Re: local authentication spoofing using libnss-ldap
W dniu 2011-12-22 17:01, Yann Autissier pisze:
I am using the libnss-ldap and libpam-ldap packages with default
NSS is configured to allow passwd and group resolution over ldap.
user@host:~$ cat /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
If a user account exists in local /etc/passwd and in the ldap database,
the user can authenticate with both passwords, but is always logged in
as the local user.
It seems to mee that nss should resolve the correct uid.
I'm not sure what you mean by 'the correct uid'. NSS is responsible only
for mapping from UID to name. And it does it in order specified in
nsswitch.conf. So if you want to see what name UID=12345 maps to, the
system (in presented configuration) first tries to look into
/etc/passwd, then checks the ldap database for entry with apropriate
attribute with the value of 12345 (don't remember ATM which attribute it
is by default).
I can create a ldap account named 'root', with a weak password and uid
12345, then su - on the system and log in as root with the weak
password, and get uid 0.
It's not debian related, but I would like to know if this is a
Again, it has nothing to do with NSS. I suppose (sorry, don't have
a box with default config anywhere near) it can be caused by PAM stack
misconfiguration where pam tries to authenticate against local users
database and then, when it fails, tries again with the same password
against LDAP. If you did authentication the other way around - first
checking in LDAP, and only then in local file, you should be OK
(remember about restricting UID range in pam_ldap).
As I mentioned, I don't have a way to confirm this on a live box, so
please correct me if I'm wrong.