Re: Possibly incorrect pam.d/* files in many packages



Hello Nikita, Stephen!

On Tue, Sep 28, 2004 at 11:58:10PM +0400, Nikita V. Youshchenko wrote:
> > On Mon, Sep 27, 2004 at 06:14:41PM +0400, Nikita V. Youshchenko wrote:
> > > I just found that in some files in /etc/pam.d/ some 'required' lines
> > > are after '@include' lines.
...
> > > AFAIK, '@include common-auth' is there to make it easy to set up other
> > > (than pam_unix) auth methods. In a common LDAP accounts setup,
> > > common-auth will have 'sufficient' line for one auth method (e.g.
> > > pam_unix), and 'required' line for another method (e.g. pam_ldap).
> >
> > So don't use "sufficient". Because of this I'm using the long format:
> > required == [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
> > sufficient == [success=done new_authtok_reqd=done default=ignore]
...
> Almost every text on the internet that is related to LDAP accounts setup
> suggests using 'sufficient' PAM lines. If this is not correct for Debian,
> this should be documented in a very noticeable place! (e.g. in
> commented-out lines in default /etc/pam.d/common-* files.)

The "@some-file" is a Debian extension. RedHat for example has a
pam_stack.so for similar purpose, but I don't know if and how they
handle "sufficient" better.

Yes, you're right that this needs documentation. When I was deploying
LDAP, I didn't find any good documentation, all of them just scratched
the top of the problems deploying LDAP.


Stephen: Can you add the following lines to libpam-ldap/README.Debian

- Be very careful when you use "sufficient pam_ldap.so" in Debian's
/etc/pam.d/common-* files: Some services can place other "required"
PAM modules after the includes, which will be ignored if pam_ldap.so
succeeds. As a workaround, use something like the following construct:
	# Check local authentication first, so root can still log in
	# while LDAP is down.
	auth [success=1 default=ignore] pam_unix.so
	auth required pam_ldap.so use_first_pass
	auth required pam_permit.so
The third line is needed, so "success=1" can skip over one module and
still have a module to jump to. Without that, PAM segfaults!

- If you want to use the "pam_check_host_attr" feature, make sure
"pam_unix.so" doesn't provide a valid "account" via the Name Service
Switch (NSS), which overrides your LDAP configuration. Don't use "ldap"
for "shadow" in /etc/nsswitch.conf, just use "shadow: files". For PAM,
use something like the following:
	# Try local /etc/shadow first and skip LDAP on success
	account [success=1 default=ignore] pam_unix.so
	account required pam_ldap.so
	account required pam_permit.so

BYtE
Philipp
-- 
Philipp Matthias Hahn <pmhahn@debian.org>
 GPG/PGP: 9A540E39 @ keyrings.debian.org
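The following is an added example and not part of the thread or of Linux-PAM itself: a small simulator of the PAM stack control logic (the keyword controls in their long form as quoted above, plus the "success=N" jump) that traces both constructs from the mail, the "auth" stack with pam_permit.so and the "account" stack for the pam_check_host_attr case. Modules are not run; their return codes come from a constructed outcomes table. pam_extra.so is a placeholder name for a "required" module that a service file puts after its @include line. Two modelling assumptions: a jump counts like "ignore" for the verdict (hence the need for pam_permit.so), and reaching the end of the stack with nothing decided is treated as a denial (the mail reports that the PAM of the time crashed instead).

```python
"""Simulator for the Linux-PAM stack control logic discussed in the thread.
Constructed example, not Linux-PAM code: module return codes come from an
'outcomes' table instead of real modules."""

# Long-form equivalents of the keyword controls, as quoted in the thread.
CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}

# Modules whose result never depends on the user.
FIXED_RESULTS = {"pam_permit.so": "success", "pam_deny.so": "auth_err"}


def parse_control(text):
    """'required' or '[success=1 default=ignore]' -> {return code: action}."""
    if text in CONTROLS:
        return dict(CONTROLS[text])
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("unknown control field: " + text)
    actions = {}
    for pair in text[1:-1].split():
        key, _, value = pair.partition("=")
        actions[key] = int(value) if value.isdigit() else value  # N = jump
    return actions


def parse_line(line):
    """'auth [success=1 default=ignore] pam_unix.so nullok' -> (type, control, module)."""
    mtype, rest = line.split(None, 1)
    if rest.startswith("["):                    # bracketed control contains spaces
        close = rest.index("]")
        control, rest = rest[:close + 1], rest[close + 1:]
    else:
        control, rest = rest.split(None, 1)
    return mtype, parse_control(control), rest.split()[0]


def expand_includes(service_lines, common_files):
    """Flatten Debian '@include common-auth' lines into one module stack."""
    stack = []
    for line in service_lines:
        if line.startswith("@include "):
            stack.extend(common_files[line.split(None, 1)[1]])
        else:
            stack.append(line)
    return stack


def run_stack(stack, outcomes):
    """Evaluate one stack. Returns (overall result, modules actually run).
    impression: None = undecided, True = success recorded, False = failure
    recorded (the first failure sticks)."""
    impression, status, skip, ran = None, None, 0, []
    for line in stack:
        _, control, module = parse_line(line)
        if skip:                                # inside a 'success=N' jump
            skip -= 1
            continue
        result = FIXED_RESULTS.get(module) or outcomes[module]
        ran.append(module)
        action = control.get(result, control.get("default", "bad"))
        if isinstance(action, int):             # jump: assumed to count like 'ignore'
            skip = action
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, result
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression is not False:
                impression, status = True, result
            if action == "done" and impression:  # 'sufficient' short-circuit
                break
    if impression is None:                      # assumption: undecided end = deny
        return "perm_denied", ran
    return status, ran


# Constructed files. pam_extra.so is a placeholder for a 'required' module
# that a service file places after its @include line.
SERVICE_AUTH = ["@include common-auth", "auth required pam_extra.so"]
SUFFICIENT_SETUP = {"common-auth": [
    "auth sufficient pam_unix.so",
    "auth required pam_ldap.so use_first_pass",
]}
JUMP_SETUP = {"common-auth": [                  # the construct from the mail
    "auth [success=1 default=ignore] pam_unix.so",
    "auth required pam_ldap.so use_first_pass",
    "auth required pam_permit.so",
]}


def authenticate(common_files, outcomes, service_lines=SERVICE_AUTH):
    return run_stack(expand_includes(service_lines, common_files), outcomes)


if __name__ == "__main__":
    local_ok = {"pam_unix.so": "success", "pam_ldap.so": "auth_err",
                "pam_extra.so": "auth_err"}
    for name, setup in (("sufficient", SUFFICIENT_SETUP), ("success=1", JUMP_SETUP)):
        print(name, authenticate(setup, local_ok))
```

Running the script shows the difference the mail describes: with "sufficient", a local password success ends the stack before pam_extra.so is consulted, whereas with the jump construct pam_extra.so still runs and its failure is honoured. Dropping the pam_permit.so line makes a local success jump past the end of the stack with no verdict recorded.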