Re: LDAP breaks kcheckpass when not setuid root (#298148)

To: debian-devel@lists.debian.org
Cc: Christoph Haas <haas@debian.org>
Subject: Re: LDAP breaks kcheckpass when not setuid root (#298148)
From: Steve Langasek <vorlon@debian.org>
Date: Fri, 4 May 2007 12:17:03 -0700
Message-id: <[🔎] 20070504191703.GA6457@dario.dodds.net>
Mail-followup-to: debian-devel@lists.debian.org, Christoph Haas <haas@debian.org>
In-reply-to: <[🔎] 20070504172916.GA5659@aldi.workaround.org>
References: <[🔎] 20070504112317.GA6069@laptux.workaround.org> <[🔎] 2fl7irofvzw.fsf@saruman.uio.no> <[🔎] 20070504172916.GA5659@aldi.workaround.org>

I suppose you have your immediate problem solved here, but this information
might be useful for others sometime later, so:

On Fri, May 04, 2007 at 07:29:17PM +0200, Christoph Haas wrote:
> > This sounds like you have set up LDAP authentication incorrectly, as I
> > am able to lock the screen with LDAP authentication.  Correctly set
> > up, pam-ldap should do authentication by binding to the LDAP server
> > over SSL, and this do not require any special privileges.

> Okay, so libpam-ldap is mandatory in that case? Good to know. Most of
> the documentation I found said that only libnss-ldap is needed for login
> and libpam-ldap's only use is for changing the password over LDAP.

If you use libnss-ldap+pam_unix for authentication, authentication involves
the system querying the password hash from LDAP across the network, and
using pam_unix to attempt to authenticate against it.  If normal users do
not have access to query the password hash from LDAP (a correct
configuration), pam_unix should fall back to using /sbin/unix_chkpwd, a
setuid binary that's only allowed to query the password for the current
user.  You can test whether /sbin/unix_chkpwd works on your system with:

$ cat | /sbin/unix_chkpwd `id -u -n` nullok ; echo $?
<your password here>^D^M

as a non-root user and checking whether the exit value is 0.  If it doesn't
work, you still have a PAM misconfiguration.  (If it does work, something's
really broken, but maybe not the configuration...)

> However whether it's SSL or not shouldn't matter really since this is
> a local kcheckpass that needs to access the pam/nss configuration on the
> local machine. But generally SSL is surely preferred.

Er, LDAP is a network service.  If you mean that the LDAP server runs
locally, that's fine, but otherwise you should take care to protect the
integrity of your network traffic.  (Even if you use libpam-ldap and aren't
sending password hashes across the network, you probably don't need a MITM
attack granting attackers access to your systems.)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Reply to:

Follow-Ups:
- PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]
  - From: Roberto C. Sánchez <roberto@connexer.com>

References:
- LDAP breaks kcheckpass when not setuid root (#298148)
  - From: Christoph Haas <haas@debian.org>
- Re: LDAP breaks kcheckpass when not setuid root (#298148)
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: LDAP breaks kcheckpass when not setuid root (#298148)
  - From: Christoph Haas <haas@debian.org>

Prev by Date: Re: LDAP breaks kcheckpass when not setuid root (#298148)
Next by Date: Bug#422297: ITP: g95 -- The G95 fortran compiler
Previous by thread: Re: LDAP breaks kcheckpass when not setuid root (#298148)
Next by thread: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]
Index(es):
- Date
- Thread