
Re: LDAP breaks kcheckpass when not setuid root (#298148)

[Christoph Haas]
> Okay, so libpam-ldap is mandatory in that case? Good to know. Most
> of the documentation I found said that only libnss-ldap is needed
> for login and libpam-ldap's only use is for changing the password
> over LDAP.

Yes, pam is needed to do proper authentication (password checking),
and nss is needed to find information about users and groups.  Yes,
you can use nss to find password hashes and authenticate locally after
fetching the hash using LDAP, but it is a very bad idea, as you really
want to keep password hashes from leaving your LDAP server.

> However whether it's SSL or not shouldn't matter really since this
> is a local kcheckpass that needs to access the pam/nss configuration
> on the local machine. But generally SSL is surely preferred.

I do not understand your comment.

pam-ldap sends the password to the LDAP server, and the LDAP server
accepts or denies the connection.  If this connection isn't done using
SSL (or TLS), the password is sent in clear text over the net to the
LDAP server.  You do not want that, so you want to make sure pam-ldap
uses SSL or TLS.

nss-ldap on the other hand does not send any passwords, it only fetches
information from the LDAP server, and it does it fairly often, so you
do not want the overhead of encryption there, and you also want to
make sure nscd is running to cache any search results to reduce the
amount of LDAP traffic needed.

> Where did you find this documented? I admit I'm no PAM guru at all.
> In theory it's simple but in practice PAM has never obeyed my
> orders.  In /usr/share/doc/libpam-ldap/examples/ the example pam.d
> files have pam_ldap.so mentioned in every file which is surely worse
> than using common-auth.

Not sure.  It is the default configuration in Debian Edu.

> I just tried your pam.d/common-auth configuration and then indeed
> kcheckpass works without running setuid root. A miracle! :)


> You don't need a "rootbinddn" here? I tried to remove it but couldn't
> log in as a user any more.

No.  It is only needed if you want your root user to be able to update
the LDAP database as a privileged user.  Normally, you do not want
this.  The users can be allowed to change their own password if the
LDAP server gives them write access to their own LDAP entry, and there
is no need for the rootbinddn for this.

> Since the password should be either MD5 or Crypt (what I use) the
> password should not go over the line in cleartext anyway. However it
> may be cracked with john probably when sniffed on the net.

Actually, you got it backwards, as explained above.  pam-ldap isn't
using the password hash to check the password.  It is passing the
password over to the LDAP server (using an LDAP bind), and letting the
LDAP server decide if the password is correct or not.

Petter Reinholdtsen
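The following is an added example, not part of the mail above or of the
libpam-ldap/libnss-ldap packages: a small POSIX sh audit of the two
files the thread keeps coming back to, checking the three properties
the reply argues for (pam_ldap.so in the common-auth stack, an
SSL/TLS-protected bind in pam_ldap.conf, and no rootbinddn unless root
really needs write access).  The file contents, the host name and the
base DN are constructed sample input written to a temporary directory,
so the script runs offline; point the audit function at /etc/pam.d/common-auth
and /etc/pam_ldap.conf to check a real machine.

```shell
#!/bin/sh
# Added example: audit pam_ldap related configuration for the points
# made in the thread. All file contents below are constructed samples.

TMP="${TMPDIR:-/tmp}/pamldap-audit.$$"
mkdir -p "$TMP"

# Constructed sample of /etc/pam.d/common-auth: pam_ldap is tried first,
# and pam_unix reuses the already entered password (use_first_pass).
cat > "$TMP/common-auth" <<'EOF'
# constructed sample: /etc/pam.d/common-auth
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure use_first_pass
EOF

# Constructed sample of /etc/pam_ldap.conf: the bind is protected with
# STARTTLS and the server certificate is verified. No rootbinddn.
cat > "$TMP/pam_ldap.conf" <<'EOF'
# constructed sample: /etc/pam_ldap.conf
host ldap.example.org
base dc=example,dc=org
ssl start_tls
tls_checkpeer yes
EOF

# 0 when pam_ldap.so appears on an 'auth' line of the given PAM file.
common_auth_uses_ldap() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_ldap\.so' "$1"
}

# 0 when pam_ldap is told to encrypt the bind ('ssl on' or 'ssl start_tls'),
# so the clear-text password never crosses the network unprotected.
pam_ldap_uses_tls() {
    grep -Eq '^[[:space:]]*ssl[[:space:]]+(on|start_tls)[[:space:]]*$' "$1"
}

# 0 when no rootbinddn is configured (the mail: normally not wanted).
pam_ldap_no_rootbinddn() {
    ! grep -Eq '^[[:space:]]*rootbinddn[[:space:]]' "$1"
}

# audit COMMON_AUTH PAM_LDAP_CONF: prints one line per finding, returns
# 0 only when all three checks pass.
audit() {
    rc=0
    common_auth_uses_ldap "$1" ||
        { echo "common-auth: pam_ldap.so missing from auth stack"; rc=1; }
    pam_ldap_uses_tls "$2" ||
        { echo "pam_ldap.conf: bind not TLS protected (set 'ssl start_tls')"; rc=1; }
    pam_ldap_no_rootbinddn "$2" ||
        { echo "pam_ldap.conf: rootbinddn set; drop it unless root must write to LDAP"; rc=1; }
    return $rc
}

audit "$TMP/common-auth" "$TMP/pam_ldap.conf" && echo "audit: ok"
```

The checks are deliberately limited to what the thread states: they do
not validate the LDAP server itself, only that the client side is
configured to bind over TLS and without a privileged root binding.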
