[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]

On Fri, May 04, 2007 at 02:49:40PM -0700, Steve Langasek wrote:
> It means that pam_unix is able to access your shadow hash on behalf of the
> user, when using root privileges (which is expected and required in the case
> where you want to support password changes via pam_ldap); and that if
> pam_unix is listed first in common-auth before pam_ldap, that this is what
> is going to be done for all logins.
auth    sufficient      pam_ldap.so
auth    sufficient      pam_unix.so nullok_secure try_first_pass

So in my case, the shadow hash is not being accessed, correct?  Now, in
the case of common-password, it is essentially the same (pam_ldap before
pam_unix, but pam_unix has different options).  I have "pam_password
exop" in both /etc/pam_ldap.conf and /etc/libnss-ldap.conf.  So, AIUI,
the hash is not leaving the server for the password change.  Correct?

> "good or bad" depends on your goals for the configuration.
My goal is that it is secure.

Roberto C. Sánchez

Attachment: signature.asc
Description: Digital signature

Reply to: