Re: LDAP breaks kcheckpass when not setuid root (#298148)

[Christoph Haas <haas@debian.org>]

Petter,

On Fri, May 04, 2007 at 05:29:07PM +0200, Petter Reinholdtsen wrote:
> [Christoph Haas]
> > I'm unhappy with the outcome of the bug #298148 (kdebase-bin: kcheckpass
> > needs setuid bit for ldap authentication). When using libnss-ldap and
> > libpam-ldap (optionally) people who lock their screen in KDE will not be
> > able to unlock the screen and may (like me) lose data because they
> > finally give up and Ctrl+Alt+Backspace. :( It turned out that unlocking
> > the screen currently only works if the /usr/bin/kcheckpass binary is
> > made setuid root.
> 
> This sounds like you have set up LDAP authentication incorrectly, as I
> am able to lock the screen with LDAP authentication.  Correctly set
> up, pam-ldap should do authentication by binding to the LDAP server
> over SSL, and this do not require any special privileges.

Okay, so libpam-ldap is mandatory in that case? Good to know. Most of
the documentation I found said that only libnss-ldap is needed for login
and libpam-ldap's only use is for changing the password over LDAP.

However whether it's SSL or not shouldn't matter really since this is
a local kcheckpass that needs to access the pam/nss configuration on the
local machine. But generally SSL is surely preferred.

> This is the configuration I use:
> 
>   # egrep -v '^#|^$' /etc/pam.d/common-auth /etc/pam_ldap.conf  /etc/nsswitch.conf
>   /etc/pam.d/common-auth:auth     optional        pam_group.so
>   /etc/pam.d/common-auth:auth     sufficient      pam_unix.so shadow nullok_secure
>   /etc/pam.d/common-auth:auth     required        pam_ldap.so use_first_pass

Where did you find this documented? I admit I'm no PAM guru at all.
In theory it's simple but in practice PAM has never obeyed my orders.
In /usr/share/doc/libpam-ldap/examples/ the example pam.d files have
pam_ldap.so mentioned in every file which is surely worse than using
common-auth.

I just tried your pam.d/common-auth configuration and then indeed
kcheckpass works without running setuid root. A miracle! :)

>   /etc/pam_ldap.conf:host ldap.uio.no
>   /etc/pam_ldap.conf:base cn=users,cn=system,dc=uio,dc=no
>   /etc/pam_ldap.conf:ldap_version 3
>   /etc/pam_ldap.conf:pam_password crypt
>   /etc/pam_ldap.conf:ssl start_tls
>   /etc/pam_ldap.conf:tls_cacertfile /etc/w3_cacert.pem
>   /etc/pam_ldap.conf:tls_checkpeer yes

You don't need a "rootbinddn" here? I tried to remove it but couldn't
login as a user any more.

> The LDAP server is set up to only allow binding using passwords over
> 128-bit encrytped SSL, to make sure the password isn't send in clear
> text.

Since the password should be either MD5 or Crypt (what I use) the
password should not go over the line in cleartext anyway. However it may
be cracked with john probably when sniffed on the net.

Thanks in advance for the hints. I'm taking notes already to document
this better.

 Christoph
-- 
~
~
".signature" [Modified] 1 line --100%--                1,48         All