
PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]



On Fri, May 04, 2007 at 12:17:03PM -0700, Steve Langasek wrote:
> 
> If you use libnss-ldap+pam_unix for authentication, authentication involves
> the system querying the password hash from LDAP across the network, and
> using pam_unix to attempt to authenticate against it.  If normal users do
> not have access to query the password hash from LDAP (a correct
> configuration), pam_unix should fall back to using /sbin/unix_chkpwd, a
> setuid binary that's only allowed to query the password for the current
> user.  You can test whether /sbin/unix_chkpwd works on your system with:
> 
> $ cat | /sbin/unix_chkpwd `id -u -n` nullok ; echo $?
> <your password here>^D^M
> 
> as a non-root user and checking whether the exit value is 0.  If it doesn't
> work, you still have a PAM misconfiguration.  (If it does work, something's
> really broken, but maybe not the configuration...)
> 
This may be starting to drift OT, but here goes.  In my case, I am using
libnss-ldap and libpam-ldap.  I have both pam_unix.so and pam_ldap.so
listed in common-{account,auth,password}.  My LDAP configuration is such
that regular users cannot see passwords, except for their own passwords
once they have authenticated:

access to attrs=userPassword
        by dn="cn=admin,dc=foo,dc=bar" write
        by anonymous auth
        by self write
        by * none

Now, if the incantation above gives a zero, then is that good or bad?  I
am guessing that it is OK, since I also have pam_ldap.so in my
configuration, but I am not sure.

> 
> Er, LDAP is a network service.  If you mean that the LDAP server runs
> locally, that's fine, but otherwise you should take care to protect the
> integrity of your network traffic.  (Even if you use libpam-ldap and aren't
> sending password hashes across the network, you probably don't need a MITM
> attack granting attackers access to your systems.)
> 
Being paranoid, I only allow connections to the LDAP server using the
UNIX domain socket (for local processes on the server) and via SSL.
However, this causes other really annoying problems:

http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/2007-April/001140.html

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
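The ACL quoted in the message is evaluated by slapd with a first-match rule: the first `by` clause whose "who" part matches the bound DN decides the access level, and each level implies the weaker ones (`auth` lets a client bind against the attribute without reading it, `write` implies `read`). The following toy evaluator is an added illustration, not code from the list post or from OpenLDAP. It assumes that `by dn="..."` is an exact, case-insensitive DN match (slapd also accepts regex and scope styles, which are not modelled), and the `uid=alice`/`uid=bob` DNs are constructed for the demonstration.

```python
"""Toy first-match evaluator for the slapd 'access to attrs=userPassword' ACL
quoted in the message above. Added illustration, not code from the list post or
from OpenLDAP. Assumptions: 'by dn="..."' is treated as an exact (case-folded)
match, and the sample DNs below are constructed for the demo."""
import re
from typing import List, Optional, Tuple

# slapd access levels, weakest first; each level implies all earlier ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The ACL from the message, verbatim.
ACL_TEXT = """
access to attrs=userPassword
        by dn="cn=admin,dc=foo,dc=bar" write
        by anonymous auth
        by self write
        by * none
"""

# Constructed DNs for the demonstration (not from the message).
ADMIN = "cn=admin,dc=foo,dc=bar"
ALICE = "uid=alice,ou=people,dc=foo,dc=bar"
BOB = "uid=bob,ou=people,dc=foo,dc=bar"

KEYWORDS = ("anonymous", "users", "self", "*")
BY_RE = re.compile(
    r'^by\s+(?:dn="(?P<dn>[^"]*)"|(?P<kw>anonymous|users|self|\*))\s+(?P<level>[a-z]+)$'
)


def parse_acl(text: str) -> List[Tuple[str, str]]:
    """Return the ordered (who, level) clauses of one 'access to' directive.
    'who' is the literal DN for dn="..." clauses, otherwise the keyword."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("access to"):
        raise ValueError("expected an 'access to' header line")
    clauses = []
    for line in lines[1:]:
        m = BY_RE.match(line)
        if not m or m.group("level") not in LEVELS:
            raise ValueError(f"unparsable or unknown 'by' clause: {line!r}")
        who = m.group("dn") if m.group("dn") is not None else m.group("kw")
        clauses.append((who, m.group("level")))
    return clauses


def _norm(dn: str) -> str:
    # Case-fold and strip spaces around RDN separators before comparing DNs.
    return ",".join(part.strip().lower() for part in dn.split(","))


def granted_level(clauses: List[Tuple[str, str]], requester: Optional[str], target: str) -> str:
    """slapd's first-match rule: the first 'by' clause whose 'who' matches wins.
    requester=None models an anonymous (unauthenticated) bind."""
    for who, level in clauses:
        if who == "anonymous" and requester is None:
            return level
        if who == "users" and requester is not None:
            return level
        if who == "self" and requester is not None and _norm(requester) == _norm(target):
            return level
        if who == "*":
            return level
        if who not in KEYWORDS and requester is not None and _norm(requester) == _norm(who):
            return level  # explicit dn="..." clause (exact match assumed)
    return "none"  # slapd's default when no clause matches


def allows(granted: str, needed: str) -> bool:
    """True if the granted level implies the needed one (e.g. 'write' implies 'read')."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def audit(clauses: List[Tuple[str, str]]) -> dict:
    """The questions a reviewer of this ACL would ask, answered with the demo DNs."""
    return {
        # Unauthenticated clients may bind against the hash but never fetch it.
        "anonymous_can_bind": allows(granted_level(clauses, None, ALICE), "auth"),
        "anonymous_can_read_hash": allows(granted_level(clauses, None, ALICE), "read"),
        # One authenticated user must not see another user's hash.
        "user_can_read_others_hash": allows(granted_level(clauses, ALICE, BOB), "read"),
        # A user may change their own password once bound.
        "user_can_change_own": allows(granted_level(clauses, ALICE, ALICE), "write"),
        "admin_can_write": allows(granted_level(clauses, ADMIN, BOB), "write"),
    }


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for question, answer in audit(acl).items():
        print(f"{question}: {answer}")
    # The trailing catch-all is what keeps hashes private: loosening it to
    # 'by * read' would hand every authenticated user every other user's hash.
    weakened = ACL_TEXT.replace("by * none", "by * read")
    print("weakened ACL lets alice read bob's hash:",
          allows(granted_level(parse_acl(weakened), ALICE, BOB), "read"))
```

Run as-is it prints the audit of the quoted ACL (anonymous bind allowed, no hash readable by anyone but the entry's owner and the admin) and then shows how loosening the final catch-all changes the answer for the alice-reads-bob case; the `audit()` function can be pointed at any other `access to attrs=userPassword` stanza with the same `by` forms.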
