Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]

To: debian-devel@lists.debian.org
Cc: Roberto C. Sánchez <roberto@connexer.com>
Subject: Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]
From: Steve Langasek <vorlon@debian.org>
Date: Fri, 4 May 2007 16:39:02 -0700
Message-id: <[🔎] 20070504233902.GB23566@dario.dodds.net>
Mail-followup-to: debian-devel@lists.debian.org, Roberto C. Sánchez <roberto@connexer.com>
In-reply-to: <[🔎] 20070504221934.GC32489@miami.connexer.com>
References: <[🔎] 20070504112317.GA6069@laptux.workaround.org> <[🔎] 2fl7irofvzw.fsf@saruman.uio.no> <[🔎] 20070504172916.GA5659@aldi.workaround.org> <[🔎] 20070504191703.GA6457@dario.dodds.net> <[🔎] 20070504213345.GA32489@miami.connexer.com> <[🔎] 20070504214940.GB24471@dario.dodds.net> <[🔎] 20070504221934.GC32489@miami.connexer.com>

On Fri, May 04, 2007 at 06:19:34PM -0400, Roberto C. Sánchez wrote:
> On Fri, May 04, 2007 at 02:49:40PM -0700, Steve Langasek wrote:

> > It means that pam_unix is able to access your shadow hash on behalf of the
> > user, when using root privileges (which is expected and required in the case
> > where you want to support password changes via pam_ldap); and that if
> > pam_unix is listed first in common-auth before pam_ldap, that this is what
> > is going to be done for all logins.

> auth    sufficient      pam_ldap.so
> auth    sufficient      pam_unix.so nullok_secure try_first_pass

> So in my case, the shadow hash is not being accessed, correct?

Correct.

> I have "pam_password exop" in both /etc/pam_ldap.conf and
> /etc/libnss-ldap.conf.  So, AIUI, the hash is not leaving the server for
> the password change.  Correct?

Sounds right, but I don't put passwords in LDAP so I'm not sure.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Reply to:

Follow-Ups:
- Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]
  - From: Roberto C. Sánchez <roberto@connexer.com>

References:
- LDAP breaks kcheckpass when not setuid root (#298148)
  - From: Christoph Haas <haas@debian.org>
- Re: LDAP breaks kcheckpass when not setuid root (#298148)
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: LDAP breaks kcheckpass when not setuid root (#298148)
  - From: Christoph Haas <haas@debian.org>
- Re: LDAP breaks kcheckpass when not setuid root (#298148)
  - From: Steve Langasek <vorlon@debian.org>
- PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]
  - From: Roberto C. Sánchez <roberto@connexer.com>
- Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]
  - From: Steve Langasek <vorlon@debian.org>
- Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]
  - From: Roberto C. Sánchez <roberto@connexer.com>

Prev by Date: Re: Bug#422297: ITP: g95 -- The G95 fortran compiler
Next by Date: Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]
Previous by thread: Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]
Next by thread: Re: PAM config and LDAP [WAS: Re: LDAP breaks kcheckpass when not setuid root (#298148)]
Index(es):
- Date
- Thread