Deprecating pam_stack.so
Bernardo Innocenti
bernie at develer.com
Sat Oct 15 00:05:58 UTC 2005
Lamont R. Peterson wrote:
> The correct solution is simply this: DO NOT add root (uid == 0) authentication
> credentials in your central authentication stores. If you already have root
> credentials in there, GET THEM OUT OF THERE. root should only be able to
> authenticate locally on every single box. The security danger of not
> following this policy can be quite high.
I agree, but I think the correct solution is getting the clients not
to trust their LDAP server when authenticating uid=0.
Just removing root from the directory isn't going to make clients more
secure. IP spoofing and other tricks can be used to fake another LDAP
server with a root account. Of course you may be using TLS and
installing SSL certificates on every client, but I doubt any busy
system administrator would go this far to protect *clients* on the LAN.
> That said, it still might not be a bad idea to implement the extra config line
> that Tomas Mraz suggested, earlier...as an extra protection measure. The
> disadvantage of adding it is that you will have to do so on all systems you
> want to have connected to your central authentication store (LDAP, Kerberos,
> whatever).
>
> Perhaps it should be added to the default PAM configuration for FC5. I would
> vote for that.
I'd vote for that too.
>> Maybe this other project would be more appropriate:
>>
>> http://sourceforge.net/projects/pam-ssh-agent/
>>
>> PAM module that spawns a ssh-agent and adds identities using the
>> password supplied at login.
>
> I like this. It would be nice if FC5 would ship pam-ssh-agent. I'll vote for
> it :).
Good. Who should we bug to get it into FC5? :-)
--
// Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/ http://www.develer.com/
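An added example, not from the thread and not the configuration line Tomas Mraz proposed (that line does not appear on this page): one way a client can refuse to hand uid 0 to pam_ldap.so at all, using pam_succeed_if.so from Linux-PAM as a guard before the network module, shown next to the weak stack it replaces, plus a small check for auditing /etc/pam.d files across a fleet. The module names are the real ones; the two "auth" stacks and the threshold of 500 for the first non-system uid are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the fedora-devel thread: a uid-0 guard for the
# PAM "auth" stack plus a small check you can run over /etc/pam.d files.
#
# Constructed configs (not copied from any Fedora release). In the weak stack,
# when pam_unix fails for root (no local entry, or a wrong password) control
# falls through to pam_ldap.so, so whatever answers as the LDAP server decides
# whether root logs in.
WEAK_AUTH='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so'

# Hardened stack: pam_succeed_if.so (shipped with Linux-PAM) sits before
# pam_ldap.so as "requisite", so a uid below the threshold fails the stack
# before any network module runs. 500 is this example's assumption for the
# first non-system uid; adjust it to the site's convention.
HARD_AUTH='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so'

# root_can_reach_ldap FILE
# Returns 0 (true) when the "auth" stack in FILE can hand uid 0 to pam_ldap.so,
# i.e. no requisite/required pam_succeed_if.so uid guard precedes the first
# pam_ldap.so line. Deliberately a heuristic: it reads only "auth" lines and
# does not follow "include"/pam_stack.so or parse bracketed [success=...]
# controls, so treat a "never reaches" verdict as a reason to read the file.
root_can_reach_ldap() {
    awk '
        $1 != "auth" { next }
        $3 ~ /pam_succeed_if\.so$/ && ($2 == "requisite" || $2 == "required") &&
        $4 == "uid" && ( ($5 == ">=" && $6 + 0 >= 1) ||
                         ($5 == ">"  && $6 + 0 >= 0) ||
                         (($5 == "ne" || $5 == "!=") && $6 + 0 == 0) ) {
            guarded = 1
        }
        $3 ~ /pam_ldap\.so$/ && !seen { seen = 1; reachable = !guarded }
        END { exit (reachable ? 0 : 1) }
    ' "$1"
}

# audit_stack NAME CONTENT: write CONTENT to a temp file and report the verdict.
audit_stack() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$2" > "$tmp"
    if root_can_reach_ldap "$tmp"; then
        echo "$1: uid 0 can reach pam_ldap.so (the directory decides root logins)"
    else
        echo "$1: uid 0 never reaches pam_ldap.so"
    fi
    rm -f "$tmp"
}

audit_stack weak     "$WEAK_AUTH"
audit_stack hardened "$HARD_AUTH"
```

Because pam_unix.so stays "sufficient" and checks the local shadow file first, root still authenticates locally exactly as before; the guard only changes what happens when that local check fails, which is the case an attacker impersonating the LDAP server needs. Verified TLS to the directory addresses the spoofing Bernardo describes, but the guard removes the dependency on the directory for uid 0 entirely, and it costs one line per client. Run the check against the real file, for example `root_can_reach_ldap /etc/pam.d/system-auth`, and remember that it only inspects the "auth" type.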