Pam configuration with ldap root user

Aldo Foot lunixer at gmail.com
Fri Aug 21 23:54:56 UTC 2009


On Fri, Aug 21, 2009 at 11:06 AM, Guillaume
CHARDIN<guillaume.chardin at gmail.com> wrote:
> hi everyone, I hope someone can help me on this...
>
> I modified the pam configuration today to accept connection from a user
> with uid&gid = 0. In /etc/pam.d/system-auth I previously had these lines:
>
> ###########################################################################
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
> ###################################################################################
> and I modified the auth part to:
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        sufficient     pam_succeed_if.so uid = 0
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
>
> I'm not sure about the consequences of these modifications.
> Tell me if I'm wrong, but
> a) the 3rd line "auth  sufficient     pam_succeed_if.so uid = 0"
> permits users with uid lower than 0 to authenticate against the system
> and log it
> b) the 4th line permits login to users with uid more than 500, does not
> log it AND if any of the other auth "methods" have failed it returns it to
> the pgm making the call to pam.
>
> right ?
>
> Thanks for your help.
>
> --
> Guillaume
______

I'm not very clear what you mean by "accept connection from a user
with uid&gid = 0". You'd have to do something on purpose
to lock root (uid=0) out of the system.

I'll try to share my limited understanding of PAM.

"auth" merely establishes the user identity: is he who he claims to be?

The line
    "auth  requisite     pam_succeed_if.so uid >= 500 quiet"
is not to permit login, but rather to establish a user's
identity; to be precise, a user whose id is not that of a
system account.

Based on the line
    "auth        required      pam_deny.so"
the users whose IDs are listed in this block can be denied
access (pam_deny.so) if their identity is not properly confirmed.

Later, these lines
      "account     sufficient    pam_succeed_if.so uid < 500 quiet
       account     required      pam_permit.so"
translate into "are you root or a system account? no
problem! go right ahead!"; otherwise, some checks will run to
further qualify the incoming user.

BTW, if a pam file is misconfigured one could end up being locked out
of the system.

PAM can be a pain. For further understanding read some man pages.
 man pam_succeed_if
 man pam_permit
 man pam_deny

HTH,
~af
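As an added illustration (not from either poster), the following Python model of Linux-PAM's simple control flags (required, requisite, sufficient) runs a login attempt through Guillaume's original and modified auth stacks. It assumes each module's verdict can be reduced to a yes/no predicate on the attempt and ignores password forwarding options such as try_first_pass/use_first_pass and nullok.

```python
from typing import NamedTuple

class Attempt(NamedTuple):
    uid: int
    unix_ok: bool  # would pam_unix.so accept the supplied password?
    ldap_ok: bool  # would pam_ldap.so accept it?

# Each module's verdict, modelled as a predicate on the attempt (assumption:
# try_first_pass/use_first_pass forwarding and nullok are not modelled).
MODULES = {
    "pam_env.so": lambda a: True,
    "pam_unix.so": lambda a: a.unix_ok,
    "pam_ldap.so": lambda a: a.ldap_ok,
    "pam_deny.so": lambda a: False,
    "pam_succeed_if.so uid = 0": lambda a: a.uid == 0,
    "pam_succeed_if.so uid >= 500": lambda a: a.uid >= 500,
}

# The two auth stacks from the question, as (control flag, module) pairs.
ORIGINAL_AUTH = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so uid >= 500"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]
MODIFIED_AUTH = (ORIGINAL_AUTH[:2]
                 + [("sufficient", "pam_succeed_if.so uid = 0")]
                 + ORIGINAL_AUTH[2:])

def run_stack(stack, attempt):
    """Apply Linux-PAM's simple control flags; True means PAM_SUCCESS."""
    required_failed = False
    for control, module in stack:
        ok = MODULES[module](attempt)
        if control == "requisite" and not ok:
            return False            # stop immediately with failure
        if control == "required" and not ok:
            required_failed = True  # keep going, but the result is failure
        if control == "sufficient" and ok and not required_failed:
            return True             # stop immediately with success
    return not required_failed

def compare(attempt):
    """Result on the original stack vs. the modified one."""
    return run_stack(ORIGINAL_AUTH, attempt), run_stack(MODIFIED_AUTH, attempt)
```

Comparing the two stacks shows what the inserted line changes: a uid 0 attempt that pam_unix.so rejects still ends in success on the modified stack, because "sufficient" returns success as soon as pam_succeed_if.so matches uid 0, while attempts for other uids behave exactly as before.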
