Pam configuration with ldap root user

Guillaume CHARDIN guillaume.chardin at gmail.com
Mon Aug 24 08:19:18 UTC 2009


> I'm not very clear what you mean by "accept connection from a user
> with uid&gid = 0". You'd have to do something on purpose
> to lock root (uid=0) out of the system.


Let me explain more!
On my systems, all root accounts are local (as every default
installation of every distribution does: the info is stored in /etc/passwd,
/etc/shadow and /etc/group). For my company I set up an LDAP
directory to have centralized administration of the accounts. I'm
able to connect on every workstation without any unprivileged user, and
home folder, default shell, groups and any extended user properties are
read without any problem.
Now the next step is to have a centralized root account. I created it
in the directory, like a standard user but with the special uid & gid
attributes set to 0. And as I wrote before on this list, this user is
unable to connect to any Fedora station while the PAM config is not
changed (see my previous post).
The purpose of this mail is to talk about the potential security
weakness of this setup (especially the modification of PAM) and what
the effect of such a modification can be.
Maybe this is not the right ML to post to, and if you think so, I'll
search elsewhere for my answer :-D

> I'll try to share my limited understanding of PAM.
> "auth" merely establishes the user identity -is he who he claims to be?
OK with that.

> The line
>    "auth  requisite     pam_succeed_if.so uid >= 500 quiet"
> is not to permit login, but rather to establish a user's
> identity; to be precise, a user whose id is not that of a
> system account.
And if it fails, as the PAM manual says
(http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html),
the status is set to failed if any other module failed, or control is
returned to the application...

> based on the line
>    "auth        required      pam_deny.so"
> The users whose IDs are listed in this block can be denied
> access (pam_deny.so) if their identity is not properly confirmed.
OK, so based on the previous item and the PAM manual :) if
pam_succeed_if fails because my user uses a uid < 500, then the pam_deny
module will issue a failure and block the auth phase.

> Later, these lines
>      "account     sufficient    pam_succeed_if.so uid < 500 quiet
>       account     required      pam_permit.so"
> translate into "are you root or a system account? no
> problem! go right ahead!"; otherwise, some checks will run to
> further qualify the incoming user.
You are a system account (uid lower than 500), then the account is permitted to log in.
But what is the purpose of "account     required      pam_permit.so"?
It always permits login, no?

Thanks for your time! :)

-- 
Guillaume
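The control-flag behaviour discussed in this thread, as an added example that is not part of the original mail: a small Python model of how libpam walks an auth and an account stack (requisite, required, sufficient), run over the lines quoted above. The pam_unix.so and pam_ldap.so lines, the user records and the module results are assumptions standing in for a Fedora host with LDAP enabled, not real module behaviour.

```python
# Constructed sample accounts: local shadow entries and directory entries.
LOCAL_USERS = {"root": 0}                    # uid 0 in /etc/passwd (assumed)
LDAP_USERS = {"ldaproot": 0, "alice": 501}   # "ldaproot" is the centralised root

def uid_of(user):
    return LOCAL_USERS.get(user, LDAP_USERS.get(user))

def module(name, arg, user):
    """Crude stand-in for a module call: True means PAM_SUCCESS, False a failure."""
    if name == "pam_unix.so":
        return user in LOCAL_USERS            # only local accounts (assumed)
    if name == "pam_ldap.so":
        return user in LDAP_USERS             # only directory accounts (assumed)
    if name == "pam_succeed_if.so":           # only the "uid >= N" / "uid < N" forms
        op, bound = arg.split()
        uid = uid_of(user)
        if uid is None:
            return False
        return uid >= int(bound) if op == ">=" else uid < int(bound)
    if name == "pam_permit.so":
        return True
    if name == "pam_deny.so":
        return False
    raise ValueError("unknown module " + name)

def run_stack(stack, user):
    """Evaluate (control, module, arg) lines with libpam's control semantics."""
    failed = succeeded = False
    for control, name, arg in stack:
        ok = module(name, arg, user)
        if control == "requisite" and not ok:
            return False              # stop at once; later modules never run
        if control in ("required", "requisite"):
            failed |= not ok          # a required failure sticks, stack continues
            succeeded |= ok
        elif control == "sufficient" and ok and not failed:
            return True               # success so far is enough, return now
        # a failing "sufficient" module contributes nothing
    return succeeded and not failed   # no module contributed: treated as failure

# Assumed Fedora-style system-auth containing the lines quoted in the thread.
AUTH = [("sufficient", "pam_unix.so", ""),
        ("requisite", "pam_succeed_if.so", ">= 500"),
        ("sufficient", "pam_ldap.so", ""),
        ("required", "pam_deny.so", "")]
ACCOUNT = [("sufficient", "pam_succeed_if.so", "< 500"),
           ("required", "pam_permit.so", "")]

def can_login(user, account_stack=ACCOUNT):
    return run_stack(AUTH, user) and run_stack(account_stack, user)
```

Dropping the final pam_permit line (`ACCOUNT[:1]`) leaves a uid >= 500 user with no module that contributed a result, so the account phase fails for them even though pam_permit itself always succeeds.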