
Re: sufficient account management checking for locally defined users



On Mon, May 13, 2002 at 09:39:43AM +1000, Martin Schwenke wrote:
>     Martin> The reason I want to do this is that I don't want pam_ldap
>     Martin> to be used at all when my locally defined users are
>     Martin> logging in.  I see this as a sensible policy that promotes
>     Martin> reliability.  For example, I will always be able to login as
>     Martin> root, without delay, even if my network is down, pam_ldap
>     Martin> is broken or, worse still, if there's a bug in libldap*
>     Martin> that causes a SIGSEGV.  I don't want to run code that is
>     Martin> irrelevant to my locally defined users, particularly root.

> I suspect that no matter what the timeouts are set to, a serious bug
> in libldap* will mean that they won't be honoured at all...  :-(

> Hmmm, I suppose login probably crashes very quickly...  :-)

> In a previous reply to Sam I commented that we're getting close to a
> solution.  Given pam_unix's reliance on NSS (and therefore, in my
> case, on LDAP) for (building the group list for) locally defined
> users, I no longer think this is true.  pam_unix is too general to be
> useful for being able to reliably login as my locally defined users,
> particularly root.

> If I implement a local_only option on pam_unix might it be accepted
> into pam_unix?  Please?  Andrew?

If an NSS module your system depends on is so badly messed up that you
can't reliably call getpwnam() and getgroups() for a local account, you
will have significant difficulties logging in *regardless* of what PAM
module you're using:  a local_only option for pam_unix would only add
unnecessary complexity to the module.

FWIW, I've never had trouble logging in as root on LDAP-aware systems
when the network (or LDAP server) is down.  This is using 'passwd: files ldap'
in nsswitch.conf.  It may be that this would not work very well if there
were a segfault-inducing bug in a library that nss_ldap depends on, but
bugs in any code loaded by libc are /always/ serious problems.  Adding
options to PAM modules won't change that.

If what you're really after is making sure pam_unix is not used for
authenticating LDAP-based accounts when the server /is/ available, then
between nss_ldap and the LDAP server you already have all the access
controls you need to make sure password hashes are never sent in the
clear across the network. 

Steve Langasek
postmodern programmer
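Added example, not from Steve's or Martin's mail: a Linux-PAM stack that does what Martin asked for at the PAM layer (route locally defined users to pam_unix only and LDAP users to pam_ldap only) without touching pam_unix. It assumes pam_localuser.so is available; that module decides "is this a local user?" by scanning /etc/passwd directly, so the routing decision itself does not go through NSS, and therefore not through nss_ldap. The `[success=N ...]` jump syntax is Linux-PAM only.

```conf
# Added example (not part of the original mail): an /etc/pam.d/<service> stack
# for Linux-PAM, assuming pam_localuser.so is installed.
#
# pam_localuser.so succeeds if the user name appears in /etc/passwd (read
# directly, not via getpwnam()/NSS).  The jump controls then send each user
# to exactly one backend, so pam_ldap's code is never entered for root or any
# other locally defined account.

# --- auth: the password check ---
# local user     -> skip the next 1 line (pam_ldap), fall through to pam_unix
# non-local user -> pam_ldap has the final word (done/die); pam_unix never runs,
#                   so LDAP users are never authenticated against pam_unix either
auth     [success=1 default=ignore]   pam_localuser.so
auth     [success=done default=die]   pam_ldap.so
auth     required                     pam_unix.so

# --- account: expiry/validity checks (the "account management" of the subject) ---
# Same routing, so account management for a local user never calls pam_ldap.
account  [success=1 default=ignore]   pam_localuser.so
account  [success=done default=die]   pam_ldap.so
account  required                     pam_unix.so
```

Two caveats, both of which are Steve's point above. First, this only keeps pam_ldap itself out of the path: pam_unix still resolves the account with getpwnam(), and the login program still builds the supplementary group list through NSS, so with `passwd: files ldap` and `group: files ldap` in nsswitch.conf a hang or crash inside nss_ldap or libldap would still be hit for a local user. Bounding that exposure is an nss_ldap/libldap question (options such as `bind_policy soft` and `bind_timelimit` in nss_ldap's ldap.conf, assuming your version supports them), not a PAM one. Second, `default=die` on pam_ldap means a non-local user fails fast when the LDAP server is unreachable rather than falling back to pam_unix, which is the policy Martin describes, but make sure that is what you want before deploying it on a console login service.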


