[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: sufficient account management checking for locally defined users

On Tue, May 14, 2002 at 11:17:10AM +1000, Martin Schwenke wrote:

> The NSS module in question (nss_ldap) isn't messed up.  As Sam already
> posted, to find out what supplementary groups a user is in, you need
> to retrieve all groups that NSS knows about, which implicitly includes
> the LDAP ones (if that's what nsswitch.conf says to do).  To avoid
> doing that for a locally defined user, you would need to look in only
> the local files, which is part of what I'm advocating.

And you absolutely cannot control that using PAM.

> Now for the bad news: initgroups() is called from the application
> (login/sshd) and not from PAM.  Now that's pretty crappy, because it
> means it can't be configured per application: I can't tell login to
> only look at local users...

Exactly.  The only way to do what you're asking for is by implementing 
it in libc (NSS), not in libpam.

> As far as I'm concerned the initgroups() call should happen in PAM so
> that a different implementation can be substituted.  That's what the
> 'P' in "PAM" is all about.  The current design is broken.  I don't
> think I stand a strong chance of having that design changed,
> reimplemented and accepted upstream (even though I'm willing to do
> great chunks of it myself), so it's time to give up (or rely on an
> LD_PRELOAD hack to get to my root account...  ummm... no!  :-)

And the 'A' and the 'M' say 'authentication modules', which succinctly
defines the scope of PAM.  Retrieving group lists is not an
authentication problem.

>     Steve> If what you're really after is making sure pam_unix is not
>     Steve> used for authenticating LDAP-based accounts when the server
>     Steve> /is/ available, then between nss_ldap and the LDAP server
>     Steve> you already have all the access controls you need to make
>     Steve> sure password hashes are never sent in the clear across the
>     Steve> network.

> No, I want to make sure that pam_ldap is not used for authenticating
> non-LDAP-based accounts!

Easily done:

auth  sufficient  pam_unix.so
auth  required    pam_ldap.so use_first_pass

-- and that's it.  If the account is local, pam_ldap will never be
invoked with the above configuration.  Likewise, list 'files' before
'ldap' in nsswitch.conf, to give optimal lookup times for
getpwnam()/getgrgid() calls on local accounts.

The one slowdown will be with initgroups() (yes, I meant initgroups()
earlier, not getgroups()).  There's no way around that; you can lower
your timeouts in nss_ldap, or you can modify your login app to not call
initgroups().  Those are your only two options, unless you do choose to
modify the PAM API; and there would have to be a very good reason for
Linux-PAM to break compatibility with other PAM implementations.

Steve Langasek
postmodern programmer

Attachment: pgp00006.pgp
Description: PGP signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []