pam or ldap storing sessions with old passwords?
Ido Levy
IDOL at il.ibm.com
Thu Apr 10 13:47:55 UTC 2008
It is a wild guess, but can you try restarting the nscd daemon and see if the problem still exists?
> Hi,
>
> We're having a bit of a problem here at work and I can't seem to find a
> solution.
>
> Problem is:
> Whenever a user changes password in our ldap he/she is able to login
> with both the old and the new password on some servers, even though
> there is only one user entry in ldap.
>
> It seems PAM or maybe LDAP stores a session with the old authentication,
> so for an unknown amount of time (at least a week or till server reboot)
> the user can log in with the old password.
>
> We have a lot of servers and it only seems to be a problem on RedHat
> Fedora 4. I can't reproduce the problem on RH Fedora 8.
>
> The RH4 PAM system-auth looks like this:
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass nodelay
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass debug
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> #session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> Does anyone have any idea why this is happening? It's quite
> the security problem :(
>
> Thanks
> --- Frank Nørvig
> http://www.noervig.dk
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
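As an added example (not code from either poster), the following parser reads a PAM stack in the system-auth format quoted above and reports, per management group, which modules are consulted before pam_ldap.so and which of them carry the `sufficient` control. Under PAM semantics a `sufficient` module that succeeds (with no earlier `required` failure) ends the stack, so for that login the later modules, pam_ldap.so included, are never consulted. The sample stack is the auth and account groups copied from the quoted config; the function names and the `PamEntry` type are assumptions of this example.

```python
"""Parse a PAM service stack and show which modules can decide a login
before pam_ldap.so is reached.  Added example, not part of the thread."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the auth and account groups quoted in the thread.
SAMPLE_SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass nodelay
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass debug
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
"""


@dataclass
class PamEntry:
    group: str      # auth / account / password / session
    control: str    # required, sufficient, requisite, optional or [...] form
    module: str     # module file name, e.g. pam_ldap.so
    args: List[str]


def parse_pam_stack(text: str) -> List[PamEntry]:
    """Parse one PAM service file; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        group = tokens[0]
        if tokens[1].startswith("["):
            # Bracketed control field may span several whitespace-separated
            # tokens; collect them up to the closing bracket.
            ctl, i = [], 1
            while i < len(tokens):
                ctl.append(tokens[i])
                if tokens[i].endswith("]"):
                    break
                i += 1
            control, rest = " ".join(ctl), tokens[i + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        entries.append(PamEntry(group, control, rest[0], rest[1:]))
    return entries


def modules_before(entries: List[PamEntry], group: str,
                   target: str) -> List[Tuple[str, str]]:
    """(module, control) pairs that run before `target` in `group`."""
    seen = []
    for e in entries:
        if e.group != group:
            continue
        if e.module == target:
            return seen
        seen.append((e.module, e.control))
    return seen  # target absent from the group: everything runs before it


def sufficient_before(entries: List[PamEntry], group: str,
                      target: str) -> List[str]:
    """Modules whose success can end the stack before `target` is consulted."""
    return [m for m, c in modules_before(entries, group, target)
            if c == "sufficient"]


def report(entries: List[PamEntry], target: str = "pam_ldap.so") -> List[str]:
    """One line per group describing the short-circuit candidates."""
    lines = []
    for group in sorted({e.group for e in entries}):
        early = sufficient_before(entries, group, target)
        lines.append(f"{group}: {', '.join(early) or 'none'} may decide "
                     f"before {target}")
    return lines


if __name__ == "__main__":
    for line in report(parse_pam_stack(SAMPLE_SYSTEM_AUTH)):
        print(line)
```

Run against the quoted stack, the report shows pam_unix.so as a `sufficient` auth module ahead of pam_ldap.so, so any login that pam_unix accepts is never checked against the directory. The thread does not establish where a stale credential would come from; the reply's suggestion to restart nscd amounts to clearing its lookup cache, which `nscd -i passwd` does without a restart, and re-running the check after a password change tells you whether the old password still works on that host.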