Deprecating pam_stack.so

Lamont R. Peterson lamont at gurulabs.com
Thu Oct 13 17:56:56 UTC 2005


On Wednesday 12 October 2005 07:02pm, Bernardo Innocenti wrote:
> Tomas Mraz wrote:
[SNIP]
> >>    Also, you can log in as root with root's password from ldap
> >>    even though there's a valid root entry in /etc/passwd.
> >
> > That's expected as both pam_ldap and pam_unix are sufficient entries.
> > If you want to prevent that you can insert pam_succeed_if
>
> Sorry, I don't quite understand how to set it up to reject uid == 0
> just for pam_ldap and not for pam_unix.

The correct solution is simply this: DO NOT add root (uid == 0) authentication 
credentials in your central authentication stores.  If you already have root 
credentials in there, GET THEM OUT OF THERE.  root should only be able to 
authenticate locally on every single box.  The security danger of not 
following this policy can be quite high.

That said, it still might not be a bad idea to implement the extra config line 
that Tomas Mraz suggested earlier, as an extra protection measure.  The 
disadvantage of adding it is that you will have to do so on all systems you 
want to have connected to your central authentication store (LDAP, Kerberos, 
whatever).

Perhaps it should be added to the default PAM configuration for FC5.  I would 
vote for that.

> I also don't understand what the "uid < 100" condition inserted
> by system-config-auth is for.

There are only two kinds of accounts as far as the kernel is concerned: root 
and everyone else.  We humans think of it in terms of three kinds of 
accounts; "root" (superuser), "system" (not-superuser and no human being 
associated, typically, 0 < system account uid < 100) and 
"regular-user" (human being).

Typically, one should not be able to log in to "system" accounts.  
Occasionally, it is necessary to run a bunch of shell commands/scripts as a 
system account (installing some DB engines comes to mind), in which case root 
can "su - system-account" to do so.

SELinux also helps with this "issue".

[SNIP]
> > This is a problem as the passphrases for ssh keys can be different from
> > the user's system password. So the pam_ssh is definitely not a
> > replacement for ssh-agent.
>
> Yes, we would need half of what pam_ssh does: instead of authenticating
> the user against his ssh key, it should just load the key iff the
> passphrase happens to match the account password.
>
> Maybe this other project would be more appropriate:
>
>  http://sourceforge.net/projects/pam-ssh-agent/
>
>  PAM module that spawns a ssh-agent and adds identities using the
>  password supplied at login.

I like this.  It would be nice if FC5 would ship pam-ssh-agent.  I'll vote for 
it :).
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
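The stacking behaviour discussed above (two "sufficient" backends, and a "requisite" pam_succeed_if line placed between them so that only the LDAP path is gated), as an added illustration that is not part of the original post or of Fedora's shipped configuration. The user stores, passwords and the uid threshold of 100 (following the "system account uid < 100" convention in the post) are constructed for the example; the evaluator models only required/requisite/sufficient, not the full libpam control syntax.

```python
"""Toy evaluator of a Linux-PAM 'auth' stack (required/requisite/sufficient),
constructed for this example, not real libpam.  It shows why two 'sufficient'
backends let root's LDAP password succeed and how a 'requisite pam_succeed_if
uid >= 100' line placed before pam_ldap gates only the LDAP path."""

# Constructed sample stores: user -> (uid, password accepted by that backend).
LOCAL_DB = {"root": (0, "local-root-pw"), "alice": (1000, "alice-pw")}
LDAP_DB = {"root": (0, "ldap-root-pw"), "alice": (1000, "alice-pw"),
           "bob": (1001, "bob-pw")}

def pam_unix(user, password):
    entry = LOCAL_DB.get(user)
    return entry is not None and entry[1] == password

def pam_ldap(user, password):
    entry = LDAP_DB.get(user)
    return entry is not None and entry[1] == password

def pam_deny(user, password):
    return False

def pam_succeed_if_uid_ge(threshold):
    """Models 'pam_succeed_if.so uid >= <threshold>'; the uid is looked up
    as the name service would (local table first, then LDAP)."""
    def module(user, password):
        entry = LOCAL_DB.get(user) or LDAP_DB.get(user)
        return entry is not None and entry[0] >= threshold
    return module

def authenticate(stack, user, password):
    """Walk the stack in order; returns True iff authentication succeeds."""
    failed = False
    for control, module in stack:
        ok = module(user, password)
        if control == "requisite" and not ok:
            return False              # stop the stack immediately
        if control == "required" and not ok:
            failed = True             # remember the failure, keep going
        if control == "sufficient" and ok and not failed:
            return True               # done; the rest of the stack is skipped
    return not failed

# Both backends 'sufficient': whichever store knows root's password wins.
WEAK_STACK = [("sufficient", pam_unix), ("sufficient", pam_ldap),
              ("required", pam_deny)]

# The requisite line comes after pam_unix, so local root is unaffected, but
# any uid < 100 (root and system accounts) never reaches pam_ldap.
HARDENED_STACK = [("sufficient", pam_unix), ("requisite", pam_succeed_if_uid_ge(100)),
                  ("sufficient", pam_ldap), ("required", pam_deny)]
```

With WEAK_STACK, root authenticates with the LDAP password even though a local root entry exists; with HARDENED_STACK only the local password works for root, while regular LDAP-only users such as "bob" still get through.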