• Bug#267023: libpam-ldap allows unauthorized login with pam_chech_host_a

    From Rik Theys@1:229/2 to All on Fri Aug 20 12:50:09 2004
    From: [email protected]

    Package: libpam-ldap
    Version: 164-2
    Severity: grave
    Tags: sarge security

    When I configure /etc/pam_ldap.conf to use the host attribute (set 'pam_check_host_attr yes') and use the 'login' pam.d file from the
    examples directory in /usr/share/doc/libpam-ldap/examples/pam.d, users
    that are not allowed to login can still login. The "Access denied for
    this host" message is shown but is not effective.

    Users that are not supposed to be able to log in on my server can still
    log in.

    Transcript:
    -----------
    Login: fedora
    Password:
    Access denied for this host

    Last login: Fri Aug 20 11:15:40 2004 from sarge
    [fedora@sarge Fedora]$

    The correct behaviour would be to disallow access to the system.

    My /etc/pam.d/login file:
    -------------------------
    #%PAM-1.0
    auth required /lib/security/pam_securetty.so
    auth required /lib/security/pam_nologin.so
    auth sufficient /lib/security/pam_ldap.so
    auth required /lib/security/pam_unix_auth.so try_first_pass
    account sufficient /lib/security/pam_ldap.so
    account required /lib/security/pam_unix_acct.so
    password required /lib/security/pam_cracklib.so
    password required /lib/security/pam_ldap.so
    password required /lib/security/pam_pwdb.so use_first_pass
    session required /lib/security/pam_unix_session.so
    #session optional /lib/security/pam_console.so

    My /etc/nsswitch.conf file:
    ---------------------------
    passwd: files ldap
    group: files ldap
    shadow: files ldap

    hosts: files dns ldap
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    netgroup: files ldap

    automount: files ldap
    aliases: files ldap

    libnss-ldap is also installed and configured to use LDAP.

    I am using Debian 3.1 (sarge), kernel 2.6.7-1-686-smp

    Version of dependencies of libpam-ldap:

    sarge:~# COLUMNS=120 dpkg -l | egrep '(libc6|libldap2|libpam0g)'
    ii libc6 2.3.2.ds1-13
    ii libc6-dev 2.3.2.ds1-13
    ii libgpmg1 1.19.6-12.1
    ii libgpmg1-dev 1.19.6-12.1
    ii libldap2 2.1.30-2
    ii libldap2-dev 2.1.30-2
    ii libpam0g 0.76-22
    ii libpam0g-dev 0.76-22

    --
    Rik Theys
    ----------------------------------------------------------------
    <<Any errors in spelling, tact or fact are transmission errors>>


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From Stephen Frost@1:229/2 to [email protected] on Fri Aug 20 14:40:09 2004
    From: [email protected]

    * Rik Theys ([email protected]) wrote:
    > Package: libpam-ldap
    > Version: 164-2
    > Severity: grave
    > Tags: sarge security

    Well, first you might test 169-1, though I doubt that's the problem
    here.

    > When I configure /etc/pam_ldap.conf to use the host attribute (set 'pam_check_host_attr yes') and use the 'login' pam.d file from the
    > examples directory in /usr/share/doc/libpam-ldap/examples/pam.d, users
    > that are not allowed to login can still login. The "Access denied for
    > this host" is shown but not effective.

    The example might suck. PAM is a rather annoying system. I think you
    may have to have something a little better in your PAM files. I get the feeling that the problem might be that you've got 'auth sufficient' wrt pam_ldap, and that's failing, but then it tries 'auth required' using pam_unix_auth, and that works. Since you've got libnss-ldap installed
    that seems even more possible since pam_unix_auth will use NSS, and thus libnss-ldap.

    I'm about to head in to work but I'll see about setting up a similar
    test case and will look at my configs to get a better idea. I
    *seriously* doubt pam_ldap is returning the wrong thing to the PAM stack though. Oh, thinking about it, a simple thing might be to drop 'ldap'
    from the shadow: line in your nsswitch.conf.

    Stephen

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFBJeqUrzgMPqB3kigRAqs6AJ9KPM+bEd/HoVWDTdg8cNzHIWYjpwCfW1eg bxYKqjyTcz0GZZKuE+h38Uo=
    =eROq
    -----END PGP SIGNATURE-----

  • From Rik Theys@1:229/2 to Stephen Frost on Fri Aug 20 15:00:16 2004
    From: [email protected]

    Stephen Frost wrote:
    > Well, first you might test 169-1, though I doubt that's the problem
    > here.

    Tried it. Doesn't fix it.

    > The example might suck. PAM is a rather annoying system. I think you
    > may have to have something a little better in your PAM files. I get the

    I agree.

    I was happy to notice that Debian was the only distribution that did not
    suffer from the problem other distributions have: if you configure
    PAM/NSS (using 'authconfig') to use LDAP and the network goes down, even
    root cannot log in on the machine :-(. On RedHat bugzilla this bug was
    filed against RH7.2 and it's still not fixed.

    > feeling that the problem might be that you've got 'auth sufficient' wrt pam_ldap, and that's failing, but then it tries 'auth required' using pam_unix_auth, and that works. Since you've got libnss-ldap installed
    > that seems even more possible since pam_unix_auth will use NSS, and thus libnss-ldap.

    > Oh, thinking about it, a simple thing might be to drop 'ldap'
    > from the shadow: line in your nsswitch.conf.

    I've tried that. And it works, but I don't think that's the way it should be.

    An LDAP user can log in OK
    local user can log in OK
    An LDAP user without the correct 'host' attribute:

    ======================================
    sarge login: fedora
    password:
    Access denied for this host

    Authentication service cannot retrieve authentication info.

    sarge login:
    ======================================

    Greetings,
    --
    Rik Theys



  • From Philipp Matthias Hahn@1:229/2 to All on Fri Aug 20 15:10:11 2004
    From: [email protected]

    Hello!

    I have a setup using LDAP. The problem is indeed pam_unix.so, because it
    always returns success when used for "account" and when libnss-ldap is
    used in /etc/nsswitch.conf.

    What works for me is to remove "ldap" from /etc/nsswitch.conf and use
    the following lines in /etc/pam.d/common-account:
    account [success=1 default=ignore] pam_unix.so
    account [success=ok new_authtok_reqd=ok ignore=ignore default=bad perm_denied=bad] pam_ldap.so
    account required pam_permit.so

    BYtE
    Philipp
    --
    Philipp Matthias Hahn <[email protected]>
    GPG/PGP: 9A540E39 @ keyrings.debian.org



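The stack semantics that Stephen and Philipp are pointing at, worked through as an added Python simulation. This is not code from the bug report, from libpam or from libpam-ldap; it implements the control-flag rules documented in pam.conf(5) (the four keywords as shorthand for [value=action] tables, plus ok/done/bad/die/ignore/reset/N) and walks the /etc/pam.d/login stack from the original report and the common-account stack from the last message. The module return values fed into it are assumptions, not output captured from the real modules: pam_ldap.so returning PAM_PERM_DENIED from the host check, pam_unix returning PAM_AUTHINFO_UNAVAIL when it cannot reach a shadow entry (consistent with the "cannot retrieve authentication info" line in the second transcript) and PAM_USER_UNKNOWN for a user it cannot find at all.

```python
"""Simulate how Linux-PAM walks a module stack, per pam.conf(5).

Added example for bug #267023: shows why 'auth sufficient pam_ldap.so'
followed by 'auth required pam_unix_auth.so' lets a host-denied LDAP user
in when libnss-ldap serves the shadow entry, and why the bracketed
common-account stack does not. Module return codes below are constructed
assumptions for the walk-through, not captured from the real modules.
"""
import re

# The legacy keywords are shorthand for these [value=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}
MUST_FAIL = "perm_denied"   # libpam's result when no module contributed anything


def parse_stack(text, stack_type):
    """Turn pam.d lines of one type (auth, account, ...) into [(action_table, module)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if not m or m.group(1) != stack_type:
            continue
        control, module = m.group(2), m.group(3).rsplit("/", 1)[-1]   # drop /lib/security/
        table = (dict(kv.split("=", 1) for kv in control[1:-1].split())
                 if control.startswith("[") else KEYWORDS[control])
        entries.append((table, module))
    return entries


def run_stack(entries, returns):
    """Walk the stack like libpam; returns (final_result, trace). Unlisted modules succeed."""
    status, failed, trace, i = None, False, [], 0
    while i < len(entries):
        table, module = entries[i]
        rc = returns.get(module, "success")
        action = table.get(rc, table.get("default", "bad"))
        trace.append(f"{module} -> {rc} [{action}]")
        i += 1
        if action == "ignore":
            continue                          # this module's result does not count
        if action == "reset":
            status, failed = None, False      # forget the stack state so far
        elif action in ("ok", "done") or action.isdigit():
            if not failed:
                status = rc                   # ok never overrides an earlier failure
            if action == "done":
                break                         # 'sufficient' success ends the stack here
            if action.isdigit():
                i += int(action)              # N: ok, then jump over the next N modules
        else:                                 # "bad" or "die"
            if not failed:
                status, failed = rc, True     # first failure decides the whole stack
            if action == "die":
                break
    return (status if status is not None else MUST_FAIL), trace


# The auth/account lines of the /etc/pam.d/login file from the original report.
LOGIN_STACK = """\
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
"""

# The common-account stack from the last message in the thread.
COMMON_ACCOUNT_FIXED = """\
account [success=1 default=ignore] pam_unix.so
account [success=ok new_authtok_reqd=ok ignore=ignore default=bad perm_denied=bad] pam_ldap.so
account required pam_permit.so
"""


def login_with_ldap_in_shadow():
    """Report as filed: host-denied LDAP user, 'shadow: files ldap' in nsswitch.conf."""
    returns = {"pam_ldap.so": "perm_denied",      # assumed: host check fails, message printed
               "pam_unix_auth.so": "success"}     # assumed: hash served by libnss-ldap matches
    auth, _ = run_stack(parse_stack(LOGIN_STACK, "auth"), returns)
    acct, _ = run_stack(parse_stack(LOGIN_STACK, "account"), returns)
    return auth, acct                             # both "success": the user gets a shell


def login_without_ldap_in_shadow():
    """Stephen's workaround: same user, 'ldap' dropped from the shadow: line."""
    returns = {"pam_ldap.so": "perm_denied",
               "pam_unix_auth.so": "authinfo_unavail"}   # assumed: no shadow entry reachable
    return run_stack(parse_stack(LOGIN_STACK, "auth"), returns)[0]


def fixed_account(user_kind):
    """Philipp's common-account with 'ldap' out of nsswitch.conf, for three kinds of user."""
    returns = {"local":         {"pam_unix.so": "success"},          # success=1 skips pam_ldap
               "ldap_ok_host":  {"pam_unix.so": "user_unknown", "pam_ldap.so": "success"},
               "ldap_bad_host": {"pam_unix.so": "user_unknown", "pam_ldap.so": "perm_denied"}}
    return run_stack(parse_stack(COMMON_ACCOUNT_FIXED, "account"), returns[user_kind])[0]


if __name__ == "__main__":
    for name, fn in [("as filed", login_with_ldap_in_shadow),
                     ("ldap off shadow:", login_without_ldap_in_shadow)]:
        print(f"{name}: {fn()}")
    for kind in ("local", "ldap_ok_host", "ldap_bad_host"):
        print(f"fixed common-account, {kind}: {fixed_account(kind)}")
```

Two rules carry the whole argument: a 'sufficient' module's failure is an 'ignore' action, so pam_ldap's denial vanishes from the stack and the 'required' pam_unix_auth line decides the outcome; and 'ok' never overrides an earlier failure, so in the bracketed stack the trailing pam_permit.so cannot rescue a 'bad' from pam_ldap, while a local user whose pam_unix result is 'success=1' jumps over pam_ldap entirely. A stack in which every module ended up ignored returns PAM_PERM_DENIED.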