On Mon, 2010-05-31 at 21:29 -0700, Steve Langasek wrote: 
> Well, that's an interesting question.  I don't have a definitive
> answer for you about whether these should all be Additional instead of
> Primary. Currently on my system, I have pam_krb5 as 'Additional',
> because it imposes other checks in addition to those of pam_unix
> (pam_krb5 never implies a separate NSS backend); and pam_winbind is
> 'Primary', which is not what people want in all situations - you may
> want to impose other group membership requirements with pam_winbind's
> 'require_membership_of=' option - but I don't see any way that it's
> harmful (insecure) to do this by default. So I *could* move this to
> 'Additional' (and add the 'unknown_ok' option), but I don't see any
> reason that it's required to do so; and OTOH it might provoke network
> delays in critical paths if we did.

Thanks for your answer. I would expect that all authorisation checks
should be done for all registered PAM modules (as long as
user_unknown=ignore and/or similar is supplied). Do you think that any
module other than pam_unix should be primary?

I would think that for any general user authentication to work user
information should be exposed through NSS and therefore pam_unix should
always be called to do authorisation checks based on that information.

> So while it's clearly a bug for the *ldap* profiles to be marked
> Primary for authorization, I think it's fine for pam_unix to be listed
> as Primary.  What do you think?

I have just done some testing and if LDAP does not provide /etc/shadow
information (not entirely unheard of) pam_unix does not return success.
In this configuration you would need to have pam_ldap as Primary or move
everything to Additional. I haven't tested what happens if LDAP provides
empty shadow information.

To get all modules playing along nicely in the Additional section for
all tested configurations you need to have this as control expression
for every module (at least for pam_unix and pam_ldap):
  [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore
  authinfo_unavail=ignore default=bad]
This is quite a long list and a bit ugly but works for both
configurations.

I don't think it's unreasonable to not provide shadow information from
LDAP. In fact in some ways it is nicer (you don't get authentication
failure messages in your log from pam_unix).

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to