On Mon, 2010-05-31 at 21:29 -0700, Steve Langasek wrote: > Well, that's an interesting question. I don't have a definitive > answer for you about whether these should all be Additional instead of > Primary. Currently on my system, I have pam_krb5 as 'Additional', > because it imposes other checks in addition to those of pam_unix > (pam_krb5 never implies a separate NSS backend); and pam_winbind is > 'Primary', which is not what people want in all situations - you may > want to impose other group membership requirements with pam_winbind's > 'require_membership_of=' option - but I don't see any way that it's > harmful (insecure) to do this by default. So I *could* move this to > 'Additional' (and add the 'unknown_ok' option), but I don't see any > reason that it's required to do so; and OTOH it might provoke network > delays in critical paths if we did.
Thanks for your answer. I would expect that all authorisation checks should be done for all registered PAM modules (as long as user_unknown=ignore and/or similar is supplied). Do you think that any module other than pam_unix should be primary? I would think that for any general user authentication to work user information should be exposed through NSS and therefore pam_unix should always be called to do authorisation checks based on that information. > So while it's clearly a bug for the *ldap* profiles to be marked > Primary for authorization, I think it's fine for pam_unix to be listed > as Primary. What do you think? I have just done some testing and if LDAP does not provide /etc/shadow information (not entirely unheard of) pam_unix does not return success. In this configuration you would need to have pam_ldap as Primary or move everything to Additional. I haven't tested what happens if LDAP provides empty shadow information. To get all modules playing along nicely in the Additional section for all tested configurations you need to have this as control expression for every module (at least for pam_unix and pam_ldap): [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] This is quite a long list and a bit ugly but works for both configurations. I don't think it's unreasonable to not provide shadow information from LDAP. In fact in some ways it is nicer (you don't get authentication failure messages in your log from pam_unix). -- -- arthur - [email protected] - http://people.debian.org/~adejong --
signature.asc
Description: This is a digitally signed message part

