Dear list,
As a side effect of using login_ldap from ports, I encounter trouble
using skeyinit and lock for regular users. This appears to be caused
by the permission I put in place on /etc/login.conf (0600) to shield
off login_ldap's bindpw attribute.
Unsurprisingly, lifting these restrictions makes skeyinit and lock
happy again as they can obtain their desired login class information.
Is there a way to open up login.conf without divulging the bindpw?
Reading the login_ldap and login.conf man pages, I did not find any.
So far, I see two possible remedies: [1] patching login_ldap to obtain
sensitive data in a similar way as login_radius does from /etc/raddb,
or [2] making /etc/login.conf readable to the 'auth' group, as both lock
and skeyinit have their SGID bits set.
Since [2] is less intrusive, I am inclined to take that route. Are
there any setbacks to expect? Other suggestions are more than welcome,
of course.
Cheers,
Rogier
List of the symptoms:
$ skeyinit
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet,
hit return now and use skeyinit -s.
skeyinit: Password incorrect
And a corresponding log entry in /var/log/messages:
Aug 30 17:54:20 karres skeyinit: iverdahl: getting class information:
Permission denied
$ lock -np
lock: /dev/ttyp3 on karres.iverdahl.net. no timeout
time now is Wed Aug 30 17:55:53 2006
Key:
Subsequent attempts to enter my password fail, including those
attempts where I did type my password correctly.
Again a log entry on /var/log/messages (upon issuing the lock command):
Aug 30 17:55:53 karres lock: iverdahl: getting class information:
Permission denied
--
If you don't know where you're going, any road will get you there.
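As an added example (not part of Rogier's mail or of OpenBSD), a small sh audit of the permission model behind remedy [2]: /etc/login.conf owned by the 'auth' group with mode 0640, so that the setgid-auth tools can still read login classes while other users cannot read login_ldap's bindpw. It assumes the usual ls(1) column layout, the group name auth, and the OpenBSD paths /usr/bin/skeyinit and /usr/bin/lock.

```shell
#!/bin/sh
# Added example, not from the original mail. Checks the layout proposed
# as remedy [2]: login.conf unreadable by "other", readable by the group
# that skeyinit and lock gain through their setgid bit.

# Print the ls(1) mode string and group of a file, e.g. "-rw-r----- auth".
mode_and_group() {
    set -- $(ls -ld "$1")
    # Some ls implementations append '+' or '.' for ACLs/security labels.
    printf '%s %s\n' "${1%[+.]}" "$4"
}

# Succeed only if FILE denies "other" entirely and lets GROUP read it.
check_login_conf() {
    file=${1:-/etc/login.conf}; group=${2:-auth}
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    set -- $(mode_and_group "$file")
    case $1 in
        ???????---) ;;
        *) echo "$file: mode $1 is readable by everyone; bindpw exposed"; return 1 ;;
    esac
    case $1 in
        ????r?????) ;;
        *) echo "$file: group cannot read it; skeyinit/lock will report" \
                "'getting class information: Permission denied'"; return 1 ;;
    esac
    [ "$2" = "$group" ] || { echo "$file: group is $2, expected $group"; return 1; }
    return 0
}

# Succeed only if TOOL is setgid to GROUP (ls shows 's' in the group
# execute slot), i.e. it really runs with the group that may read the file.
check_sgid_tool() {
    tool=$1; group=${2:-auth}
    [ -f "$tool" ] || { echo "$tool: missing"; return 1; }
    set -- $(mode_and_group "$tool")
    case $1 in
        ??????s???) ;;
        *) echo "$tool: not setgid ($1)"; return 1 ;;
    esac
    [ "$2" = "$group" ] || { echo "$tool: setgid to $2, not $group"; return 1; }
    return 0
}

# Usage on an OpenBSD host (paths from the base system):
#   check_login_conf /etc/login.conf auth
#   for t in /usr/bin/skeyinit /usr/bin/lock; do check_sgid_tool "$t" auth; done
```

If /etc/login.conf.db exists (built with cap_mkdb), it holds the same data and needs the same group and mode, or the bindpw leaks through it instead.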