[Bug 64301] Re: Unable to unlock screen when using ldap

2010-05-07 Thread Emu
Sorry for the confusion. We need to distinguish three files:
- the CA certificate (world-readable) is used to verify the identity of the 
server to the client
- the client certificate (world-readable) is used to verify the identity of 
the client to the server
- the private key (readable to root and nslcd only) is also needed to 
verify the identity of the client to the server as well as encrypting the 
communication

As long as it is just the CA and client certificates that are world-
readable there is no problem at all. I'm just talking about the private
key file. I assumed that you were referring to the private key as well
as I don't see how it could work otherwise without using the nslcd
daemon. If the key is not world-readable, there is no problem at all.

-- 
Unable to unlock screen when using ldap
https://bugs.launchpad.net/bugs/64301
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gnome-screensaver in ubuntu.

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs


[Bug 64301] Re: Unable to unlock screen when using ldap

2010-05-07 Thread Emu
The point is that the certificate key should *never* be world readable
for security reasons. Otherwise you might as well not use encryption at
all as any user on your system can access it. That's the whole reason
for the nscd/nslcd concept. Better use the solution I posted above.

Some explanations for those who are interested (they might not be
accurate as I'm not aware of how things are implemented, but they make
sense to me):

The PAM modules are configured as dynamically linkable libraries. Since
your gnome-screensaver runs with your own user rights, all libraries
linked into it run with user rights as well. So when gnome-screensaver
tries to connect to the LDAP server via PAM it cannot read the
certificate key and fails to connect resulting in a rejected password.

One solution would be to allow all users to read the key, but that's a
giant security hole as mentioned above. Another solution would be to set
the SUID bit of the gnome-screensaver dialog so it runs with root
rights no matter which user started it (this hasn't worked for some
time; my guess is that the program checks if it runs with root rights
and fails, to prevent users gaining root rights using buffer overflows or
other bugs in the program). This worked for the KDE screensaver though.

That's the reason why the nscd was so important with the old systems.
Instead of invoking the PAM modules directly most programs would do
authentication via nscd which runs as root and thus can connect to the
LDAP server. However, gnome-screensaver never did :(

The new packages introduce nslcd which does not need to be addressed by
gnome-screensaver as the PAM modules communicate with it automatically.
It also doesn't run with root rights unless explicitly set (which is not
necessary), but with sufficient rights to read the key file. Therefore it
allows the certificate key to be kept closed without the risk of someone
abusing it to gain root rights.



[Bug 64301] Re: Unable to unlock screen when using ldap

2010-05-06 Thread Emu
SOLVED in Ubuntu Lucid: use 'libnss-ldapd' and 'libpam-ldapd' (note the
'd' at the end of the packages) together with the 'nslcd' package
(note the 'l' in the middle).

This allows setting the user and group with which the 'nslcd' daemon runs
in '/etc/nslcd.conf'. I set the group from 'nslcd' to 'ssl-cert' and
made sure that the key file can be read by that group.

My '/etc/nslcd.conf' reads as follows:

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid ssl-cert

# The location at which the LDAP server(s) should be reachable.
uri ldap://

# The search base that will be used for all queries.
base 

# The LDAP protocol version to use.
ldap_version 3

# SSL options
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-local.cert.pem
tls_cert /etc/ssl/certs/client.cert.pem
tls_key /etc/ssl/private/client.key.pem

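An added check, not from the thread or from the nslcd project, that audits the arrangement the two posts above describe: read uid/gid and tls_key from an nslcd.conf, then confirm the key is not world-readable yet is group-readable by the group nslcd drops to. demo() constructs its own conf and placeholder key in a temporary directory and uses the current process's numeric group in place of 'ssl-cert'; the finding strings and file names are this example's own assumptions.

```python
import grp
import os
import stat
import tempfile

def parse_nslcd_conf(path):
    """Map option name -> value for an nslcd.conf-style file (first token is the option)."""
    opts = {}
    with open(path) as fh:
        for raw in fh:
            parts = raw.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts

def audit_nslcd_key(conf_path):
    """Findings for the tls_key in conf_path; [] means closed to others, readable by the gid."""
    opts = parse_nslcd_conf(conf_path)
    if not opts.get("tls_key"):
        return ["no tls_key configured"]
    if "gid" not in opts:
        return ["no gid configured, nslcd keeps the group it was started with"]
    st = os.stat(opts["tls_key"])
    findings = []
    if st.st_mode & stat.S_IROTH:
        findings.append("key is world-readable")  # any local user could read the key
    gid = opts["gid"]  # nslcd accepts a name or a numeric id here
    want_gid = int(gid) if gid.isdigit() else grp.getgrnam(gid).gr_gid
    if st.st_gid != want_gid or not (st.st_mode & stat.S_IRGRP):
        findings.append("key not readable by the configured gid")
    return findings

def demo():
    """Constructed demo: write a sample nslcd.conf and placeholder key twice, once
    with the weak 0644 mode and once with the corrected 0640, and audit each."""
    my_group = str(os.getegid())  # stands in for 'ssl-cert' so this runs without root
    results = {}
    for label, mode in (("weak", 0o644), ("corrected", 0o640)):
        tmp = tempfile.mkdtemp()
        key = os.path.join(tmp, "client.key.pem")
        with open(key, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder, not a real key\n")
        os.chmod(key, mode)
        conf = os.path.join(tmp, "nslcd.conf")
        with open(conf, "w") as fh:
            fh.write("# constructed sample\nuid nslcd\ngid %s\ntls_key %s\n" % (my_group, key))
        results[label] = audit_nslcd_key(conf)
    return results
```

Pointing audit_nslcd_key at a real /etc/nslcd.conf reports the same findings for the key that file names.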


[Bug 64301] Re: Unable to unlock screen when using ldap

2008-05-02 Thread Emu
The problem with the two password requests can be solved by adding 
'use_first_pass' to the line with pam_unix.so, such that it looks like
auth sufficient pam_ldap.so
auth required   pam_unix.so nullok_secure use_first_pass

However, this does not solve the problem when the LDAP connection is
encrypted and the certificate can only be read by root. Also in Hardy
gnome-screensaver does not seem to communicate with the NSCD, but tries
to call the LDAP server directly.

I still don't get why the workaround setting gnome-screensaver-dialog
SUID doesn't work anymore. In that case pam_ldap should run with root
rights. Has anyone more insight on the authentication mechanism? Maybe
gnome-screensaver-dialog calls another program to do the actual
verification in newer versions...



[Bug 64301] Re: Unable to unlock screen when using ldap

2007-07-06 Thread Emu
The problem can also be due to encrypted connections to the LDAP server
since the private key must be readable by root only. In older versions
of Ubuntu (at least Dapper Drake) the following commands fixed the
problem:

chmod +s /usr/lib/gnome-screensaver/gnome-screensaver-dialog
chmod +s /usr/bin/kcheckpass

But the SUID/SGID bits open possible security holes.

Under Feisty Fawn even this does not work anymore! A connection of the
screensavers to the LDAP server over nscd (as suggested above) would be
the best solution.
