*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Marc Deslauriers (mdeslaur):
I've been working on getting a small lab up and running on Ubuntu 10.10 using LDAP authentication. I'm using the stock versions found in the repos (e.g. nslcd v0.7.6) and I've run into an interesting problem: LDAP users can get a session on the machine without a password. That is, if a user exists in LDAP they can log in to the machine by hitting the return key when asked for a password; this does not work for local users, nor can you make up an ID and expect it to work. BTW, if you give it a wrong password, you can't get a session (you get an "LDAP authentication failed" message).

What I expected to happen: try to log in to a machine using LDAP authentication and get stopped when I provide bad credentials (e.g. good username, bad - or no - password).

What happened: on a lightly configured machine I can log in using a good username from LDAP and *no* password.

Security implications: if "user A" tries to log in with LDAP id "user B", "user A" can access all of the data stored on the local machine by "user B" - and they don't need a password to do it.

I can reliably replicate this problem (and have done at least 10 times in a VM):

1) apt-get install nslcd (libpam-ldapd, libnss-ldapd and nscd are dependencies, so they get installed as well)
2) during configuration, provide debconf with basic info about our LDAP setup (in my case, connect to a SunLDAP server).
3) add config info to nslcd.conf to allow connections (in my case it needs a specific certificate, so I add tls_cacertfile /path/to/dot-pem-file)

The nsswitch.conf and nscd.conf files don't need to be edited at all, and the debconf configuration done by Ubuntu seems to be good enough to allow connections.

At this point I restart the machine and try to log in as an LDAP user. When asked for a password I hit [enter] and I get a session. This user has never used the machine before and is not a duplicate of a local username. The uid of the LDAP user is correct (that is, the uid is passed to the local machine by the LDAP server and is not locally assigned).

As the LDAP user, I can su to any other LDAP ID without a password (just hit [enter] when asked for a password). I *cannot* su to a local user.

I've been in touch with the nslcd developer via the nss-pam-ldapd-users list (thread here: http://lists.arthurdejong.org/nss-pam-ldapd-users/2011/msg00026.html - includes debug info). His response suggests that newer versions of nslcd address this kind of problem directly (see thread), so I tried installing the 11.04 packages (v0.7.13) in my 10.10 test box, and I no longer have the problem. It *appears* that newer releases (likely 0.7.7+) fix my problem.

Is there any way to address this problem in Maverick?

** Affects: nss-pam-ldapd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
LDAP session created with no password required
https://bugs.launchpad.net/bugs/720401
You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
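The symptom in the report above (a known LDAP user gets in with [enter], a wrong password is refused, a made-up user is refused) is the classic shape of the LDAP "unauthenticated" simple bind (RFC 4513, section 5.1.2): a BindRequest carrying a DN and a zero-length password is not an authentication failure, it is a request for an unauthenticated session, and a server that permits it answers success. A PAM module that equates "bind returned success" with "password verified" therefore lets anyone in as any directory user until it refuses empty passwords itself. The code below is an added example written for this page, not code from the bug report or from nss-pam-ldapd; the directory contents, the DNs and the bind function are constructed stand-ins for a real server so it runs offline.

```python
"""Added example (not from the bug report or from nss-pam-ldapd).

Shows why a PAM-style LDAP password check must refuse an empty
password before it ever reaches the directory, using a constructed
in-process stand-in for an LDAP server's simple bind.
"""

from typing import Callable, Dict

# Constructed sample directory: DN -> password. A real nslcd would
# consult the server named in nslcd.conf instead.
FAKE_DIRECTORY: Dict[str, str] = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse",
    "uid=bob,ou=people,dc=example,dc=org": "battery staple",
}

BindFn = Callable[[str, str], bool]


def fake_simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP server's simple bind, following RFC 4513:

    - DN + non-empty password: authenticated bind, checked against the
      directory.
    - DN + empty password: *unauthenticated* bind (section 5.1.2).
      Servers that allow it answer success without checking anything.
    - empty DN + empty password: anonymous bind, also success.

    The return value means "the bind completed", which is exactly what
    a naive caller mistakes for "the credentials were verified".
    """
    if password == "":
        return True  # anonymous / unauthenticated bind accepted
    return FAKE_DIRECTORY.get(dn) == password


def naive_pam_auth(dn: str, password: str, bind: BindFn = fake_simple_bind) -> bool:
    """The mistake: treat any successful bind as proof of identity.

    With an empty password this returns True for every DN the server
    will accept an unauthenticated bind for, i.e. any existing user.
    """
    return bind(dn, password)


def guarded_pam_auth(dn: str, password: str, bind: BindFn = fake_simple_bind) -> bool:
    """Refuse an empty DN or an empty password before binding.

    This is the client-side check that turns "bind succeeded" back into
    "this DN proved knowledge of its password". It also keeps a wrong
    password from being confused with no password at all.
    """
    if not dn or not password:
        return False
    return bind(dn, password)


def compare_login(dn: str, password: str) -> Dict[str, bool]:
    """Run both checks for one login attempt; handy for the test below."""
    return {
        "naive": naive_pam_auth(dn, password),
        "guarded": guarded_pam_auth(dn, password),
    }


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=org"
    for label, pw in (("empty", ""), ("wrong", "nope"), ("right", "correct horse")):
        print(label, compare_login(alice, pw))
```

The guard is the whole fix: the directory server never sees the empty password, so it never gets the chance to treat it as an unauthenticated bind. A server-side belt-and-braces setting (for example disallowing unauthenticated binds in the directory's configuration) is worth having too, but the client must not rely on it, since the same PAM module may be pointed at a server whose administrator left the default in place.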
