Public bug reported:
This issue is the result of interplay of a few different packages. My
feeling is this is probably the best place to fix it, so I'm reporting
it here.
Take a standard Ubuntu 11.04 or 11.10, install ssh and ldap, along with
libpam-ldap.
In /etc/ssh/sshd_config there's a setting LoginGraceTime which defaults
to 120. This is the length of time in seconds that sshd gives a login to
successfully complete the connection-starting handshake before killing
the process.
In /etc/ldap.conf there are two settings:
bind_timeout - defaults to 30
bind_policy - defaults to hard, which means the ldap client will do an
exponential backoff when it's unable to connect to the ldap server.
The result is that with an ldap server that is down, with these
defaults the ldap client will try (unsuccessfully) to make a connection
for around 240 seconds.
But, sshd kills the process after 120 seconds. Backup means of
authentication _are not tried_. If there's a way to get around this
lockout, I'm not aware of it.
I'd suggest changing the default bind_timeout to 5 or 10 seconds... this
seems plenty long, and then a default install of all of these packages
wouldn't result in a dangerous default configuration.
Thanks.
** Affects: ldap-auth-client (Ubuntu)
Importance: Undecided
Status: New
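Added example, not part of the bug report or of either package: a small Python audit that parses the two files the report names (sshd_config and ldap.conf) and flags the case where the LDAP client's retry time under bind_policy hard can outlast sshd's LoginGraceTime. The 8x worst-case multiplier is an assumption derived from the report's own figures (about 240 s with bind_timeout 30), not the exact pam_ldap schedule, and the sample configs are constructed.

```python
import re

# Assumption (not from pam_ldap source): the report observes ~240 s of retrying
# with bind_timeout=30 and bind_policy=hard, i.e. about 8x the timeout, so that
# ratio is used as the worst-case multiplier for the hard policy.
HARD_POLICY_MULTIPLIER = 8

def parse_kv(text):
    """Parse 'Key value' / 'Key=value' lines (sshd_config, ldap.conf) into a dict.
    Keys are lowercased; like sshd, the first occurrence of a key wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        m = re.match(r"^(\w+)\s*=?\s*(.+)$", line)
        if m:
            conf.setdefault(m.group(1).lower(), m.group(2).strip())
    return conf

def parse_seconds(value):
    """sshd time values: plain seconds or a number with an s/m/h suffix."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]

def ldap_worst_case_seconds(ldap_conf):
    """Estimated time pam_ldap keeps retrying a down server before giving up."""
    timeout = int(ldap_conf.get("bind_timeout", 30))       # package default
    policy = ldap_conf.get("bind_policy", "hard").lower()   # package default
    return timeout * (HARD_POLICY_MULTIPLIER if policy == "hard" else 1)

def audit(sshd_text, ldap_text):
    """Flag a lockout risk when LDAP retries can outlast sshd's LoginGraceTime."""
    grace = parse_seconds(parse_kv(sshd_text).get("logingracetime", "120"))
    worst = ldap_worst_case_seconds(parse_kv(ldap_text))
    # LoginGraceTime 0 disables sshd's limit, so this interplay cannot lock out.
    return {"grace": grace, "worst": worst, "lockout_risk": grace != 0 and worst > grace}

# Constructed sample configs: the stock defaults, and the report's suggested fix.
SSHD_DEFAULT = "Port 22\n#LoginGraceTime 2m\nUsePAM yes\n"
LDAP_DEFAULT = "base dc=example,dc=com\nuri ldap://ldap.example.com/\nbind_policy hard\nbind_timeout 30\n"
LDAP_FIXED = LDAP_DEFAULT.replace("bind_timeout 30", "bind_timeout 10")

if __name__ == "__main__":
    for name, ldap in (("defaults", LDAP_DEFAULT), ("bind_timeout 10", LDAP_FIXED)):
        print(name, audit(SSHD_DEFAULT, ldap))
```

With the stock defaults the audit reports a 240 s worst case against a 120 s grace time; with bind_timeout 10 the worst case drops to 80 s and the flag clears.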
--
https://bugs.launchpad.net/bugs/897553
Title:
default config under ssh allows for easy machine lockout
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs