From owner-freebsd-ports@FreeBSD.ORG Sun Aug 28 14:11:58 2005
Date: Sun, 28 Aug 2005 16:11:55 +0200
From: Konstantin Saurbier <saurbier@math.uni-bielefeld.de>
To: Adam Pordzik
Cc: ports@freebsd.org
Subject: Re: security/pam_ldap - update to version 1.8.0
Message-ID: <20050828141155.GA30926@math.uni-bielefeld.de>
In-Reply-To: <4310E78B.8000209@gmx.de>
References: <20050826121256.GB19571@math.uni-bielefeld.de> <4310E78B.8000209@gmx.de>
X-GPG-Fingerprint: DB6A 4B8A 8AB3 6865 E60A 13AC 5A4B D04F 1E64FB2E
User-Agent: Mutt/1.5.9i
List-Id: Porting software to FreeBSD

Adam Pordzik wrote on Sun Aug 28, 2005 at 12:22:03AM:
> Konstantin Saurbier wrote:
> >Hi,
> >
> >I wrote a patch for security/pam_ldap to fix this security issue:
> >
> >http://www.kb.cert.org/vuls/id/778916
> >
> >Please test this patch and comment any problems or bugs. For me it worked
> >well, but my access to different releases and architectures is limited to
> >5.4-RELEASE and 6.0-BETA3 on i386.
>
> This bug issues only entries of "passwordPolicy" Class, so it's
> not very wicked.

I know, but there's no reason not to fix the port :-)

> > ================================================================================
> > Copy %%PREFIX%%/etc/ldap.conf.dist to %%PREFIX%%/etc/ldap.conf, then edit
> >-%%PREFIX%%/etc/ldap.conf in order to use this module.
> >Add a line similar to
> >-the following to /etc/pam.conf on 4.X, or create an /etc/pam.d/ldap
> >-on 5.X with a line similar to the following:
>
> Good idea to correct this!
>
> >+account sufficient pam_ldap.so
>
> Since pam_unix.so grants access to everybody in account stage, pam_ldap
> should be made "required" here, if you want PAM more than just _saying_
> "Access denied for this host". Hence a line
>
> account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
>
> works as expected. "ignore_authinfo_unavail" is needed not to lock out
> local/other users when the ldap server cannot be connected.

Good point. I fixed the patch, it's attached and can also be found at
http://www.math.uni-bielefeld.de/~saurbier/patches/pam_ldap.patch

Regards,
Konstantin

------------------------------------------------------
Konstantin Saurbier          Computerlabor Mathematik U5-138
Universitaet Bielefeld       Universitaetsstr. 25
                             33501 Bielefeld
email: saurbier@math.uni-bielefeld.de
------------------------------------------------------

[Attachment: pam_ldap.patch]

--- Makefile.orig	Fri Aug 26 15:11:00 2005
+++ Makefile	Fri Aug 26 14:34:44 2005
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	pam_ldap
-PORTVERSION=	1.7.8
+PORTVERSION=	1.8.0
 CATEGORIES=	security net
 MASTER_SITES=	http://www.padl.com/download/ \
 		ftp://ftp.padl.com/pub/
--- distinfo.orig	Fri Aug 26 15:12:21 2005
+++ distinfo	Fri Aug 26 14:37:07 2005
@@ -1,2 +1,2 @@
-MD5 (pam_ldap-178.tar.gz) = 222186c498d24a7035e8a7494fc0797d
-SIZE (pam_ldap-178.tar.gz) = 127074
+MD5 (pam_ldap-180.tar.gz) = 627f053fdffb8267ba73261394e0ecde
+SIZE (pam_ldap-180.tar.gz) = 127337
--- files/patch-aa.orig	Fri Aug 26 15:11:31 2005
+++ files/patch-aa	Fri Aug 26 15:07:45 2005
@@ -1,6 +1,6 @@
---- Makefile.in.orig	Sun Jun 26 13:33:47 2005
-+++ Makefile.in	Sun Jun 26 13:35:09 2005
-@@ -434,19 +434,15 @@
+--- Makefile.in.orig	Fri Aug 26 14:56:39 2005
++++ Makefile.in	Fri Aug 26 15:07:13 2005
+@@ -434,17 +434,13 @@
  
  install-exec-local: pam_ldap.so
  	@$(NORMAL_INSTALL)
@@ -17,10 +17,7 @@
 +	@if test ! -f $(DESTDIR)$(sysconfdir)/ldap.conf.dist; then \
  	  $(mkinstalldirs) $(DESTDIR)$(sysconfdir); \
 -	  $(INSTALL_DATA) -o root -g root $(srcdir)/ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
-+	  $(INSTALL_DATA) -o root -g wheel $(srcdir)/ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf.dist; \
++	  $(INSTALL_DATA) -o root -g wheel $(srcdir)/ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf.dist; \
  	fi
--	$(INSTALL_DATA) -o root -g root $(srcdir)/pam_ldap.5 $(DESTDIR)$(mandir)/man5/pam_ldap.5
-+	$(INSTALL_DATA) -o root -g wheel $(srcdir)/pam_ldap.5 $(DESTDIR)$(mandir)/man5/pam_ldap.5
  
  uninstall-local:
 -	@$(NORMAL_UNINSTALL)
--- pkg-message.orig	Fri Aug 26 15:26:45 2005
+++ pkg-message	Fri Aug 26 15:47:47 2005
@@ -1,8 +1,15 @@
 ================================================================================
 Copy %%PREFIX%%/etc/ldap.conf.dist to %%PREFIX%%/etc/ldap.conf, then edit
-%%PREFIX%%/etc/ldap.conf in order to use this module. Add a line similar to
-the following to /etc/pam.conf on 4.X, or create an /etc/pam.d/ldap
-on 5.X with a line similar to the following:
+%%PREFIX%%/etc/ldap.conf in order to use this module.
+Add a line similar to the following to /etc/pam.conf on 4.X:
 
 login auth sufficient %%PREFIX%%/lib/pam_ldap.so
+
+
+On 5.X insert the following on the appropiate lines in /etc/pam.d/system or
+/etc/pam.d/:
+
+auth sufficient pam_ldap.so no_warn try_first_pass
+account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
+session optional pam_ldap.so
 ================================================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDEcYrWkvQTx5k+y4RAgWoAJ0bKgUynmP+Fb3aPi2RrlnUzD2oRwCgjFHP
13uzDPfW2nZmnUXg7Ss59Bw=
=tarC
-----END PGP SIGNATURE-----
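Review bot: the Makefile hunk bumps PORTVERSION to 1.8.0 but nothing in the patch tells portaudit users that 1.7.8 is vulnerable; a security/vuxml entry referencing VU#778916 (http://www.kb.cert.org/vuls/id/778916) should go in together with this update so installed 1.7.8 packages get flagged. Two smaller points: the `---`/`+++` paths are relative to the port directory (`Makefile`, `distinfo`, `files/patch-aa`), so say in the mail that the patch is applied from inside security/pam_ldap; and since distinfo shows the distfile as pam_ldap-180.tar.gz, confirm that whatever derives the distfile name from PORTVERSION strips the dots from "1.8.0" the same way it did for "1.7.8".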
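Review bot: the new MD5 and SIZE lines in the distinfo hunk should be produced by `make makesum` against a freshly fetched pam_ldap-180.tar.gz, not typed in, and a committer should re-fetch from MASTER_SITES and compare before applying: the distinfo line is the only integrity check the ports framework performs on the distfile, and an MD5 entry that was hand-edited (or copied from a mirror) gives no assurance about what padl.com actually ships.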
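Review bot: in the second hunk of files/patch-aa the `-+`/`++` pair for the `$(INSTALL_DATA) -o root -g wheel ... ldap.conf.dist` line is identical except for whitespace, so that part of the change is noise; regenerate files/patch-aa from a clean diff of the 1.8.0 Makefile.in so only the real differences remain. The same hunk also drops both `pam_ldap.5` lines from the inner diff (its counts shrink from 19/15 to 17/13), which is correct only if upstream 1.8.0 no longer installs the man page with `-g root` from install-exec-local; please confirm the man page still ends up in man5 through the port's own MAN5/pkg-plist handling, because an unpatched `-g root` would have to run on a system with no `root` group.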
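Review bot: the pkg-message hunk should say where the 5.X lines go relative to pam_unix.so instead of "the appropiate lines": `auth sufficient pam_ldap.so no_warn try_first_pass` only admits LDAP-only users if it precedes `auth required pam_unix.so`, because a required failure earlier in the chain cannot be overridden by a later sufficient success, whereas `account required pam_ldap.so ...` yields the same result in either position. Also "appropiate" should read "appropriate", and "/etc/pam.d/:" is missing the service name after the slash. Since ldap.conf can carry the bind password (`bindpw`), the message should additionally tell the administrator to restrict permissions on %%PREFIX%%/etc/ldap.conf after copying it, as the .dist file is installed with INSTALL_DATA's default, world-readable mode.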
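The account-stage argument in Adam's comment (why `account sufficient pam_ldap.so` never denies anyone when pam_unix.so sits in the same chain, and what `ignore_unknown_user` and `ignore_authinfo_unavail` buy) as a small Python model. This is an added example written for this thread, not code from pam_ldap, OpenPAM or the FreeBSD port; the control-flag rules are a simplified reading of pam.conf(5) (requisite failure stops the chain, required failure is recorded but the chain continues, sufficient success short-circuits unless a required module already failed, failures of sufficient/optional modules are ignored), and the directory contents, user names and the `server_up` switch are constructed for the demonstration.

```python
"""Toy model of a PAM 'account' chain: why `account sufficient pam_ldap.so`
never denies anyone next to pam_unix.so, and what `ignore_unknown_user` and
`ignore_authinfo_unavail` change.  Added example for this thread; not code
from pam_ldap, OpenPAM or the FreeBSD port.  Control-flag rules are a
simplified reading of pam.conf(5); the directory and users are constructed."""

# PAM return codes used by the model (names as in PAM, values are just strings)
PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"                      # "act as if I were not listed"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"  # directory not reachable
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Constructed sample directory: account state per LDAP user.
DIRECTORY = {"alice": "active", "mallory": "denied"}


def pam_unix_account(user, opts):
    """FreeBSD's pam_unix account stage answers success for everybody it is
    asked about (Adam's point: it cannot be relied on to deny anyone)."""
    return PAM_SUCCESS


def make_pam_ldap_account(directory, server_up=True):
    """Build a pam_ldap-like account function over a constructed directory."""
    def account(user, opts):
        if not server_up:
            rc = PAM_AUTHINFO_UNAVAIL
        elif user not in directory:
            rc = PAM_USER_UNKNOWN
        elif directory[user] == "denied":
            rc = PAM_PERM_DENIED
        else:
            rc = PAM_SUCCESS
        # pam_ldap's two options turn specific failures into PAM_IGNORE
        if rc == PAM_AUTHINFO_UNAVAIL and "ignore_authinfo_unavail" in opts:
            rc = PAM_IGNORE
        if rc == PAM_USER_UNKNOWN and "ignore_unknown_user" in opts:
            rc = PAM_IGNORE
        return rc
    return account


def run_chain(chain, user):
    """Evaluate [(control, module_fn, options), ...] per simplified pam.conf(5):
    requisite failure stops the chain; required failure is recorded but the
    chain continues; sufficient success ends the chain with success unless a
    required module already failed; sufficient/optional failures are ignored."""
    first_error = None
    for control, module, opts in chain:
        rc = module(user, opts)
        if rc == PAM_IGNORE:
            continue
        if rc == PAM_SUCCESS:
            if control == "sufficient" and first_error is None:
                return PAM_SUCCESS
            continue
        if control == "requisite":
            return rc
        if control == "required" and first_error is None:
            first_error = rc
        # sufficient / optional: the failure is ignored
    return PAM_SUCCESS if first_error is None else first_error


def decision(ldap_control, ldap_opts, user, server_up=True):
    """Account decision for the two-module chain discussed in the thread:
    pam_ldap with the given control flag, followed by `account required pam_unix.so`."""
    chain = [
        (ldap_control, make_pam_ldap_account(DIRECTORY, server_up), ldap_opts),
        ("required", pam_unix_account, ()),
    ]
    return run_chain(chain, user)


if __name__ == "__main__":
    cases = [
        ("sufficient", (), "mallory", True),
        ("required", (), "mallory", True),
        ("required", (), "alice", False),
        ("required", ("ignore_authinfo_unavail",), "alice", False),
        ("required", (), "bob", True),
        ("required", ("ignore_unknown_user", "ignore_authinfo_unavail"), "bob", True),
    ]
    for control, opts, user, up in cases:
        print(f"account {control:<10} pam_ldap.so {' '.join(opts):<42} "
              f"user={user:<8} ldap_up={up!s:<5} -> {decision(control, opts, user, up)}")
```

The first two rows of the output are the point of the thread: with `sufficient`, mallory (marked denied in the directory) is let in because pam_unix.so answers success afterwards, while with `required` the denial sticks. The remaining rows show what the two `ignore_*` options are for: without them a `required` pam_ldap locks out every user as soon as the server is unreachable, and every local-only account the directory does not know about.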