Date: Thu, 22 May 2003 15:48:50 -0700
From: Gordon Tetlow <gordont@gnf.org>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Frank Bonnet <bonnetf@bart.esiee.fr>
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
Message-ID: <20030522224850.GK87863@roark.gnf.org>
In-Reply-To: <xzp65o2zkhf.fsf@flood.ping.uio.no>
References: <20030522184631.A23366@bart.esiee.fr> <xzp65o2zkhf.fsf@flood.ping.uio.no>
On Fri, May 23, 2003 at 12:26:20AM +0200, Dag-Erling Smorgrav wrote:
> Frank Bonnet <bonnetf@bart.esiee.fr> writes:
> > if in any file of the pam.d directory I replace
> > the original line :
> >
> > auth required pam_unix.so no_warn try_first_pass nullok
> >
> > by the following
> >
> > auth sufficient /usr/local/lib/pam_ldap.so
> >
> > for example in the /etc/pam.d/su file I can perform the "su -"
> > command WITHOUT TYPING ANY PASSWORD from a normal user login.
>
> If pam_ldap is the last line, it should be "required", not
> "sufficient"; alternatively it should be followed by pam_deny. This
> is (imperfectly) documented in /etc/pam.d/README:
>
> Note that having a "sufficient" module as the last entry for a
> particular service and module type may result in surprising behaviour.
> To get the intended semantics, add a "required" entry listing the
> pam_deny module at the end of the chain.

Do you think it might be a good idea to turn all the pam configuration
files to list actual providers at sufficient followed by a pam_deny:

auth sufficient pam_krb5.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so
auth required pam_deny.so

This makes it very explicit as to what's going on and makes it so the
last entry isn't different merely because it's last.

> Solaris introduced the "binding" flag to try to alleviate this
> problem. OpenPAM supports "binding", but does not document it
> anywhere.

I'm unfamiliar with this option. What's it do?

-gordon
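The following is an added illustration, not code from the thread or from OpenPAM: a small model of the control-flag semantics discussed above (required, requisite, sufficient, optional, binding), used to show why Frank's single trailing "sufficient" line authenticates even when pam_ldap fails, how the trailing pam_deny that Dag-Erling and Gordon propose closes that hole, and what "binding" changes. The rule that a chain with no required-type failure ends in success, even if nothing succeeded, is my reading of OpenPAM's dispatch, which is the assumption the model rests on.

```python
# Constructed model of a PAM auth chain under OpenPAM-style flag semantics.
# Not OpenPAM's code; written for this thread as an illustration only.
SUCCESS, DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR"

# Gordon's proposed layout: providers marked sufficient, then a hard stop.
GORDON_CHAIN = [
    ("sufficient", "pam_krb5.so"),
    ("sufficient", "pam_ldap.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]

def dispatch(chain, results):
    """Evaluate chain, a list of (flag, module), against results, a dict
    mapping module name to True (authenticated) or False. Modules absent
    from results are treated as failing, which is what pam_deny always does.
    Returns the chain's overall outcome."""
    err = None  # first required/binding failure seen, if any
    for flag, module in chain:
        ok = results.get(module, False)
        if ok:
            # sufficient/binding success ends the chain, unless a
            # required-type module already failed earlier in it
            if flag in ("sufficient", "binding") and err is None:
                return SUCCESS
            continue
        if flag == "requisite":
            return DENIED  # fail the chain immediately
        if flag in ("required", "binding") and err is None:
            err = DENIED   # record the failure, keep running the chain
        # a failing sufficient or optional module is simply ignored
    # Assumed OpenPAM behaviour: no required-type failure means success,
    # even if every sufficient module failed. That is the hole Frank hit.
    return err if err is not None else SUCCESS

def frank_case():
    """pam_ldap as the only line, marked sufficient, and it fails."""
    return dispatch([("sufficient", "/usr/local/lib/pam_ldap.so")], {})

def frank_case_with_deny():
    """Same line, followed by the README's recommended required pam_deny."""
    return dispatch([("sufficient", "/usr/local/lib/pam_ldap.so"),
                     ("required", "pam_deny.so")], {})

def binding_case(ldap_ok, unix_ok):
    """binding: success short-circuits like sufficient, failure counts
    like required, so a later sufficient success cannot rescue the chain."""
    return dispatch([("binding", "pam_ldap.so"), ("sufficient", "pam_unix.so")],
                    {"pam_ldap.so": ldap_ok, "pam_unix.so": unix_ok})
```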