From owner-freebsd-current@FreeBSD.ORG Thu May 22 15:48:52 2003
Date: Thu, 22 May 2003 15:48:50 -0700
From: Gordon Tetlow
To: Dag-Erling Smorgrav
cc: freebsd-current@freebsd.org
cc: Frank Bonnet
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
Message-ID: <20030522224850.GK87863@roark.gnf.org>
References: <20030522184631.A23366@bart.esiee.fr>
User-Agent: Mutt/1.4i

On Fri, May 23, 2003 at 12:26:20AM +0200, Dag-Erling Smorgrav wrote:
> Frank Bonnet writes:
> > if in any file of the pam.d directory I replace
> > the original line :
> >
> > auth required pam_unix.so no_warn try_first_pass nullok
> >
> > by the following
> >
> > auth sufficient /usr/local/lib/pam_ldap.so
> >
> > for example in the /etc/pam.d/su file I can perform the "su -"
> > command WITHOUT TYPING ANY PASSWORD from a normal user login.
>
> If pam_ldap is the last line, it should be "required", not
> "sufficient"; alternatively it should be followed by pam_deny. This
> is (imperfectly) documented in /etc/pam.d/README:
>
> Note that having a "sufficient" module as the last entry for a
> particular service and module type may result in surprising behaviour.
> To get the intended semantics, add a "required" entry listing the
> pam_deny module at the end of the chain.

Do you think it might be a good idea to turn all the pam configuration
files to list actual providers at sufficient followed by a pam_deny:

auth sufficient pam_krb5.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so
auth required pam_deny.so

This makes it very explicit as to what's going on and makes it so the
last entry isn't different merely because it's last.

> Solaris introduced the "binding" flag to try to alleviate this
> problem. OpenPAM supports "binding", but does not document it
> anywhere.

I'm unfamiliar with this option. What's it do?

-gordon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+zVPSRu2t9DV9ZfsRAiEXAJ9G4Lw/N22XAK4sATBt0fXOy+8NTwCeKu6X
8zqWrdT+ox/tzegEZg//Pjs=
=O0KT
-----END PGP SIGNATURE-----
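Added example, not part of this thread and not OpenPAM code: a small Python model of the PAM control-flag semantics the thread is arguing about, plus a pam.d audit helper that flags the trailing-"sufficient" shape Frank's su file ended up with. The three sample stacks are constructed from the lines quoted above (Frank's original pam_unix line, his pam_ldap replacement, and Gordon's proposed chain). The semantics modelled are the documented ones for required/requisite/sufficient/optional, with "optional" simplified to never affecting the verdict; when a chain ends without any module producing a verdict, the model returns "undefined" instead of guessing what a particular PAM implementation does, since that is exactly the "surprising behaviour" the README warns about and that the thread reports let su through. Module outcomes are supplied by the caller, so no real PAM library is involved.

```python
# Simulator of PAM control-flag semantics plus a pam.d audit check.
# Added example; not code from the thread or from OpenPAM. Module results
# are injected by the caller (constructed), so this runs without PAM.
from dataclasses import dataclass
from typing import Dict, List, Tuple

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"   # module return classes


@dataclass(frozen=True)
class Entry:
    mtype: str               # auth, account, session or password
    control: str             # required, requisite, sufficient or optional
    module: str              # module name or path, e.g. pam_unix.so
    args: Tuple[str, ...]    # module arguments such as try_first_pass


def parse_pamd(text: str) -> List[Entry]:
    """Parse pam.d-style lines: '<type> <control> <module> [args...]'."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return entries


def evaluate(chain: List[Entry], outcomes: Dict[str, str], mtype: str = "auth") -> str:
    """Walk the chain for one module type. `outcomes` maps module -> SUCCESS,
    FAIL or IGNORE; a module not listed is treated as failing (wrong password).
    Returns 'allow', 'deny' or 'undefined' (no module produced a verdict)."""
    required_failed = False
    required_passed = False
    for e in chain:
        if e.mtype != mtype:
            continue
        # pam_deny always fails, by definition; everything else is injected.
        result = FAIL if e.module == "pam_deny.so" else outcomes.get(e.module, FAIL)
        if e.control == "requisite":
            if result == FAIL:
                return "deny"                    # requisite failure stops the chain
            if result == SUCCESS:
                required_passed = True
        elif e.control == "required":
            if result == FAIL:
                required_failed = True           # remembered, but the chain continues
            elif result == SUCCESS:
                required_passed = True
        elif e.control == "sufficient":
            if result == SUCCESS and not required_failed:
                return "allow"                   # short-circuit success
            # a failing or ignored sufficient module simply falls through
        elif e.control == "optional":
            pass                                 # simplification: never decides
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    if required_failed:
        return "deny"
    if required_passed:
        return "allow"
    return "undefined"   # nothing decided: the trailing-"sufficient" trap


def trailing_sufficient(chain: List[Entry]) -> List[str]:
    """Audit check: module types whose last entry is 'sufficient', i.e. the
    shape /etc/pam.d/README says to close with 'required pam_deny.so'."""
    last: Dict[str, Entry] = {}
    for e in chain:
        last[e.mtype] = e
    return sorted(t for t, e in last.items() if e.control == "sufficient")


# Constructed sample stacks, taken from the lines quoted in the thread.
ORIGINAL_SU = "auth required pam_unix.so no_warn try_first_pass nullok\n"
BROKEN_SU = "auth sufficient /usr/local/lib/pam_ldap.so\n"
PROPOSED = """\
auth sufficient pam_krb5.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so
auth required   pam_deny.so
"""

ALL_FAIL: Dict[str, str] = {}   # every module fails (wrong password everywhere)

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_SU), ("broken", BROKEN_SU), ("proposed", PROPOSED)):
        chain = parse_pamd(text)
        print(f"{name:9s} all-fail -> {evaluate(chain, ALL_FAIL):9s} "
              f"trailing sufficient: {trailing_sufficient(chain)}")
```

Run as a script, the broken su stack comes back "undefined" with every module failing, while both the original pam_unix line and Gordon's proposed chain come back "deny"; the proposed chain still returns "allow" as soon as any one of the sufficient providers succeeds, because the short-circuit fires before pam_deny is reached. The audit helper can be pointed at real pam.d files by feeding their contents to parse_pamd.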