> I'm not very clear what you mean by "accept connection from a user
> > with uid&gid = 0". You'd have to do something on purpose
> to lock root (uid=0) out of the system.

Let me explain more!

On my systems, all root accounts are local (as the default installation of every distribution does; the information is stored in /etc/passwd, /etc/shadow and /etc/group). For my company I set up an LDAP directory to have centralized administration of the accounts. I'm able to connect on every workstation with any unprivileged user, and the home folder, default shell, groups and any extended user properties are read without any problem.

Now the next step is to have a centralized root account. I created it in the directory, like a standard user but with the special uid & gid attributes set to 0. And as I wrote before on this list, I am unable to connect with this user to any Fedora station while the PAM config is not changed (see my previous post).

The purpose of this mail is to discuss the potential security weakness of this setup, especially the modification of PAM, and what the effect of such a modification can be. Maybe this is not the right ML to post to, and if you think so, I'll search elsewhere for my answer :-D

> I'll try to share my limited understanding of PAM.
> "auth" merely establishes the user identity -is he who he claims to be?

OK with that.

> The line
> "auth requisite pam_succeed_if.so uid >= 500 quiet"
> is not to permit login, but rather to establish a user's
> identity; to be precise, a user whose id is not that of a
> system account.

And if it fails, as the PAM manual says (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html), the status is set to failed if any other module failed, or control is returned to the application...

> based on the line
> "auth required pam_deny.so"
> The users whose IDs are listed in this block can be denied
> access (pam_deny.so) if their identity is not properly confirmed.

OK, so based on the previous item and the PAM manual :) If pam_succeed_if fails because my user uses a uid < 500, then the pam_deny module will issue a failure and block the auth phase.

> Later, these lines
> "account sufficient pam_succeed_if.so uid < 500 quiet
> account required pam_permit.so"
> translate into "are you root or a system account? no
> problem! go right ahead!"; otherwise, some checks will run to
> further qualify the incoming user.

You are a system account (uid lower than 500), then the account is permitted to log in. But what is the purpose of "account required pam_permit.so"? It always permits login, no?

Thanks for your time! :)

--
Guillaume

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
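The questions in this thread (why a directory-only uid 0 account is stopped at the auth phase, and what "account required pam_permit.so" is for) come down to how Linux-PAM walks a stack under the control flags requisite, required and sufficient. The following simulation is an added example, not part of the mailing-list thread and not Linux-PAM's own code. The pam_succeed_if, pam_deny and pam_permit lines are the ones quoted in the mail; the pam_unix and pam_ldap lines, the module behaviours and the three sample accounts are assumptions modelled on a typical LDAP-enabled Fedora system-auth of that era.

```python
# Added example (not from the mailing-list thread): a small simulation of how
# Linux-PAM walks a module stack, using the lines quoted in the mail plus two
# assumed lines (pam_unix and pam_ldap) that a typical LDAP-enabled Fedora
# system-auth contains. Module behaviours are deliberately simplified.
from dataclasses import dataclass

SUCCESS, FAIL = "success", "fail"


@dataclass
class User:
    name: str
    uid: int
    local_password: bool  # usable entry in /etc/shadow
    ldap_password: bool   # userPassword attribute in the directory


def pam_unix(user, args):
    return SUCCESS if user.local_password else FAIL


def pam_ldap(user, args):
    return SUCCESS if user.ldap_password else FAIL


def pam_deny(user, args):
    return FAIL


def pam_permit(user, args):
    return SUCCESS


def pam_succeed_if(user, args):
    """Evaluate a single 'field op value' condition such as 'uid >= 500'."""
    field, op, value = args.split()[:3]
    lhs, rhs = getattr(user, field), int(value)
    tests = {">=": lhs >= rhs, ">": lhs > rhs, "<=": lhs <= rhs,
             "<": lhs < rhs, "=": lhs == rhs, "!=": lhs != rhs}
    return SUCCESS if tests[op] else FAIL


MODULES = {"pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap, "pam_deny.so": pam_deny,
           "pam_permit.so": pam_permit, "pam_succeed_if.so": pam_succeed_if}


def run_stack(stack, user):
    """Walk a list of (control, module, args) lines the way Linux-PAM does.

    requisite : failure ends the stack immediately with failure
    required  : failure is remembered, the remaining lines still run
    sufficient: success ends the stack with success unless a required
                line already failed; failure is simply ignored
    If no required/requisite line succeeded, the stack fails (Linux-PAM
    starts from a failing status and only an explicit success changes it).
    Returns (result, trace); the trace lists which modules actually ran.
    """
    trace, required_failed, explicit_success = [], False, False
    for control, module, args in stack:
        r = MODULES[module](user, args)
        trace.append(f"{control} {module} {args}".rstrip() + f" -> {r}")
        if control == "requisite" and r == FAIL:
            return FAIL, trace
        if control in ("required", "requisite"):
            if r == FAIL:
                required_failed = True
            else:
                explicit_success = True
        elif control == "sufficient" and r == SUCCESS and not required_failed:
            return SUCCESS, trace
    return (SUCCESS if explicit_success and not required_failed else FAIL), trace


# auth stack: pam_succeed_if and pam_deny are quoted in the mail; pam_unix and
# pam_ldap are assumed from a typical authconfig-generated layout.
AUTH = [("sufficient", "pam_unix.so", "nullok try_first_pass"),
        ("requisite", "pam_succeed_if.so", "uid >= 500 quiet"),
        ("sufficient", "pam_ldap.so", "use_first_pass"),
        ("required", "pam_deny.so", "")]

# account stack exactly as quoted, and the same stack without pam_permit.
ACCOUNT = [("sufficient", "pam_succeed_if.so", "uid < 500 quiet"),
           ("required", "pam_permit.so", "")]
ACCOUNT_NO_PERMIT = ACCOUNT[:1]

# Constructed sample accounts.
LOCAL_ROOT = User("root", 0, local_password=True, ldap_password=False)
LDAP_ROOT = User("root", 0, local_password=False, ldap_password=True)  # centralized root
LDAP_USER = User("guillaume", 1000, local_password=False, ldap_password=True)


def login(user, account_stack=ACCOUNT):
    """Run auth then account, as a login application would; return (outcome, trace)."""
    auth, auth_trace = run_stack(AUTH, user)
    if auth == FAIL:
        return FAIL, auth_trace
    acct, acct_trace = run_stack(account_stack, user)
    return acct, auth_trace + acct_trace


if __name__ == "__main__":
    for who, stack in ((LOCAL_ROOT, ACCOUNT), (LDAP_ROOT, ACCOUNT),
                       (LDAP_USER, ACCOUNT), (LDAP_USER, ACCOUNT_NO_PERMIT)):
        outcome, trace = login(who, stack)
        print(f"{who.name} (uid {who.uid}): {outcome}")
        for line in trace:
            print("   ", line)
```

Running it shows the three behaviours discussed in the thread. Local root is accepted by the sufficient pam_unix line before the uid check is ever reached. The directory-only root has no local password, so pam_unix fails (ignored), the requisite "uid >= 500" line fails, and the stack ends there: pam_ldap is never consulted, which is exactly why the centralized root cannot log in without editing the PAM config. The uid guard is what keeps accounts below 500 bound to the local files; relaxing it means anyone who can write a uid 0 entry into the directory obtains root on every workstation, which is the weakness the mail asks about. For the account phase, "pam_permit.so" is the explicit success for ordinary users: a failing sufficient line is only ignored, and a stack that ends without any explicit success resolves to failure, as the ACCOUNT_NO_PERMIT run demonstrates.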