On Wednesday 12 October 2005 07:02pm, Bernardo Innocenti wrote:
> Tomas Mraz wrote:
[SNIP]
> >> Also, you can login as root with root's password from ldap
> >> even though there's a valid root entry in /etc/passwd.
> >
> > That's expected as both pam_ldap and pam_unix are sufficient entries.
> > If you want to prevent that you can insert pam_succeed_if
>
> Sorry, I don't quite understand how to set it up to reject uid == 0
> just for pam_ldap and not for pam_unix.

The correct solution is simply this: DO NOT add root (uid == 0) authentication credentials in your central authentication stores. If you already have root credentials in there, GET THEM OUT OF THERE. root should only be able to authenticate locally on every single box. The security danger of not following this policy can be quite high.

That said, it still might not be a bad idea to implement the extra config line that Tomas Mraz suggested earlier, as an extra protection measure. The disadvantage of adding it is that you will have to do so on all systems you want to have connected to your central authentication store (LDAP, Kerberos, whatever). Perhaps it should be added to the default PAM configuration for FC5. I would vote for that.

> I also don't understand what the "uid < 100" condition inserted
> by system-config-auth is for.

There are only two kinds of accounts as far as the kernel is concerned: root and everyone else. We humans think of it in terms of three kinds of accounts: "root" (superuser), "system" (not-superuser and no human being associated, typically 0 < system account uid < 100) and "regular-user" (human being). Typically, one should not be able to login to "system" accounts. Occasionally, it is necessary to run a bunch of shell commands/scripts as a system account (installing some DB engines comes to mind), in which case root can "su - system-account" to do so. SELinux also helps with this "issue".
[SNIP]
> > This is a problem as the passphrases for ssh keys can be different from
> > the user's system password. So the pam_ssh is definitely not a
> > replacement for ssh-agent.
>
> Yes, we would need half of what pam_ssh does: instead of authenticating
> the user against his ssh key, it should just load the key iff the
> passphrase happens to match the account password.
>
> Maybe this other project would be more appropriate:
>
> http://sourceforge.net/projects/pam-ssh-agent/
>
> PAM module that spawns a ssh-agent and adds identities using the
> password supplied at login.

I like this. It would be nice if FC5 would ship pam-ssh-agent. I'll vote for it :).

-- 
Lamont R. Peterson <lamont@xxxxxxxxxxxx>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
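The two points made in the first half of the message, as an added example that is not part of this thread and is not what Fedora's system-config-auth writes: a system-auth stack carrying the pam_succeed_if guard Tomas Mraz suggested, plus two small audit functions, one that confirms the guard sits ahead of pam_ldap, one that lists uid < 100 accounts (root above all) that arrive from the central store rather than from /etc/passwd. The stack layout, the `uid >= 100` threshold, the account names and the passwd lines are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora's system-config-auth.
# Two audit checks for the points made in the message above:
#   1. the auth stack refuses uid < 100 before pam_ldap is consulted
#      (the pam_succeed_if guard Tomas Mraz suggested), and
#   2. no uid < 100 account comes from the central store.
# Assumptions: the guard is written as
#   auth  requisite  pam_succeed_if.so uid >= 100 quiet
# between pam_unix and pam_ldap, and 100 is the system/regular boundary.

# Constructed sample: stack with the guard. Local root still authenticates
# through pam_unix (sufficient); if that fails, the requisite pam_succeed_if
# ends the stack for uid < 100, so pam_ldap never sees a password for root.
GUARDED='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 100 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so'

# Constructed sample: the same stack without the guard (the situation in the
# thread, where root logs in with either the local or the LDAP password).
UNGUARDED='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so'

# check_auth_stack FILE
#   exit 0 when every pam_ldap line of the auth stack is preceded by a
#   pam_succeed_if uid guard, 1 otherwise. Comments and other stacks are ignored.
check_auth_stack() {
    awk '
        /^[ \t]*#/ || $1 != "auth"                         { next }
        /pam_succeed_if\.so/ && /uid[ \t]*>=?[ \t]*[0-9]+/ { guard = 1 }
        /pam_ldap\.so/ && !guard                           { bad = 1 }
        END { if (bad) exit 1 }
    ' "$1"
}

# find_foreign_low_uids NSS_PASSWD LOCAL_PASSWD
#   NSS_PASSWD is a dump of the merged view (what `getent passwd` prints),
#   LOCAL_PASSWD is /etc/passwd. Prints name:uid for every uid < 100 account
#   that the central store supplies and the local file does not; those are
#   the entries the message says to get out of there.
find_foreign_low_uids() {
    awk -F: -v min=100 '
        NR == FNR                        { local[$1]; next }   # local names first
        ($3 + 0 < min) && !($1 in local) { print $1 ":" $3 }
    ' "$2" "$1"
}

# Constructed sample of `getent passwd` on a box whose LDAP holds a uid 0
# entry ("ldaproot") and a system account ("backup"), and of its /etc/passwd.
NSS_VIEW='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
ldaproot:x:0:0:root from LDAP:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/sbin/nologin'
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin'

# Stand-alone demo: write the samples to temporary files and run both checks.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$GUARDED"      > "$d/guarded"
    printf '%s\n' "$UNGUARDED"    > "$d/unguarded"
    printf '%s\n' "$NSS_VIEW"     > "$d/nss"
    printf '%s\n' "$LOCAL_PASSWD" > "$d/local"
    for f in guarded unguarded; do
        if check_auth_stack "$d/$f"; then echo "$f: pam_ldap guarded"
        else echo "$f: pam_ldap reachable for uid < 100"; fi
    done
    echo "low-uid accounts supplied by the central store:"
    find_foreign_low_uids "$d/nss" "$d/local"
    rm -rf "$d"
}
demo
```

The guard is `requisite`, not `sufficient`: a sufficient pam_unix line before it still lets local root in with the local password, and only when that fails does pam_succeed_if run, at which point a uid below the threshold fails the whole stack instead of falling through to pam_ldap. Since the message notes the line has to be present on every host joined to the store, `check_auth_stack /etc/pam.d/system-auth` is the kind of thing to run from whatever pushes configuration to those hosts, and `find_foreign_low_uids <(getent passwd) /etc/passwd` (or a saved `getent passwd` dump) shows whether the store still carries accounts it should not.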
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list