On Mon, May 13, 2002 at 09:39:43AM +1000, Martin Schwenke wrote:

> Martin> The reason I want to do this is that I don't want pam_ldap
> Martin> to be used at all when my locally defined users are
> Martin> logging in. I see this as a sensible policy that promotes
> Martin> reliability. For example, I will always be able to login as
> Martin> root, without delay, even if my network is down, pam_ldap
> Martin> is broken or, worse still, if there's a bug in libldap*
> Martin> that causes a SIGSEGV. I don't want to run code that is
> Martin> irrelevant to my locally defined users, particularly root.
>
> I suspect that no matter what the timeouts are set to, a serious bug
> in libldap* will mean that they won't be honoured at all... :-(
>
> Hmmm, I suppose login probably crashes very quickly... :-)
>
> In a previous reply to Sam I commented that we're getting close to a
> solution. Given pam_unix's reliance on NSS (and therefore, in my
> case, on LDAP) for (building the group list for) locally defined
> users, I no longer think this is true. pam_unix is too general to be
> useful for being able to reliably login as my locally defined users,
> particularly root.
>
> If I implement a local_only option on pam_unix might it be accepted
> into pam_unix? Please? Andrew?

If an NSS module your system depends on is so badly messed up that you
can't reliably call getpwnam() and getgroups() for a local account, you
will have significant difficulties logging in *regardless* of what PAM
module you're using: a local_only option for pam_unix would only add
unnecessary complexity to the module.

FWIW, I've never had trouble logging in as root on LDAP-aware systems
when the network (or LDAP server) is down. This is using
'passwd: files ldap' in nsswitch.conf.

It may be that this would not work very well if there were a
segfault-inducing bug in a library that nss_ldap depends on, but bugs
in any code loaded by libc are /always/ serious problems. Adding
options to PAM modules won't change that.

If what you're really after is making sure pam_unix is not used for
authenticating LDAP-based accounts when the server /is/ available,
then between nss_ldap and the LDAP server you already have all the
access controls you need to make sure password hashes are never sent
in the clear across the network.

Steve Langasek
postmodern programmer
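The disagreement above turns on which NSS sources actually get called for a local account: a 'passwd: files ldap' lookup of root stops at files, but the supplementary-group list that pam_unix needs is built from the 'group:' line, and glibc walks every source on that line and merges the results, so nss_ldap is still entered. The following script is an added illustration written for this page, not code from the thread or from pam_unix or glibc. It parses a constructed nsswitch.conf fragment (including '[STATUS=action]' specifiers) and models the two glibc walk rules it relies on: the documented default of SUCCESS=return, NOTFOUND/UNAVAIL/TRYAGAIN=continue for single-entry lookups such as getpwnam(), and the group-list build continuing past a successful source when only a 'group:' line is configured. The per-source outcome dictionaries are assumptions standing in for what a real module would return.

```python
"""Model which nsswitch.conf sources a lookup touches (illustrative, not glibc)."""
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")

# glibc's documented default action table: stop on the first hit, otherwise
# move on to the next source.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# A token is either a bracketed action specifier (may contain spaces) or a word.
_TOKEN = re.compile(r"\[[^\]]*\]|\S+")


def _parse_action_spec(spec, actions):
    """Apply one '[STATUS=action ...]' bracket to the preceding source's table.

    '!STATUS=action' sets the action for every status except STATUS.
    Only return/continue are modelled; glibc's 'merge' is not.
    """
    for item in spec.strip("[]").split():
        status, _, action = item.partition("=")
        status, action = status.lower(), action.lower()
        negate = status.startswith("!")
        status = status.lstrip("!")
        if status not in STATUSES or action not in ("return", "continue"):
            raise ValueError(f"bad action specifier: {item}")
        targets = [s for s in STATUSES if s != status] if negate else [status]
        for s in targets:
            actions[s] = action


def parse_nsswitch(text):
    """Return {database: [(source, action_table), ...]} in configured order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        database, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        entries = []
        for tok in _TOKEN.findall(rest):
            if tok.startswith("["):
                if not entries:
                    raise ValueError(f"action specifier before any source: {raw!r}")
                _parse_action_spec(tok, entries[-1][1])
            else:
                entries.append((tok.lower(), dict(DEFAULT_ACTIONS)))
        conf[database.strip().lower()] = entries
    return conf


def lookup_path(conf, database, outcomes):
    """Sources consulted by a single-entry lookup (getpwnam-style).

    outcomes maps source -> status it would report; an unlisted source is
    treated as unavailable (e.g. nss_ldap with the network down).
    """
    consulted = []
    for source, actions in conf[database]:
        consulted.append(source)
        status = outcomes.get(source, "unavail")
        if actions[status] == "return":
            break
    return consulted


def grouplist_path(conf, outcomes):
    """Sources consulted while building a user's group list from the 'group:' line.

    With no separate 'initgroups:' line, glibc keeps calling the next source
    even after a success so that group memberships from all sources are merged;
    only a non-success status is subject to the action table.
    """
    consulted = []
    for source, actions in conf["group"]:
        consulted.append(source)
        status = outcomes.get(source, "unavail")
        if status != "success" and actions[status] == "return":
            break
    return consulted


# Constructed sample mirroring the 'files ldap' ordering discussed in the thread.
SAMPLE_NSSWITCH = """\
# constructed nsswitch.conf fragment
passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files [NOTFOUND=return] dns
"""

if __name__ == "__main__":
    conf = parse_nsswitch(SAMPLE_NSSWITCH)
    # root is in /etc/passwd; the LDAP server is unreachable.
    network_down = {"files": "success", "ldap": "unavail"}
    print("getpwnam(root):   ", lookup_path(conf, "passwd", network_down))
    print("group list (root):", grouplist_path(conf, network_down))
```

Run stand-alone it reports that the passwd lookup for root consults only files, while the group-list build consults files and then ldap, which is the code path Martin is worried about and the reason a PAM-side option cannot avoid it.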