pam-krb5.so


pam-krb5.so

Tom Parker-10
Good Morning

I am wondering if the account

     account  required  pam_krb5.so minimum_uid=1000

line is required at all in common-account if I am using LDAP for access
control.  It seems to be doing nothing on my systems and my login
behaviour does not change if this line is commented out.

What checks are being performed here that are needed?

     auth  sufficient   pam_krb5.so minimum_uid=1000

Thanks!

Tom
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: pam-krb5.so

Russ Allbery
Tom Parker <[hidden email]> writes:

> I am wondering if the account

>      account  required  pam_krb5.so minimum_uid=1000

> line is required at all in common-account if I am using LDAP for access
> control.  It seems to be doing nothing on my systems and my login
> behaviour does not change if this line is commented out.

All the checks that the pam_krb5 module does during the account group it
also does during the auth group, so indeed this check doesn't really do
much exciting for you (although it also doesn't hurt).  Note: this
statement only applies when using the default options.  If you set
defer_pwchange, you have to have an account group configured or you'll
have some security holes.

> What checks are being performed here that are needed?

>      auth  sufficient   pam_krb5.so minimum_uid=1000

This is what's authenticating your users, assuming you're using Kerberos
passwords.

--
Russ Allbery ([hidden email])             <http://www.eyrie.org/~eagle/>
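One way to turn the caveat above into a check you can run over your own stack: parse the pam.d lines and flag a pam_krb5 auth rule carrying defer_pwchange that has no matching pam_krb5 account rule. This is an added example, not code from the thread or from pam_krb5 itself; the two sample stacks are constructed for illustration, the parser follows the standard `type control module [args]` line format (including bracketed controls and Debian's `@include`), and the finding texts are my own.

```python
"""Lint a PAM stack for the pam_krb5 defer_pwchange / account-group rule.

Added example (not from the thread): parses pam.d-style lines and reports
whether the account group is needed under the configured pam_krb5 options.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class PamRule:
    mtype: str                 # auth, account, password, session
    control: str               # required, sufficient, [success=1 default=ignore], ...
    module: str                # module filename or path, e.g. pam_krb5.so
    args: List[str] = field(default_factory=list)
    optional: bool = False     # a leading '-' tells PAM to skip a missing module silently

# type, control (single token or bracketed expression), module, remaining args
_RULE_RE = re.compile(r'^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')

def parse_pam_stack(text: str) -> List[PamRule]:
    """Parse pam.d lines; comments, blank lines and @include directives are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('@include'):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        dash, mtype, control, module, argstr = m.groups()
        rules.append(PamRule(mtype, control, module, argstr.split(), dash == '-'))
    return rules

def _min_uid(rule: PamRule) -> Optional[str]:
    for arg in rule.args:
        if arg.startswith('minimum_uid='):
            return arg.split('=', 1)[1]
    return None

def krb5_stack_findings(rules: List[PamRule]) -> List[str]:
    """Return findings about how pam_krb5 is placed in the auth and account groups."""
    def krb5(mtype: str) -> List[PamRule]:
        return [r for r in rules
                if r.mtype == mtype and r.module.rsplit('/', 1)[-1] == 'pam_krb5.so']
    auth_rules, account_rules = krb5('auth'), krb5('account')
    findings: List[str] = []
    if not auth_rules:
        return findings
    deferring = [r for r in auth_rules if 'defer_pwchange' in r.args]
    if deferring and not account_rules:
        findings.append(
            "ERROR: defer_pwchange is set on pam_krb5 in the auth group but there is "
            "no pam_krb5 account rule; the deferred expired-password check never runs")
    elif not deferring and account_rules:
        findings.append(
            "INFO: pam_krb5 account rule present without defer_pwchange; it repeats "
            "checks already made in the auth group (harmless)")
    # minimum_uid should agree across groups so both apply to the same users
    uids = {_min_uid(r) for r in auth_rules + account_rules}
    if len(uids) > 1:
        findings.append(f"WARN: minimum_uid differs between pam_krb5 rules: {sorted(map(str, uids))}")
    return findings

# Constructed sample stacks (not copied from any real host).
DEFAULT_STACK = """\
# common-auth
auth    sufficient   pam_krb5.so minimum_uid=1000
auth    required     pam_unix.so nullok_secure try_first_pass
# common-account
account required     pam_krb5.so minimum_uid=1000
account required     pam_unix.so
"""

DEFERRED_NO_ACCOUNT = """\
auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000 defer_pwchange
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite    pam_deny.so
auth    required     pam_permit.so
@include common-account
account required     pam_unix.so
"""

if __name__ == '__main__':
    for name, stack in (('default options', DEFAULT_STACK), ('defer_pwchange', DEFERRED_NO_ACCOUNT)):
        print(name)
        for finding in krb5_stack_findings(parse_pam_stack(stack)):
            print('  ', finding)
```

Run it against the concatenated contents of common-auth and common-account (the `@include` is skipped, so feed the included files' lines directly); the first sample reproduces Tom's situation, the second the one Russ warns about.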
Re: pam-krb5.so

Brian Candler
In reply to this post by Tom Parker-10
On Thu, Jan 27, 2011 at 01:43:55AM -0500, Tom Parker wrote:
> I am wondering if the account
>
>     account  required  pam_krb5.so minimum_uid=1000
>
> line is required at all in common-account if I am using LDAP for
> access control.  It seems to be doing nothing on my systems and my
> login behaviour does not change if this line is commented out.

What do you mean by "LDAP for access control" - are you validating passwords
using an LDAP bind (pam_ldap)?  Or are you using LDAP for authorization
(nss_ldap)?  Or both?

As I understand it, pam_krb5 is basically a password checker; it uses the
password you supply to acquire a Kerberos ticket, and as a side-effect lets
you log in if it was able to acquire one.  That's the "auth" functionality
anyway.  The "account" functionality is a bit more subtle.  According to the
manpage: http://linux.die.net/man/8/pam_krb5

"If the module did participate in authenticating the user, it will check for
an expired user password and verify the user's authorization using the
.k5login file of the user being authenticated, which is expected to be
accessible to the module."

That's something you're unlikely to use often, since in a regular login the
authentication identity and authorization identity are the same.

Regards,

Brian.
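The authorization step the quoted manpage describes is the point where the authentication identity (the Kerberos principal) and the authorization identity (the local account) can differ. The following is an added example, not code from the thread or from pam_krb5: a simplified model of the .k5login decision, after the krb5_kuserok semantics, with constructed principals and file contents. It deliberately leaves out the ownership and permission checks the real library applies to the file.

```python
"""Model of .k5login authorization (added example, not pam_krb5's code).

Semantics modelled: without a .k5login, only local_user@default_realm may
log in as local_user; with one, only the principals listed in it may, one
per line, and an entry without a realm takes the default realm.
"""
from typing import Optional

def k5login_authorized(principal: str, local_user: str, default_realm: str,
                       k5login: Optional[str]) -> bool:
    """Return True if `principal` (authn identity) may log in as `local_user`
    (authz identity). `k5login` is the file content, or None if it does not exist."""
    if k5login is None:
        # No file: the implicit rule is "same name, default realm".
        return principal == f"{local_user}@{default_realm}"
    allowed = set()
    for line in k5login.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if '@' not in entry:
            entry = f"{entry}@{default_realm}"
        allowed.add(entry)
    # A file that exists replaces the implicit rule entirely: the user must
    # list their own principal if they still want to log in as themselves.
    return principal in allowed

# Constructed sample: alice's .k5login lets bob and an admin instance in.
ALICE_K5LOGIN = "bob@EXAMPLE.COM\nalice/admin@EXAMPLE.COM\n"

if __name__ == '__main__':
    for who, k5 in (("alice@EXAMPLE.COM", None), ("alice@EXAMPLE.COM", ALICE_K5LOGIN),
                    ("bob@EXAMPLE.COM", ALICE_K5LOGIN), ("alice/admin", ALICE_K5LOGIN)):
        print(who, "->", k5login_authorized(who, "alice", "EXAMPLE.COM", k5))
```

The second and third cases show why Brian says the file is rarely needed and why it matters when it is present: once alice has a .k5login, her own principal is no longer implicitly authorized unless listed.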
Re: pam-krb5.so

Russ Allbery
Brian Candler <[hidden email]> writes:

> As I understand it, pam_krb5 is basically a password checker; it uses
> the password you supply to acquire a Kerberos ticket, and as a
> side-effect lets you log in if it was able to acquire one.  That's the
> "auth" functionality anyway.  The "account" functionality is a bit more
> subtle.  According to the manpage: http://linux.die.net/man/8/pam_krb5

> "If the module did participate in authenticating the user, it will check
> for an expired user password and verify the user's authorization using
> the .k5login file of the user being authenticated, which is expected to
> be accessible to the module."

It had better be doing this in the auth action as well, since otherwise
there are going to be vulnerabilities in practice.  The account group
isn't as consistently and properly used as it should be.

--
Russ Allbery ([hidden email])             <http://www.eyrie.org/~eagle/>