[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Russ Allbery rra at debian.org
Wed Apr 27 02:01:22 UTC 2016


In order to take the path of moving this setting to a krb5.conf snippet
that's included by the default krb5.conf, at the very least it needs to
work with both Heimdal and MIT.  I don't think Heimdal supports
including krb5.conf snippets, which means we can't use the include
functionality in kerberos-configs.

The upgrade path for this is going to be awful no matter what.  :(

I don't think it's acceptable from a security standpoint for minimum_uid
to be turned off by an upgrade without an affirmative response from the
user (not any sort of default), and we can't use any sort of krb5-config
dependency to ensure that a Kerberos configuration fragment is available
(even if Heimdal supports it) because krb5-config intentionally doesn't
mess with a user-supplied krb5.conf file.  So we'd have to do something
really fancy here that preserves the minimum_uid setting for all old
installations unless the admin intentionally removes it, and I'm not
entirely sure how to do that.  All the approaches I can think of have
obvious ways in which the setting is lost.

Some sort of user override on the default pam-auth-update configuration
would be ideal, but I can understand that not being a priority.

I would love to find a way to fix this, but we really *cannot* have an
upgrade turn off minimum_uid without user intervention.  I think a
package that would do that would deserve a CVE due to the security
vulnerabilities that can introduce, since the local admin may be relying
on that setting for local security.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libpam-krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/369575

Title:
  Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Status in kerberos-configs package in Ubuntu:
  Triaged
Status in libpam-krb5 package in Ubuntu:
  Invalid

Bug description:
  Binary package hint: libpam-krb5

  I'm looking at libpam-krb5 version 3.13-2ubuntu1, in Jaunty.

  The pam-auth-update profile file /usr/share/pam-configs/krb5 has
  invocations of pam_krb5.so with the hardcoded option minimum_uid=1000.
  Presumably, this is to exclude system users (uid < 1000) from Kerberos
  authentication.

  The problem is that some installations may have the convention of a
  higher minimum UID for Kerberos users, and their options are limited
  to either modifying the number in the profile file (a no-no given that
  the file lives in /usr and not /etc), or bypassing the krb5 profile
  altogether (either with a custom profile, or direct edits to
  /etc/pam.d/*).

  To make all this concrete: I have a setup where Kerberos users have
  UIDs >= 20000. I specify this right in /etc/krb5.conf, under the
  [appdefaults] section (see the pam_krb5 man page for details on how to
  do this). Users with 1000 >= UID > 20000 are assumed to be local [but
  otherwise normal] users, existing only on the local system. The
  problem is that (1) my minimum_uid option in krb5.conf is being
  overridden by the hardcoded options in .../pam-configs/krb5, and (2)
  when I create a local user with adduser(8), and try to set/change its
  password, I get prompted for "Current Kerberos password:" even though
  no such entity exists in my Kerberos database!

  (FYI: In Intrepid, I was using a custom pam-auth-update profile
  similar to the new krb5 one, but without the minimum_uid= options. I
  had considered it preferable to specify this once in krb5.conf than
  multiple times in this file.)

  I think that the minimum_uid= options should be removed from the krb5
  profile, and the equivalent option added to krb5.conf, where the
  specific UID number can be modified administratively. The current
  approach is not flexible for installations making broad use of
  Kerberos.
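
As an added illustration that is not part of the bug thread or of libpam-krb5's own code, the check below reads minimum_uid from a constructed pam-auth-update output and from a constructed krb5.conf [appdefaults] fragment and reports which value is actually in effect, using the precedence the reporter describes (options on the PAM line override krb5.conf). The sample file contents are assumptions; it also shows what happens when the PAM-line option is gone and nothing in krb5.conf backs it up, the upgrade failure mode Russ is worried about.

```python
import re
# Constructed sample of what pam-auth-update writes from the krb5 profile
# (e.g. into /etc/pam.d/common-auth); not copied from a real system.
SAMPLE_PAM_AUTH = """\
auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
"""
# Constructed krb5.conf fragment carrying the site-wide floor from the report.
SAMPLE_KRB5_CONF = """\
[appdefaults]
    pam = {
        minimum_uid = 20000
    }
"""
def pam_line_minimum_uid(pam_text):
    """minimum_uid on the first active pam_krb5.so line, or None if absent."""
    for line in pam_text.splitlines():
        if line.lstrip().startswith("#") or "pam_krb5.so" not in line:
            continue
        m = re.search(r"\bminimum_uid=(\d+)", line)
        return int(m.group(1)) if m else None
    return None

def krb5_conf_minimum_uid(conf_text):
    """minimum_uid under [appdefaults], bare or inside pam = { ... }, or None."""
    section = block = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        sec = re.fullmatch(r"\[(\w+)\]", line)
        blk = re.fullmatch(r"(\w+)\s*=\s*\{", line)
        if sec:
            section, block = sec.group(1), None
        elif blk:
            block = blk.group(1)
        elif line == "}":
            block = None
        elif section == "appdefaults" and block in (None, "pam"):
            m = re.fullmatch(r"minimum_uid\s*=\s*(\d+)", line)
            if m:
                return int(m.group(1))
    return None

def effective_minimum_uid(pam_text, conf_text):
    """PAM-line options win over krb5.conf; None means no UID floor at all."""
    pam_val = pam_line_minimum_uid(pam_text)
    return pam_val if pam_val is not None else krb5_conf_minimum_uid(conf_text)

def krb5_consulted_for(uid, pam_text, conf_text):
    """True when pam_krb5 handles this UID (source of the spurious prompt)."""
    floor = effective_minimum_uid(pam_text, conf_text)
    return floor is None or uid >= floor
```

With the sample inputs the hardcoded 1000 wins, so a local user with UID 1500 is handed to pam_krb5 exactly as the reporter saw; with the PAM-line option removed, the krb5.conf value 20000 takes over, and with neither present there is no floor at all.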
