andyr at wizzy.com
Thu Apr 6 08:31:26 BST 2006
On Wed, 05 Apr 2006, Jerry Haltom wrote:
> If you're using pam_unix to handle LDAP, you probably have a pretty
> badly secured configuration. Means you are exposing shadow passwords
> into each hosts NSS shadow table.
> Those passwords should never leave the LDAP server, and the only way to
> do that is to use pam_ldap or pam_krb5.
> On Wed, 2006-04-05 at 17:47 +0200, Andy Rabagliati wrote:
> > I do not think libpam-ldap is important - pam_unix has handled ldap for
> > a long time without help.
I am not sure what a "hosts NSS shadow table" is, but this is my setup :-
fresh server install (from edubuntu Flight 5)
aptitude install xubuntu # looks beautiful, thanks, guys!
aptitude install ldap-utils openssh-server
[ libldap installed for dependencies ]
I now enable universe repository.
aptitude install libnss-ldap
[ libpam-ldap nscd installed for dependencies ]
I have an account andyr in /etc/passwd. I configure ubuntu to look at
my LDAP server, where I have a user bill.
/etc/nsswitch.conf edited to have "files ldap" where it used to say "compat".
***no changes to anything in /etc/pam.d/*
bill can log in via ssh, warnings about a missing home directory.
Now, "# dpkg -r libpam-ldap" - and reboot.
% dpkg -l | grep ^i | grep ldap
ii ldap-utils 2.2.26-5ubuntu1 OpenLDAP utilities
ii libldap-2.2-7 2.2.26-5ubuntu1 OpenLDAP libraries
ii libldap2 2.1.30-12ubuntu3 OpenLDAP libraries
ii libnss-ldap 238-1.1ubuntu1 NSS module for using LDAP as a naming servic
"# grep bill /etc/*" returns nothing.
"# grep ldap /etc/security/*" returns nothing.
User bill can still log in. A debug trace on my ldap server
( /usr/sbin/slapd -d7 ) verifies that ldap is being consulted.
Where is my security snafu ?
More information about the ubuntu-devel