libnss_ldap

Jerry Haltom wasabi at larvalstage.net
Thu Apr 6 15:43:40 BST 2006 

Run:

getent passwd
getent shadow

NSS is responsible for retrieving a number of named "tables". They are
passwd, shadow, group, hosts, etc. Anything you see in /etc/nsswitch.
You can use getent to query one of those NSS tables.

pam_unix authenticates users by comparing the password entered to the
password in the passwd (or shadow) NSS tables. Normally, these NSS
tables are mapped to /etc/shadow or /etc/passwd, which are local on the
box., and shadow is only readable by root. Using NSS to map them to LDAP
queries is fine.

However, this means you are passing passwords or hashes over the LDAP
connection to the hosts, to make up their NSS tables. Any user can query
for one of these records, and get another users password.

If I'm wrong let me know, however.


On Thu, 2006-04-06 at 09:31 +0200, Andy Rabagliati wrote:
> On Wed, 05 Apr 2006, Jerry Haltom wrote:
> 
> > If you're using pam_unix to handle LDAP, you probably have a pretty
> > badly secured configuration. Means you are exposing shadow passwords
> > into each hosts NSS shadow table.
> > 
> > Those passwords should never leave the LDAP server, and the only way to
> > do that is to use pam_ldap or pam_krb5.
> > 
> > On Wed, 2006-04-05 at 17:47 +0200, Andy Rabagliati wrote:
> > > 
> > > I do not think libpam-ldap is important - pam_unix has handled ldap for
> > > a long time without help.
> 
> I am not sure what a "hosts NSS shadow table" is, but this is my setup :-
> 
> fresh server install (from edubuntu Flight 5)
> 
> aptitude install xubuntu		# looks beautiful, thanks, guys!
> 
> aptitude install ldap-utils openssh-server
> 	[ libldap installed for dependencies ]
> 
> I now enable universe repository.
> 
> aptitude install libnss-ldap
> 	[ libpam-ldap nscd installed for dependencies ]
> 
> I have an account andyr in /etc/passwd. I configure ubuntu to look at
> my LDAP server, where I have a user bill.
> 
> /etc/nsswitch.conf edited to have "files ldap" where it used to say "compat".
> ***no changes to anything in /etc/pam.d/*
> 
> bill can log in via ssh, warnings about a missing home directory.
> 
> Now, "# dpkg -r libpam-ldap" - and reboot.
> 
> %  dpkg -l | grep ^i | grep ldap
> ii  ldap-utils                             2.2.26-5ubuntu1                     OpenLDAP utilities
> ii  libldap-2.2-7                          2.2.26-5ubuntu1                     OpenLDAP libraries
> ii  libldap2                               2.1.30-12ubuntu3                    OpenLDAP libraries
> ii  libnss-ldap                            238-1.1ubuntu1                      NSS module for using LDAP as a naming servic
> 
> "# grep bill /etc/*" returns nothing.
> "# grep ldap /etc/security/*" returns nothing.
> 
> User bill can still log in. A debug trace on my ldap server
> ( /usr/sbin/slapd -d7 ) verifies that ldap is being consulted.
> 
> Where is my security snafu ?
> 
> Cheers,     Andy!
>

More information about the ubuntu-devel mailing list