[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Russ Allbery rra at debian.org
Fri Apr 2 01:31:50 BST 2010


"Daniel Richard G." <skunk at iskunk.org> writes:

> Thought about the upgrade process a bit. How about this:

> 1. kerberos-configs starts generating new krb5.conf files with
> minimum_uid=1000. Then a little later...

> 2. libpam-krb5 has minimum_uid removed from pam-configs/krb5. On
> upgrade, it checks to see if this is in krb5.conf. If yes, great. If no,
> then copy pam-configs/krb5 to e.g. krb5_old, have pam-auth-update use
> that instead of the new krb5 profile, and show a warning to the user.
> The user can dismiss the warning, and nothing changes for him/her.
> krb5_old sticks around as a conffile (removed if package is purged, but
> otherwise remains untouched by future upgrades), and the regular krb5
> profile doesn't have to be hobbled by backward-compatibility measures.

The input files to pam-auth-update aren't configuration files, so this
would need to change somewhat, but I think I can see how to do something
like this.  Basically, libpam-krb5 would ship two different krb5 PAM
profiles and select between them based on whether or not krb5.conf had a
minimum_uid setting.

However, so far as I can tell, there's no way to do this right now in the
existing pam-auth-update system.  The package doesn't tell pam-auth-update
which profile to add.  It just configures all of them.  So the user would
keep having to select between krb5 and krb5-old (or whatever) without
knowing which one too chose, and they'd conflict with each other which
would make everything more complicated.

Steve, if you're still following this bug report, do you have any feelings
about how we should handle this?  My primary concern is ending up with
only ignore_root and not minimum_uid and hence opening a possible security
vulnerability wherein one could authenticate as a Kerberos principal named
daemon, etc., and log on to a system account.

Fixing Debian Bug#330882 (and in general not creating real shells for
system users) would remove a lot of my concern.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



More information about the Ubuntu-server-bugs mailing list