[Bug 962560] [NEW] pam-auth-update Account-Type should be "Additional"

Ray Link rlink+launchpad at cs.cmu.edu
Thu Mar 22 21:30:29 UTC 2012


Public bug reported:

Currently, libpam-ldap provides a pam-auth-update stub that inserts
pam_ldap into the authorization stack as Account-Type: Primary.

Unfortunately, this means that, should pam_unix (also Account-Type:
Primary) succeed, pam_ldap will never be checked.  It also means that
anything wishing to conflict with pam_ldap by providing a stub with
"Conflicts: ldap" and a properly-behaving "Account-Type: Additional"
will not actually end up conflicting with the misplaced pam_ldap.

In general, while the "Auth" stack is permissive (once one succeeds, the
user has proven their identity, there's no sense in running additional
authentication checks, so you skip checking the rest and just let the
user through) and is thus perfectly suited to be Auth-Type: Primary,
the "Account" (authorization) stack is essentially a gauntlet of
potential denials, meaning every single PAM module should be run
(Account-Type: Additional) to check for an authorization failure, even
if others have already succeeded.

See Debian bugs #583483, #583492, and especially response #20 to Debian
bug #610888.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583483
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583492
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610888#20

** Affects: libpam-ldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libpam-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/962560

Title:
  pam-auth-update Account-Type should be "Additional"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libpam-ldap/+bug/962560/+subscriptions
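To make the skip semantics concrete, here is a small Python model of how Linux-PAM walks the two "account" stacks pam-auth-update would produce from this stub with Account-Type: Primary versus Account-Type: Additional. This is an added example, not code from the bug report or from libpam-ldap; the control fields on the pam_unix and pam_ldap lines are modelled on typical pam-auth-update output and are an assumption, and the per-user module results are constructed.

```python
# Simplified model of how Linux-PAM walks an "account" stack of the shape
# pam-auth-update generates. Constructed for this example: Primary modules
# become a [success=N default=ignore] jump chain ending in pam_deny/pam_permit,
# Additional modules become plain "required" lines after pam_permit.
BUILTIN = {"pam_deny": "fail", "pam_permit": "success"}  # fixed verdicts
# Entries are (control, module); a dict control is the bracketed form,
# result -> action, where an int action means "skip the next N entries".
PRIMARY_STACK = [  # libpam-ldap stub as filed: Account-Type: Primary
    ({"success": 2, "new_authtok_reqd": "done", "default": "ignore"}, "pam_unix"),
    ({"success": 1, "default": "ignore"}, "pam_ldap"),
    ("requisite", "pam_deny"),
    ("required", "pam_permit"),
]
ADDITIONAL_STACK = [  # the same stub with Account-Type: Additional
    ({"success": 1, "new_authtok_reqd": "done", "default": "ignore"}, "pam_unix"),
    ("requisite", "pam_deny"),
    ("required", "pam_permit"),
    ("required", "pam_ldap"),
]

def run_account_stack(stack, results):
    """results maps module -> "success"/"fail" for one user. Returns the
    stack's final verdict and the modules that were actually consulted."""
    consulted, final, i = [], None, 0
    while i < len(stack):
        control, module = stack[i]
        res = BUILTIN.get(module, results.get(module, "fail"))
        consulted.append(module)
        if isinstance(control, dict):
            action = control.get(res, control["default"])
        elif res == "success":
            action = "ok"
        else:  # required -> bad (keep walking), requisite -> die (stop now)
            action = "die" if control == "requisite" else "bad"
        if action == "done":
            return (final or "success"), consulted
        if action == "die":
            return "fail", consulted
        if action == "bad":
            final = "fail"
        elif action == "ok" and final != "fail":
            final = "success"
        elif isinstance(action, int):
            i += action  # success=N: jump over the next N entries
        i += 1
    return (final or "success"), consulted

if __name__ == "__main__":  # local account OK, but LDAP says "disabled"
    user = {"pam_unix": "success", "pam_ldap": "fail"}
    print(run_account_stack(PRIMARY_STACK, user), run_account_stack(ADDITIONAL_STACK, user))
```

With the Primary stack, a user whose local account passes pam_unix is let through without pam_ldap ever being consulted; with the Additional stack, pam_ldap still runs and its denial sticks.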
