On Sun, 2010-11-21 at 22:35 +0100, Vincent Danjean wrote:
> I added "debug" for pam_ldap.so into the 5 common-* files in /etc/pam.d
> Then, I started "nslcd -d"
> And then I type "sudo su"
> 
> Here what I get in /var/log/auth.log:
> [after the first wrong password]
> Nov 21 22:11:30 aya sudo: pam_unix(sudo:auth): authentication failure; 
> logname=vdanjean uid=0 euid=0 tty=/dev/pts/7 ruser=vdanjean rhost=  
> user=vdanjean
> Nov 21 22:11:30 aya sudo: pam_ldap(sudo:auth): nslcd authentication; 
> user=vdanjean
> Nov 21 22:11:30 aya sudo: pam_ldap(sudo:auth): Échec d'authentification; 
> user=vdanjean
> [after the second correct password]
> Nov 21 22:11:42 aya sudo: pam_ldap(sudo:account): nslcd authorisation; 
> user=vdanjean
> Nov 21 22:11:42 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
> Nov 21 22:11:42 aya sudo: vdanjean : pam_acct_mgmt: 7 ; TTY=pts/7 ; 
> PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
> [after the third correct password]
> Nov 21 22:11:49 aya sudo: pam_ldap(sudo:account): nslcd authorisation; 
> user=vdanjean
> Nov 21 22:11:49 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
> Nov 21 22:11:49 aya sudo: vdanjean : pam_acct_mgmt: 7 ; TTY=pts/7 ; 
> PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
> Nov 21 22:11:49 aya sudo: vdanjean : 3 incorrect password attempts ; 
> TTY=pts/7 ; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su

It seems that the PAM stack does not retry the pam_ldap authentication
(sudo:auth) check and only does authorisation (sudo:account) checks.

> And, "nslcd -d" output:
[...]

This again only shows authentication (nslcd_pam_authc) requests for the
first entered password and authorisation (nslcd_pam_authz) check later
on.

> My remark was due to the fact that /var/log/auth.log talk about
> sudo:auth after the first password and sudo:account after the second
> and third one. But this is probably due to the fact that the first
> password is wrong whereas the second and third are correct. [and
> indeed, this is the case: I tried with a wrong password the three
> times and /var/log/auth.log talks about sudo:auth three times]

This gave me an idea. What probably happens is that pam_unix is doing
the authentication in the second and third tries (always as it
succeeds). You probably expose password hashes through the shadow map
(getent shadow as root shows password hashes for LDAP users).

Like I described earlier, the authentication phase retrieves some
authorisation information from the LDAP server. That saved authorisation
information is used when doing authorisation. Since only pam_ldap's
authentication check is done for incorrect passwords, this ensures that
the cached authorisation value is always an error.

There is not an easy solution for this within nss-pam-ldapd since it has
no way of knowing whether the cached authorisation error is from a new
attempt or not. The nslcd daemon could return an authorisation success
alongside the authentication failure but that could also have other
consequences.

The easiest workaround is to not expose password hashes through NSS.
From your logs your LDAP server returns the hashes even without
authentication. Your LDAP server should have an ACL like this:

access to attrs=userPassword
  by anonymous auth
  by self write
  by * none

Failing that you can put this in nslcd.conf to avoid exposing password
hashes through nslcd:

map passwd userPassword "x"
map shadow userPassword "*"

(I'm thinking about making this the default in later releases of
nss-pam-ldapd)

Hope this is a usable workaround for you.

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to