[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Daniel Richard G.
skunk at iskunk.org
Wed Apr 27 02:42:35 UTC 2016
> I don't think Heimdal supports including krb5.conf snippets, which
> means we can't use the include functionality in kerberos-configs.
And even if it did, it would still be awkward (you have to add the
#include at any rate). It needs to be a standard expectation these days
that configs in /etc support a foobaz.d directory convention, so all you
have to do is drop in a file.
> I don't think it's acceptable from a security standpoint for
> minimum_uid to be turned off by an upgrade without an affirmative
> response from the user (not any sort of default), and we can't use any
> sort of krb5-config dependency to ensure that a Kerberos configuration
> fragment is available (even if Heimdal supports it) because krb5-config
> intentionally doesn't mess with a user-supplied krb5.conf file.
> Would it work to convert the PAM profile into a config file, and treat
> an existing file with minimum_uid=1000 as user-modified?
I'd argue that this file should be marked as config on its own merits.
One other thing I want to do, in fact, is bump down the Priority: so
that Kerberos auth is checked after Unix auth. I'd sure want to see the
config merge question come up if an update messes with that.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libpam-krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/369575
Title:
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Status in kerberos-configs package in Ubuntu:
Triaged
Status in libpam-krb5 package in Ubuntu:
Invalid
Bug description:
Binary package hint: libpam-krb5
I'm looking at libpam-krb5 version 3.13-2ubuntu1, in Jaunty.
The pam-auth-update profile file /usr/share/pam-configs/krb5 has
invocations of pam_krb5.so with the hardcoded option minimum_uid=1000.
Presumably, this is to exclude system users (uid < 1000) from Kerberos
authentication.
The problem is that some installations may have the convention of a
higher minimum UID for Kerberos users, and their options are limited
to either modifying the number in the profile file (a no-no given that
the file lives in /usr and not /etc), or bypassing the krb5 profile
altogether (either with a custom profile, or direct edits to
/etc/pam.d/*).
To make all this concrete: I have a setup where Kerberos users have
UIDs >= 20000. I specify this right in /etc/krb5.conf, under the
[appdefaults] section (see the pam_krb5 man page for details on how to
do this). Users with 1000 >= UID > 20000 are assumed to be local [but
otherwise normal] users, existing only on the local system. The
problem is that (1) my minimum_uid option in krb5.conf is being
overridden by the hardcoded options in .../pam-configs/krb5, and (2)
when I create a local user with adduser(8), and try to set/change its
password, I get prompted for "Current Kerberos password:" even though
no such entity exists in my Kerberos database!
(FYI: In Intrepid, I was using a custom pam-auth-update profile
similar to the new krb5 one, but without the minimum_uid= options. I
had considered it preferable to specify this once in krb5.conf than
multiple times in this file.)
I think that the minimum_uid= options should be removed from the krb5
profile, and the equivalent option added to krb5.conf, where the
specific UID number can be modified administratively. The current
approach is not flexible for installations making broad use of
Kerberos.
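An added illustration of the precedence problem the report describes, written for this page rather than taken from libpam-krb5, kerberos-configs or the bug thread: pam_krb5 takes its options from the PAM module line first and falls back to the "pam" stanza under [appdefaults] in krb5.conf (with an optional realm-specific sub-stanza) only when the option is absent from the PAM line, per the pam_krb5 man page. The PAM line, the krb5.conf fragment and the UIDs below are constructed samples; the parsers are this example's own and not the library's; treating an unset minimum_uid as 0 (no users ignored) is an assumption made here for the fallback case.

```python
"""Resolve the minimum_uid that pam_krb5 will actually apply.

Example code for the bug discussion above, not part of libpam-krb5.
Precedence modelled here (from the pam_krb5 man page): an option on the
PAM module line overrides krb5.conf, so a hardcoded minimum_uid=1000 in
the pam-auth-update profile silently wins over a site-wide value set in
/etc/krb5.conf [appdefaults].
"""
import re

# Constructed sample: the pam-auth-update profile line the bug complains about.
PAM_LINE_PROFILE = "auth [success=end default=ignore] pam_krb5.so minimum_uid=1000"
# Constructed sample: the same line with the hardcoded option removed.
PAM_LINE_NO_UID = "auth [success=end default=ignore] pam_krb5.so"

# Constructed sample /etc/krb5.conf: site convention is Kerberos users >= 20000.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[appdefaults]
    pam = {
        # Kerberos users have UIDs >= 20000; lower UIDs are local accounts
        minimum_uid = 20000
        forwardable = true
    }
"""


def pam_line_options(line):
    """Return {option: value} for the tokens after the module name on a PAM
    line such as 'auth [success=end default=ignore] pam_krb5.so minimum_uid=1000'.
    Bare flags (e.g. use_first_pass) map to True."""
    m = re.search(r"\S+\.so\b\s*(.*)$", line.strip())
    if not m:
        return {}
    opts = {}
    for tok in m.group(1).split():
        key, sep, val = tok.partition("=")
        opts[key] = val if sep else True
    return opts


def parse_krb5_conf(text):
    """Minimal krb5.conf parser (this example's own, not libkrb5's):
    {section: {key: value-or-nested-dict}}, following '{' ... '}' nesting
    as used by [appdefaults] and [realms]; '#'/';' comments are skipped."""
    conf = {}
    stack = []  # dicts we are currently inside, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue  # key before any section header; ignore
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def effective_minimum_uid(pam_line, krb5_conf, realm=None):
    """Return (minimum_uid, where_it_came_from) using pam_krb5's precedence:
    PAM line, then realm-specific [appdefaults] pam stanza, then the generic
    pam stanza. Assumption for this example: unset means 0 (nobody ignored)."""
    opts = pam_line_options(pam_line)
    if "minimum_uid" in opts:
        return int(opts["minimum_uid"]), "pam line"
    pam = parse_krb5_conf(krb5_conf).get("appdefaults", {}).get("pam", {})
    realm_opts = pam.get(realm) if realm else None
    if isinstance(realm_opts, dict) and "minimum_uid" in realm_opts:
        return int(realm_opts["minimum_uid"]), f"krb5.conf [appdefaults] pam/{realm}"
    if "minimum_uid" in pam:
        return int(pam["minimum_uid"]), "krb5.conf [appdefaults] pam"
    return 0, "unset (assumed 0: pam_krb5 handles every UID)"


def handled_by_pam_krb5(uid, pam_line, krb5_conf, realm=None):
    """True when pam_krb5 will act on this UID (it ignores UIDs below minimum_uid),
    i.e. a local account at this UID would be prompted for a Kerberos password."""
    minimum, _ = effective_minimum_uid(pam_line, krb5_conf, realm)
    return uid >= minimum


if __name__ == "__main__":
    # A local user created with adduser(8) lands at UID 1001 on a fresh system.
    for label, line in (("shipped profile", PAM_LINE_PROFILE),
                        ("profile without minimum_uid", PAM_LINE_NO_UID)):
        minimum, source = effective_minimum_uid(line, KRB5_CONF)
        print(f"{label}: effective minimum_uid={minimum} (from {source}); "
              f"local UID 1001 goes to Kerberos: {handled_by_pam_krb5(1001, line, KRB5_CONF)}")
```

Run against a real system by substituting the pam_krb5.so line from /etc/pam.d/common-auth (or common-password) and the contents of /etc/krb5.conf; if the result says "pam line", the krb5.conf value is dead configuration, which is exactly the situation the report describes for a local UID between 1000 and 20000.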