[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

[Daniel Richard G.]

> I don't think Heimdal supports including krb5.conf snippets, which
means we can't use the include functionality in kerberos-configs.

And even if it did, it would still be awkward (you have to add the
#include at any rate). It needs to be a standard expectation these days
that configs in /etc support a foobaz.d directory convention, so all you
have to do is drop in a file.

> I don't think it's acceptable from a security standpoint for
minimum_uid to be turned off by an upgrade without an affirmative
response from the user (not any sort of default), and we can't use any
sort of krb5-config dependency to ensure that a Kerberos configuration
fragment is available (even if Heimdal supports it) because krb5-config
intentionally doesn't mess with a user-supplied krb5.conf file.

Would it work to convert the PAM profile into a config file, and treat
an existing file with minimum_uid=1000 as user-modified?

I'd argue that this file should be marked as config on its own merits.
One other thing I want to do, in fact, is bump down the Priority: so
that Kerberos auth is checked after Unix auth. I'd sure want to see the
config merge question come up if an update messes with that.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libpam-krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/369575

Title:
  Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

Status in kerberos-configs package in Ubuntu:
  Triaged
Status in libpam-krb5 package in Ubuntu:
  Invalid

Bug description:
  Binary package hint: libpam-krb5

  I'm looking at libpam-krb5 version 3.13-2ubuntu1, in Jaunty.

  The pam-auth-update profile file /usr/share/pam-configs/krb5 has
  invocations of pam_krb5.so with the hardcoded option minimum_uid=1000.
  Presumably, this is to exclude system users (uid < 1000) from Kerberos
  authentication.

  The problem is that some installations may have the convention of a
  higher minimum UID for Kerberos users, and their options are limited
  to either modifying the number in the profile file (a no-no given that
  the file lives in /usr and not /etc), or bypassing the krb5 profile
  altogether (either with a custom profile, or direct edits to
  /etc/pam.d/*).

  To make all this concrete: I have a setup where Kerberos users have
  UIDs >= 20000. I specify this right in /etc/krb5.conf, under the
  [appdefaults] section (see the pam_krb5 man page for details on how to
  do this). Users with 1000 >= UID > 20000 are assumed to be local [but
  otherwise normal] users, existing only on the local system. The
  problem is that (1) my minimum_uid option in krb5.conf is being
  overridden by the hardcoded options in .../pam-configs/krb5, and (2)
  when I create a local user with adduser(8), and try to set/change its
  password, I get prompted for "Current Kerberos password:" even though
  no such entity exists in my Kerberos database!

  (FYI: In Intrepid, I was using a custom pam-auth-update profile
  similar to the new krb5 one, but without the minimum_uid= options. I
  had considered it preferable to specify this once in krb5.conf than
  multiple times in this file.)

  I think that the minimum_uid= options should be removed from the krb5
  profile, and the equivalent option added to krb5.conf, where the
  specific UID number can be modified administratively. The current
  approach is not flexible for installations making broad use of
  Kerberos.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/369575/+subscriptions