[Bug 369964] [NEW] "krb5" pam-auth-update profile priority is greater than "unix" profile

Daniel Richard G. skunk at iskunk.org
Thu Apr 30 18:01:41 UTC 2009


Public bug reported:

Binary package hint: libpam-krb5

Looking at libpam-krb5 version 3.13-2ubuntu1 in Jaunty.

The "unix" profile has a priority of 256; "krb5" has a priority of 704.
When pam-auth-update collates the profiles into a PAM configuration, the
Kerberos lines thus precede the Unix lines in the /etc/pam.d/common-*
files.

Whether a user exists in the Kerberos database or the Unix database
(usually /etc/passwd), the try_first_pass module options allow either
possibility to result in a successful login. If a user exists in *both*
databases, then this works as well.

However, if a user exists in both databases, and the Kerberos
infrastructure is not available (no network, server down, etc.), then
PAM will have to wait for the attempt at Kerberos authentication to time
out before trying the Unix one---which, in most cases, does not require
network access.

(Note that a user may exist in both databases in some scenarios where a
system that normally uses Kerberos auth is isolated from the network,
and an administrator creates a matching local user [same name and UID]
to allow a person to get some use out of said disconnected system.)

I think that the priority of the Kerberos authentication profile should
be lowered to below that of the Unix one, on the principle that local
authentication should be tried before network auth, due to the
disproportionately worse failure mode(s) of the latter.

** Affects: libpam-krb5 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
"krb5" pam-auth-update profile priority is greater than "unix" profile
https://bugs.launchpad.net/bugs/369964
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
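
The collation described in the report can be modelled as follows. This is an added example, not part of the original report or of pam-auth-update itself: the profile text is a constructed sample in the pam-configs layout (only the priorities 256 and 704 come from the report), and the list of network-dependent modules is an assumption.

```python
import re

# Constructed sample profiles; only the Priority values (256, 704) are taken
# from the bug report. Module options shown are assumptions for illustration.
PROFILES = {
    "unix": """Name: Unix authentication
Priority: 256
Auth-Type: Primary
Auth:
\t[success=end default=ignore]\tpam_unix.so nullok_secure try_first_pass
""",
    "krb5": """Name: Kerberos authentication
Priority: 704
Auth-Type: Primary
Auth:
\t[success=end default=ignore]\tpam_krb5.so minimum_uid=1000 try_first_pass
""",
}
# Assumed list of modules that need a reachable network service.
NETWORK_MODULES = {"pam_krb5.so", "pam_ldap.so", "pam_winbind.so", "pam_sss.so"}

def parse_profile(text):
    """Return (priority, [module names in the Auth: block]) for one profile."""
    priority = int(re.search(r"^Priority:\s*(\d+)", text, re.M).group(1))
    modules, in_auth = [], False
    for line in text.splitlines():
        if re.match(r"^\S[^:]*:", line):        # a new field starts at column 0
            in_auth = line.startswith("Auth:")
        elif in_auth and line.strip():          # indented continuation line
            modules.append(re.search(r"(pam_\w+\.so)", line).group(1))
    return priority, modules

def auth_order(profiles):
    """Modules in stack order: higher Priority comes first, as the report states."""
    parsed = sorted((parse_profile(t) for t in profiles.values()), key=lambda p: -p[0])
    return [m for _, mods in parsed for m in mods]

def network_before_local(order):
    """Network modules tried before pam_unix.so; each may have to time out first."""
    if "pam_unix.so" not in order:
        return []
    return [m for m in order[: order.index("pam_unix.so")] if m in NETWORK_MODULES]

if __name__ == "__main__":
    order = auth_order(PROFILES)
    print("auth order:", order, "| network before local:", network_before_local(order))
```

With the priorities from the report, `pam_krb5.so` is listed ahead of `pam_unix.so`; giving the Kerberos profile a priority below 256 reverses the order and empties the warning list.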
