Gentoo Forums
ldap and update system-auth
Gentoo Forums Forum Index :: Networking & Security

Frautoincnam
Apprentice
Joined: 19 May 2017
Posts: 158
PostPosted: Sat Oct 10, 2020 3:10 pm    Post subject: ldap and update system-auth

Hi,

I have been using LDAP (openldap) for years now, but I'm not a specialist at all.
At the time I followed the documentation https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP#Client_PAM_configuration_the_pam_ldap_module_method
to configure the /etc/pam.d/system-auth client.
But, year after year, updates modify this file, and the documentation doesn't take that into account.
So now, I don't know what to do with my current system-auth file.
For the moment, I have:
Code:
auth            required        pam_env.so
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            optional        pam_permit.so
auth            required        pam_deny.so
auth            optional        pam_cap.so

account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so use_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok try_first_pass
password        optional        pam_permit.so

-session        optional        pam_elogind.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
session         optional        pam_ldap.so

And all works fine.
But the latest sys-auth/pambase-20200917 update suggests a new file to me, and if I add the same lines from the documentation, I get:
Code:
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            optional        pam_permit.so
auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth            sufficient      pam_unix.so nullok try_first_pass
auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600

account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         optional        pam_permit.so
account         required        pam_faillock.so

password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass
password        optional        pam_permit.so

-session        optional        pam_libcap.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_ldap.so
session         optional        pam_permit.so

And I can't log in with it.
Could an expert tell me exactly what to put that is consistent with the updates and my needs, please?
alamahant
Guru
Joined: 23 Mar 2019
Posts: 557
PostPosted: Sat Oct 10, 2020 10:00 pm

Hi
NOT an expert, but maybe you should try to modify the revised system-auth like this:
Code:

###auth            required        pam_unix.so try_first_pass likeauth nullok ###REPLACE THIS WITH:
auth            sufficient        pam_unix.so try_first_pass likeauth nullok

###password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow###AND THIS WITH:
password        sufficient        pam_unix.so try_first_pass use_authtok nullok sha512 shadow


:D
Frautoincnam
Apprentice
Joined: 19 May 2017
Posts: 158
PostPosted: Sun Oct 11, 2020 4:10 am

alamahant wrote:
Hi
NOT an expert, but maybe you should try to modify the revised system-auth like this:
Code:

###auth            required        pam_unix.so try_first_pass likeauth nullok ###REPLACE THIS WITH:
auth            sufficient        pam_unix.so try_first_pass likeauth nullok

###password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow###AND THIS WITH:
password        sufficient        pam_unix.so try_first_pass use_authtok nullok sha512 shadow


:D


Works, thank you.

I hope I won't have any other problems. I really don't understand anything about this file, and it gets more and more complicated over the years.
alamahant
Guru
Joined: 23 Mar 2019
Posts: 557
PostPosted: Sun Oct 11, 2020 9:08 am

It is not that complicated.
"pam_unix.so"
is the pam module for local auth by checking if a user is found in "/etc/shadow".
"pam_ldap.so"
on the other hand is for network authenticating a user against an ldap dbase.
If you had left the first with the "required" flag, that would have meant that unless a user is a local user, it would prohibit login.
By using "sufficient" you allow both.
If local-user OR network-user then authenticate.
The main thing that changed with pam is that "pam_cracklib.so" is deprecated in favor of "pam_passwdqc.so", both of which enforce password strength standards.
:D
Frautoincnam
Apprentice
Joined: 19 May 2017
Posts: 158
PostPosted: Sun Oct 11, 2020 3:32 pm

Ok, but why not for account and session ?
alamahant
Guru
Joined: 23 Mar 2019
Posts: 557
PostPosted: Sun Oct 11, 2020 6:23 pm

There are four stanzas:
Auth
Account
Password
Session.
The first authenticates the user against a backend. In the case of local auth this will be /etc/shadow. In the case of ldap it will be an ldap dbase. There are other user store backends like, for example, kerberos and sssd, which is much preferable to plain ldap and acts as a great orchestrator of anything about authentication etc.
The second checks if a specific user is INDEED allowed to login, ie not expired etc.
The third allows password change by the user.
The fourth controls the session.
Your account seems ok.
If you need to have the user's homedir created at login you can insert the following at the beginning of the session stanza.
Code:

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077

:D
Frautoincnam
Apprentice
Joined: 19 May 2017
Posts: 158
PostPosted: Sun Oct 11, 2020 7:22 pm

Ok, but what I asked, and what I don't understand, is why I don't need to replace "required" by "sufficient" for account and session as I needed to for auth and password.
But don't bother, I'll read some documentation to find out.
Thanks for all.
alamahant
Guru
Joined: 23 Mar 2019
Posts: 557
PostPosted: Sun Oct 11, 2020 8:17 pm

Play with it.
Try to do as you say and see what happens.....
The important thing was to get you logged in.
Now you can fine tune it and study it as much as you like....
At least this is how I approach problems....
:D
Frautoincnam
Apprentice
Joined: 19 May 2017
Posts: 158
PostPosted: Wed Oct 14, 2020 7:04 pm

What is the point of having two auth pam_unix.so lines?

The latest pambase update gives:
Code:
# grep "^auth.*pam_unix" /etc/pam.d/._cfg0000_system-auth
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_unix.so nullok try_first_pass


EDIT: already reported: https://bugs.gentoo.org/747868
Frautoincnam
Apprentice
Joined: 19 May 2017
Posts: 158
PostPosted: Fri Nov 06, 2020 4:56 pm

More and more complicated with the latest update:
Code:
auth            required        pam_env.so
auth            requisite       pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
auth            [default=die]   pam_faillock.so authfail
auth            optional        pam_permit.so
-auth           optional        pam_cap.so

account         required        pam_unix.so
account         required        pam_faillock.so
account         optional        pam_permit.so

password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so


I had to try hard to get something working, without understanding a lot, and it seems I have to replace "[success=1 default=ignore]" by "sufficient". If I don't, and I have a password in /etc/shadow, login is rejected for some users (but not all)...
Code:
auth            required        pam_env.so
auth            requisite       pam_faillock.so preauth
auth            sufficient      pam_unix.so nullok  try_first_pass
auth            sufficient      pam_ldap.so use_first_pass
auth            [default=die]   pam_faillock.so authfail
auth            optional        pam_permit.so
-auth           optional        pam_cap.so

account         sufficient      pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_faillock.so
account         optional        pam_permit.so

password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass
password        optional        pam_permit.so

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_ldap.so
session         optional        pam_permit.so


Code:
diff -u system-auth.update system-auth
--- system-auth.orig    2020-11-06 12:33:22.020402183 -0400
+++ system-auth 2020-11-06 12:45:01.342993735 -0400
@@ -1,19 +1,24 @@
 auth           required        pam_env.so
 auth           requisite       pam_faillock.so preauth
-auth           [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
+#auth          [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
+auth           sufficient      pam_unix.so nullok  try_first_pass
+auth           sufficient      pam_ldap.so use_first_pass
 auth           [default=die]   pam_faillock.so authfail
 auth           optional        pam_permit.so
 -auth          optional        pam_cap.so
 
-account          required      pam_unix.so
-account         required        pam_faillock.so
-account         optional        pam_permit.so
+account          sufficient    pam_unix.so
+account          sufficient    pam_ldap.so
+account          required      pam_faillock.so
+account          optional      pam_permit.so
 
 password       required        pam_passwdqc.so config=/etc/security/passwdqc.conf
-password       required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password       sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password       sufficient      pam_ldap.so use_authtok use_first_pass
 password       optional        pam_permit.so
 
 session          required      pam_limits.so
 session          required      pam_env.so
 session          required      pam_unix.so
+session          optional      pam_ldap.so
 session          optional      pam_permit.so
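Review bot: the `+account sufficient pam_unix.so` / `+account sufficient pam_ldap.so` lines leave `account required pam_faillock.so` as the only binding module in the account stack. A `sufficient` success returns at once, so for any user whose pam_unix account check passes, neither pam_ldap's account check nor pam_faillock's account step (the one that resets the failure tally after a good login) is ever run; and a failing `sufficient` module is ignored, so a user whose pam_unix and pam_ldap account checks both fail (an expired LDAP account, say) still passes the stack as long as pam_faillock is satisfied. Consider keeping the original `account required pam_unix.so` and `account required pam_faillock.so` and inserting pam_ldap with an explicit action list, for example `account [success=ok user_unknown=ignore default=bad] pam_ldap.so`, so that local-only users are not rejected (assuming the pam_ldap build returns user_unknown for accounts that are not in the directory) while a failing LDAP account check still denies. The auth part of the hunk is sound: `+auth sufficient pam_unix.so` followed by `+auth sufficient pam_ldap.so` ahead of `[default=die] pam_faillock.so authfail` means a failed attempt is counted only after both backends rejected it, which is what the original jump did for the local backend alone; the commented-out `+#auth [success=1 default=ignore] ...` line can simply be deleted rather than kept in the file.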


Is anybody here using ldap with pam_ldap who could verify that I am not jeopardizing the security of my system?

And a subsidiary question (unrelated to ldap): do I need to change ENCRYPT_METHOD in /etc/login.defs to SHA512, or is it useless?
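The following is an added example, not code from this thread, from Gentoo's pambase or from Linux-PAM: a small Python model of how libpam walks one management group under the pam.conf(5) control flags, replayed over the auth stacks from the first post (the `required` versus `sufficient` pam_unix line that alamahant's reply explains) and over the November file. The users, their module return codes and the pam_faillock/pam_cap results are constructed assumptions. The `JUMP_MISCOUNTED` stack is a constructed variant of the November file with the wiki's pam_ldap line inserted after the `[success=1 default=ignore]` line; nobody posted that file, it is here to show why a `[success=N]` jump breaks when a line is added after it. Running it shows three things: `required pam_unix.so` rejects an LDAP-only user even though the later `sufficient pam_ldap.so` succeeds; a line inserted after `[success=1 ...]` makes the jump skip pam_ldap and land on `pam_faillock authfail`, so local users are denied while LDAP users pass, and `success=2` repairs it; and in the posted account stack a `sufficient pam_unix.so` means pam_faillock is never consulted for a local user, while a user whose pam_unix and pam_ldap account checks both fail still passes.

```python
"""Added example (not from the thread, from pambase or from Linux-PAM): a model of how
libpam walks one management group under the pam.conf(5) control flags, replayed over the
stacks posted above for constructed users; every module return code below is an assumption."""
import re

KEYWORDS = {  # pam.conf(5): the keyword flags are shorthand for these action maps
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}
LINE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_stack(text, stack_type):
    """Entries of one management group as (may_be_missing, actions, module, args)."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        dash, typ, ctrl, module, args = LINE.match(line).groups()   # AttributeError on junk
        if typ == stack_type:
            actions = (dict(t.split("=", 1) for t in ctrl[1:-1].split())
                       if ctrl.startswith("[") else KEYWORDS[ctrl])
            entries.append((dash == "-", actions, module, args.split()))
    return entries

def evaluate(entries, outcome):
    """Dispatch like libpam's _pam_dispatch_aux; returns (final code, modules called)."""
    impression, status, called, skip = None, None, [], 0
    for may_be_missing, actions, module, args in entries:
        if skip:                                   # inside a [success=N] jump
            skip -= 1
            continue
        ret = outcome(module, args)                # None: module not installed
        if ret is None and may_be_missing:         # "-" prefix: silently skipped
            continue
        ret = ret or "module_unknown"              # otherwise libpam substitutes a failure
        called.append(module)
        action = actions.get(ret, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done") or action.isdigit():
            if impression is None:                 # first positive result is kept
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break                              # sufficient stops only if nothing failed earlier
            skip = int(action) if action.isdigit() else 0
        else:                                      # "bad" or "die"
            if impression != "negative":           # first failure is the one reported
                impression, status = "negative", ret
            if action == "die":
                break
    if impression == "positive":
        return status, called
    return ("perm_denied" if status in (None, "success") else status), called  # die on a success => denied

# Constructed users (assumption): alice has a local shadow entry, bob exists only in LDAP,
# "expired" is an LDAP account whose account check fails, mallory typed a wrong password.
USERS = {
    "alice":   {"pam_unix.so": "success",  "pam_ldap.so": "user_unknown"},
    "bob":     {"pam_unix.so": "auth_err", "pam_ldap.so": "success"},
    "expired": {"pam_unix.so": "auth_err", "pam_ldap.so": "acct_expired"},
    "mallory": {"pam_unix.so": "auth_err", "pam_ldap.so": "auth_err"},
}
ALWAYS_OK = ("pam_env.so", "pam_permit.so", "pam_faillock.so")  # faillock: below the deny limit

def run(stack_type, text, user):
    def outcome(module, args):   # anything else (e.g. pam_cap.so) is treated as not installed
        return USERS[user].get(module, "success" if module in ALWAYS_OK else None)
    return evaluate(parse_stack(text, stack_type), outcome)

# pambase-20200917 file with the wiki's pam_ldap lines added, as in the first post
NEW_REQUIRED = """
auth required   pam_env.so
auth required   pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth optional   pam_permit.so
auth required   pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
"""
FIXED = NEW_REQUIRED.replace("required   pam_unix.so try_first_pass", "sufficient pam_unix.so try_first_pass")

# Constructed variant of the November file: the wiki's pam_ldap line inserted right after
# the [success=1 ...] line, so the jump now lands on "pam_faillock.so authfail".
JUMP_MISCOUNTED = """
auth required  pam_env.so
auth requisite pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth [default=die] pam_faillock.so authfail
auth optional  pam_permit.so
-auth optional pam_cap.so
"""
ACCOUNT = """
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required   pam_faillock.so
account optional   pam_permit.so
"""
```

Load it with `python -i` and call, for example, `run("auth", FIXED, "mallory")` or `run("account", ACCOUNT, "alice")`; the second element of the result lists the modules that were actually consulted, which is the quickest way to see what a `sufficient` or `[success=N]` line caused libpam to skip.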