From owner-freebsd-stable@FreeBSD.ORG Tue Jul 16 02:28:42 2013
Date: Mon, 15 Jul 2013 22:28:40 -0400 (EDT)
From: Daniel Eischen <deischen@freebsd.org>
To: Jan Bramkamp
Cc: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
In-Reply-To: <51E480C3.50008@rlwinm.de>
References: <1373915752.13754.140661255962197.3CA2BD96@webmail.messagingengine.com> <20130715224748.GA45649@anubis.morrow.me.uk> <51E480C3.50008@rlwinm.de>
List-Id: Production branch of FreeBSD source code

On Tue, 16 Jul 2013, Jan Bramkamp wrote:

> On 16.07.2013 00:47, Ben Morrow wrote:
>> Quoth Jan Bramkamp :
>>> On 15.07.2013 21:51, Daniel Eischen wrote:
>>>>
>>>> Wouldn't it be easier just to edit /etc/nsswitch.conf
>>>> anyway?
>>> PAM and NSS switch are two different subsystems. NSS is just for
>>> resource lookups (users, groups, hosts, ...). PAM is for access control.
>>>
>>> With ldap in nsswitch.conf for users and groups you can look up an LDAP
>>> user, but the user can't log into $service through PAM. This requires
>>> pam_ldap.so in pam.d/$service.
>>
>> The default pam_unix.so calls getpwent, so if nss_ldap returns cryptable
>> passwords in its result I think pam_unix can authenticate against those.
>>
>> This is not the same as authenticating by LDAP bind, but may end up
>> accepting the same passwords.
>
> If you want every process to read your hashed passwords and you use
> non-portable crypt hashes it could work. The correct solution would be to
> authenticate users by LDAP binds without allowing anyone to read the
> password, or to use the {SASL} password style and authenticate users
> against Kerberos with saslauthd. Just don't let your users play with
> passwords. Either your password policy allows dumb users to pick trivial
> passwords or it forces complex password structures on them, resulting in
> post-it notes with passwords around every second desk.

I think something is lost on me here. getpwent/getpwuid do not return
the password hashes in the returned struct passwd unless the calling
process is root. So you have to be root in order to see the hashes
anyway. Not all users are going to have access to the hashes, unless
your machine's compromised or otherwise allows root privileges to
others.

-- 
DE
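An added example, not part of the thread and not FreeBSD or pam_unix code: a small C program that looks a user up through the NSS layer (files, nss_ldap, whatever nsswitch.conf says) with getpwnam_r(3) and classifies what came back in pw_passwd, which is exactly the field pam_unix feeds to crypt(3). Run it twice, once unprivileged and once as root, to see the point made above: on FreeBSD an unprivileged caller gets "*" back even for accounts that do have a hash, while root gets the hash itself; on Linux the field is "x" for everyone because the hash lives in /etc/shadow and is fetched separately. The enum names, the classification rules and the 13-character heuristic for traditional DES hashes are this example's own assumptions, not anything the thread or the libraries define.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* What the NSS layer handed back in pw_passwd. Only PW_HASH is something
 * pam_unix could verify a password against (crypt(pw, hash) == hash). */
enum pw_class {
    PW_NOT_FOUND, /* no passwd entry for that name */
    PW_EMPTY,     /* "": no password required at all */
    PW_LOCKED,    /* "*", "!", "!!", "*LK*", ...: lock marker, never a valid hash */
    PW_SHADOWED,  /* "x": Linux placeholder, real hash is in /etc/shadow */
    PW_HASH       /* looks like a crypt(3) string pam_unix can use */
};

/* Pure classification of a pw_passwd string (assumption: lock markers start
 * with '*' or '!', modular-crypt hashes start with '$', traditional DES is 13
 * characters; anything else is treated as unusable, which is also what
 * pam_unix effectively does with garbage in that field). */
enum pw_class classify_pw_passwd(const char *pw)
{
    if (pw == NULL)
        return PW_NOT_FOUND;
    if (pw[0] == '\0')
        return PW_EMPTY;
    if (strcmp(pw, "x") == 0)
        return PW_SHADOWED;
    if (pw[0] == '*' || pw[0] == '!')
        return PW_LOCKED;
    if (pw[0] == '$' || strlen(pw) == 13)
        return PW_HASH;
    return PW_LOCKED;
}

/* Resolve NAME through nsswitch (files, ldap, ...) as the current euid and
 * classify the password field we were allowed to see. */
enum pw_class classify_user(const char *name)
{
    struct passwd pwbuf;
    struct passwd *pw = NULL;
    char buf[4096];

    if (getpwnam_r(name, &pwbuf, buf, sizeof buf, &pw) != 0 || pw == NULL)
        return PW_NOT_FOUND;
    return classify_pw_passwd(pw->pw_passwd);
}

const char *pw_class_name(enum pw_class c)
{
    switch (c) {
    case PW_NOT_FOUND: return "not found";
    case PW_EMPTY:     return "empty password";
    case PW_LOCKED:    return "locked / no usable hash";
    case PW_SHADOWED:  return "shadowed ('x'), hash not in struct passwd";
    case PW_HASH:      return "crypt hash visible: pam_unix could verify against it";
    }
    return "?";
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    enum pw_class c = classify_user(user);

    printf("euid %u: pw_passwd for %s is %s\n",
           (unsigned)geteuid(), user, pw_class_name(c));
    return c == PW_NOT_FOUND ? 1 : 0;
}
```

Build with `cc -o pwclass pwclass.c` and run `./pwclass someuser` as yourself and then under `sudo`; the difference between the two runs is the root-only hash exposure the reply describes, and with ldap in nsswitch.conf it tells you whether nss_ldap is returning cryptable hashes to the calling uid at all.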