Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 179009 - KRB5 auth should include minimum_uid?
KRB5 auth should include minimum_uid?
Product: Fedora
Classification: Fedora
Component: authconfig (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
: Security
Depends On:
Blocks: FC5Target
  Show dependency treegraph
Reported: 2006-01-26 09:38 EST by Brian Wheeler
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: authconfig-5.2.0-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-02-06 12:31:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Brian Wheeler 2006-01-26 09:38:08 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
System accounts shouldn't be authenticating against a kerberos server by default.  I run in a university setting and I'd like to authenticate my users against the campus kerberos server.  Since I have no control over the kerberos server itself, I cannot know whether or not there are entries for root, apache, squid, etc. on the kerberos server which may be used to authenticate against my system.

It seems that putting the "minimum_uid=500" argument to pam_krb5.so when writing the pam authorization files would be a good thing to limit any bad surprises.  It would still be possible to try to log in via 'nobody', but since that's a limited access account anyway, the damage would be minimal.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. run ethereal and watch for krb5 packets
2. su -


Actual Results:  pam_krb5 tries to auth root against krb server.

Expected Results:  only local authentication for system accounts, unless overridden by administrator.

Additional info:
Comment 1 Tomas Mraz 2006-02-06 12:31:19 EST
Fixed in a slightly different and more universal way.

authconfig now adds:

auth        requisite     pam_succeed_if.so uid >= 500 quiet

line to /etc/pam.d/system-auth-ac by default. Also there is a new option which
reverts to the old behaviour of allowing that.

Note You need to log in before you can comment on or make changes to this bug.