Bug 193199 - Backport pam_ccreds module
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam_ccreds
Version: 3.0
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Assigned To: Tomas Mraz
QA Contact: Jay Turner
PMCmmt
Keywords: FutureFeature
Blocks: 190430
Reported: 2006-05-25 19:46 EDT by Daniel Riek
Modified: 2015-01-07 19:12 EST (History)
Fixed In Version: RHEA-2007-0461
Doc Type: Enhancement
Last Closed: 2007-06-11 14:41:18 EDT
Description Daniel Riek 2006-05-25 19:46:42 EDT
In the context of a customer, we ran into the requirement to have authenticated binds
to an LDAP server for authentication and identity management without exposing
the bind password to all users on the system. The mandate for allowing only
authenticated binds to the LDAP server arises from SOX compliance requirements.

The proposed solution was to use nscd for nss_ldap access so that unprivileged
users do not need to see the bind password, but this does not cover unprivileged
applications that need to authenticate users via PAM, like xscreensaver. The
proposed solution here is the pam_ccreds module.
Comment 15 Tomas Mraz 2007-05-11 04:56:31 EDT
The proper PAM (system-auth) configuration is:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [success=done default=die] pam_ccreds.so action=validate use_first_pass
auth [success=done default=die] pam_ccreds.so action=store
auth [default=die] pam_ccreds.so action=update
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore authinfo_unavail=ignore] pam_ldap.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok shadow md5
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
Comment 16 Tomas Mraz 2007-05-11 05:57:10 EDT
So actually for RHEL3 (pam-0.75) one more adjustment is necessary; this is the final
PAM config:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
# Local accounts are accepted here and never reach LDAP or the credential cache.
auth        sufficient    pam_unix.so likeauth nullok
# LDAP reachable and password accepted: skip 1 (validate) and store the
# credentials in the cache. LDAP unreachable: fall through and validate
# against the cache. Any other result (e.g. wrong password): skip 2 to
# update, whose [default=die] fails the stack without consulting the cache.
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [success=done default=die] pam_ccreds.so action=validate use_first_pass
auth [success=done default=die] pam_ccreds.so action=store
auth [default=die] pam_ccreds.so action=update
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore authinfo_unavail=ignore] pam_ldap.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok shadow md5
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
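Added example (not code from this bug, from pam_ccreds or from Linux-PAM): a small Python walk through the auth stack posted above, to show which module each outcome actually reaches. It implements Linux-PAM's control-flag dispatch (ok/done/bad/die/ignore and the numeric jumps, with the impression/status bookkeeping) over the config text as posted. The modules themselves are stand-ins keyed on constructed in-memory account tables, the credential cache is a plain dict, and the behaviour of action=update (dropping the user's cached entry after a failed online authentication) is an assumption; its return code does not matter here because [default=die] fails the stack either way.

```python
import re

# PAM return codes the config refers to (string stand-ins for the PAM_* constants).
SUCCESS, AUTH_ERR, AUTHINFO_UNAVAIL = "success", "auth_err", "authinfo_unavail"
# Linux-PAM's documented expansion of the two keyword controls this stack uses.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

AUTH_STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [success=done default=die] pam_ccreds.so action=validate use_first_pass
auth [success=done default=die] pam_ccreds.so action=store
auth [default=die] pam_ccreds.so action=update
auth        required      pam_deny.so
"""

LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Parse auth lines into (actions, module, args) triples."""
    stack = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        ctrl, module, rest = LINE_RE.match(line).groups()
        actions = (dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
                   if ctrl.startswith("[") else KEYWORDS[ctrl])
        args = dict((a.split("=", 1) if "=" in a else (a, True)) for a in rest.split())
        stack.append((actions, module, args))
    return stack

class Site:
    """Constructed stand-ins for the modules' back ends; not the real modules."""
    def __init__(self, local, ldap, ldap_up=True):
        self.local, self.ldap, self.ldap_up = local, ldap, ldap_up
        self.cache = {}   # stand-in for the pam_ccreds credential cache
        self.trace = []   # modules invoked, in order, e.g. "pam_ccreds.so:store"

    def call(self, module, args, user, password):
        action = args.get("action")
        self.trace.append(module + (":" + action if action else ""))
        if module == "pam_env.so":
            return SUCCESS
        if module in ("pam_unix.so", "pam_ldap.so"):
            if module == "pam_ldap.so" and not self.ldap_up:
                return AUTHINFO_UNAVAIL           # directory unreachable
            table = self.local if module == "pam_unix.so" else self.ldap
            return SUCCESS if user in table and table[user] == password else AUTH_ERR
        if module == "pam_ccreds.so" and action == "validate":
            return SUCCESS if user in self.cache and self.cache[user] == password else AUTH_ERR
        if module == "pam_ccreds.so" and action == "store":
            self.cache[user] = password
            return SUCCESS
        if module == "pam_ccreds.so" and action == "update":
            # Assumption: update drops the stale entry after a failed online auth.
            self.cache.pop(user, None)
        return AUTH_ERR   # pam_deny.so, ccreds update, anything unmodelled

def run_auth(site, user, password, stack=None):
    """Walk the stack with Linux-PAM's impression/status bookkeeping."""
    stack = parse_stack(AUTH_STACK) if stack is None else stack
    impression, status, i = None, None, 0        # None == _PAM_UNDEF
    while i < len(stack):
        actions, module, args = stack[i]
        i += 1
        retval = site.call(module, args, user, password)
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("bad", "die"):              # first failure wins; die stops
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action != "ignore":                  # ok, done or a numeric jump
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
            if action.isdigit():
                i += int(action)                  # jump over the next N modules
    return status

def demo():
    """Scenarios a deployer cares about -> {name: (result, last module run)}."""
    site = Site(local={"root": "toor"}, ldap={"alice": "s3cret"})   # constructed accounts
    out = {"ldap_up_good_pw": (run_auth(site, "alice", "s3cret"), site.trace[-1])}
    site.ldap_up = False
    out["ldap_down_good_pw"] = (run_auth(site, "alice", "s3cret"), site.trace[-1])
    out["ldap_down_bad_pw"] = (run_auth(site, "alice", "wrong"), site.trace[-1])
    site.ldap_up = True
    out["ldap_up_bad_pw"] = (run_auth(site, "alice", "wrong"), site.trace[-1])
    out["cached_after_online_reject"] = "alice" in site.cache
    out["local_user"] = (run_auth(site, "root", "toor"), site.trace[-1])
    return out
```

Running demo() shows the property this stack is built for: the cache is consulted only when pam_ldap reports authinfo_unavail, a wrong password while the directory is reachable lands on action=update and fails without ever touching validate, and local accounts are settled by pam_unix before LDAP is contacted at all. Swapping the [success=1 default=2] control for a plain `sufficient` on pam_ldap would make a rejected online password fall through to the cache, which is exactly the fallback this configuration is arranged to prevent.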
Comment 19 Red Hat Bugzilla 2007-06-11 14:41:19 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2007-0461.html
