Bug 193199 - Backport pam_ccreds module
Summary: Backport pam_ccreds module
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam_ccreds (Show other bugs)
(Show other bugs)
Version: 3.0
Hardware: All Linux
urgent
high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL:
Whiteboard: PMCmmt
Keywords: FutureFeature
Depends On:
Blocks: 190430
TreeView+ depends on / blocked
 
Reported: 2006-05-25 23:46 UTC by Daniel Riek
Modified: 2015-01-08 00:12 UTC (History)
6 users (show)

Fixed In Version: RHEA-2007-0461
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-06-11 18:41:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2007:0461 normal SHIPPED_LIVE New pam_ccreds packages 2007-06-07 22:56:54 UTC

Description Daniel Riek 2006-05-25 23:46:42 UTC
In context of a customer we ran into the requirement to have authenticated binds
to an ldap server for authentication and identity management without exposing
the bind password to all users on the system. The mandat for allowing only
authenticated binds to the ldap server arises from SOX compliance requirements.

The proposed solution was to use nscd for nss_ldap access so that unprivileged
users do not need to see the bind password but this does not cover unpriviliged
applications that need to authenticate users via pam like the xscreensaver. The
proposed solution here is the pam_ccreds module.

Comment 15 Tomas Mraz 2007-05-11 08:56:31 UTC
The proper PAM (system-auth) configuration is:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [success=done default=die] pam_ccreds.so action=validate use_first_pass
auth [success=done default=die] pam_ccreds.so action=store
auth [default=die] pam_ccreds.so action=update
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore authinfo_unavail=ignore] pam_ldap.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok shadow md5
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so

Comment 16 Tomas Mraz 2007-05-11 09:57:10 UTC
So actually for RHEL3 (pam-0.75) one more adjustment is necessary, this is final
PAM config:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [success=done default=die] pam_ccreds.so action=validate use_first_pass
auth [success=done default=die] pam_ccreds.so action=store
auth [default=die] pam_ccreds.so action=update
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore authinfo_unavail=ignore] pam_ldap.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok shadow md5
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so


Comment 19 Red Hat Bugzilla 2007-06-11 18:41:19 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2007-0461.html



Note You need to log in before you can comment on or make changes to this bug.