default config under ssh allows for easy machine lockout
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ldap-auth-client (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
This issue is the result of interplay of a few different packages. My feeling is this is probably the best place to fix it, so I'm reporting it here.
Take a standard ubuntu 11.04 or 11.10, install ssh and ldap, along with libpam-ldap.
In /etc/ssh/
In /etc/ldap.conf there's two settings:
bind_timeout - defaults to 30
bind_policy - defaults to hard, which means the ldap client will do an exponential backoff when it's unable to connect to the ldap server .
In the result is that with an ldap server that is down, with these defaults the ldap client will try (unsuccessfully) to make a connection for around 240 seconds.
But, sshd kills the process after 120 seconds. Backup means of authentication _are not tried_. If there's a way to get around this lockout, I'm not aware of it.
I'd suggest changing the default bind_timeout to 5 or10 seconds... this seems plenty long and then in a default install of all of these packages wouldn't result in a dangerous default configuration.
Thanks.
Please reply if this is still an issue on a supported release.