Ubuntu
ldap-auth-client package

default config under ssh allows for easy machine lockout

Bug #897553 reported by Mike Fogel
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ldap-auth-client (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

This issue is the result of interplay of a few different packages. My feeling is this is probably the best place to fix it, so I'm reporting it here.

Take a standard ubuntu 11.04 or 11.10, install ssh and ldap, along with libpam-ldap.

In /etc/ssh/sshd_config there's a setting LoginGraceTime which defaults to 120. This is the length of time in seconds that sshd gives a login to successfully complete the connection-starting handshake before killing the process.

In /etc/ldap.conf there's two settings:

bind_timeout - defaults to 30
bind_policy - defaults to hard, which means the ldap client will do an exponential backoff when it's unable to connect to the ldap server .

In the result is that with an ldap server that is down, with these defaults the ldap client will try (unsuccessfully) to make a connection for around 240 seconds.

But, sshd kills the process after 120 seconds. Backup means of authentication _are not tried_. If there's a way to get around this lockout, I'm not aware of it.

I'd suggest changing the default bind_timeout to 5 or10 seconds... this seems plenty long and then in a default install of all of these packages wouldn't result in a dangerous default configuration.

Thanks.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Please reply if this is still an issue on a supported release.

Changed in ldap-auth-client (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.