Ubuntu
libpam-krb5 package

Bug #369575
Comment #16

Comment 16 for bug 369575

Revision history for this message

Steve Langasek (vorlon) wrote on 2010-04-06: Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

#16

On Wed, Mar 31, 2010 at 05:06:48AM -0000, Russ Allbery wrote:

> No, it's not a conffile. The generated /etc/pam.d files are configuration
> files, but if the user is using the defaults, I believe changes to the
> defaults are just automatically applied (although Steve would know better
> than I).

Yes, pam-auth-update does word-wise parsing of the options for each module
in the stack, and does an automatic three-way merge of these options on
upgrade.

On Fri, Apr 02, 2010 at 12:31:50AM -0000, Russ Allbery wrote:
> The input files to pam-auth-update aren't configuration files, so this
> would need to change somewhat, but I think I can see how to do something
> like this. Basically, libpam-krb5 would ship two different krb5 PAM
> profiles and select between them based on whether or not krb5.conf had a
> minimum_uid setting.

> However, so far as I can tell, there's no way to do this right now in the
> existing pam-auth-update system. The package doesn't tell pam-auth-update
> which profile to add. It just configures all of them. So the user would
> keep having to select between krb5 and krb5-old (or whatever) without
> knowing which one too chose, and they'd conflict with each other which
> would make everything more complicated.

> Steve, if you're still following this bug report, do you have any feelings
> about how we should handle this? My primary concern is ending up with
> only ignore_root and not minimum_uid and hence opening a possible security
> vulnerability wherein one could authenticate as a Kerberos principal named
> daemon, etc., and log on to a system account.

You can set up two pam module configs that conflict with one another, but
there's no way for the package to automatically select between them (a
limitation of the use of debconf, really).

You can use maintainer script logic to post-process /etc/pam.d/common-* and
tune the options for pam_krb5 based on the contents of /etc/krb5.conf, but
this isn't persistent if the user at any point disables and re-enables the
krb5 pam profile.

Honestly, I don't see any good choices at the packaging level for permuting
the pam_krb5 options used.

Why wouldn't it work to have krb5-config do a one-time adjustment of
/etc/krb5.conf on upgrade (w/ version guard), and give libpam-krb5 a
versioned dependency on the version of krb5-config that implements this?

As for your original problem, Daniel, - you already have to set the
non-default minimum_uid in krb5.conf; why couldn't you automatically apply
the same setting to /etc/pam.d/common-* by the same mechanism? There may be
room for improvement in the package defaults, but ISTM that this shouldn't
stand in the way of you solving your immediate problem - especially given
that you're decidedly not using the package defaults anyway.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

On Wed, Mar 31, 2010 at 05:06:48AM -0000, Russ Allbery wrote:

> No, it's not a conffile.  The generated /etc/pam.d files are configuration
> files, but if the user is using the defaults, I believe changes to the
> defaults are just automatically applied (although Steve would know better
> than I).

Yes, pam-auth-update does word-wise parsing of the options for each module
in the stack, and does an automatic three-way merge of these options on
upgrade.

On Fri, Apr 02, 2010 at 12:31:50AM -0000, Russ Allbery wrote:
> The input files to pam-auth-update aren't configuration files, so this
> would need to change somewhat, but I think I can see how to do something
> like this.  Basically, libpam-krb5 would ship two different krb5 PAM
> profiles and select between them based on whether or not krb5.conf had a
> minimum_uid setting.

> However, so far as I can tell, there's no way to do this right now in the
> existing pam-auth-update system.  The package doesn't tell pam-auth-update
> which profile to add.  It just configures all of them.  So the user would
> keep having to select between krb5 and krb5-old (or whatever) without
> knowing which one too chose, and they'd conflict with each other which
> would make everything more complicated.

> Steve, if you're still following this bug report, do you have any feelings
> about how we should handle this?  My primary concern is ending up with
> only ignore_root and not minimum_uid and hence opening a possible security
> vulnerability wherein one could authenticate as a Kerberos principal named
> daemon, etc., and log on to a system account.

You can set up two pam module configs that conflict with one another, but
there's no way for the package to automatically select between them (a
limitation of the use of debconf, really).

Honestly, I don't see any good choices at the packaging level for permuting
the pam_krb5 options used.

As for your original problem, Daniel, - you already have to set the
non-default minimum_uid in krb5.conf; why couldn't you automatically apply
the same setting to /etc/pam.d/common-* by the same mechanism?  There may be
room for improvement in the package defaults, but ISTM that this shouldn't
stand in the way of you solving your immediate problem - especially given
that you're decidedly not using the package defaults anyway.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Ubuntulibpam-krb5 package

Comment 16 for bug 369575

Ubuntu
libpam-krb5 package