problem with group membership enforcement
Hi,
Wasn't sure where to post this (here or the pam list) - sorry if I
picked the wrong one, but I always have more success here :)
I'm in a testing environment running OpenLDAP 2.1 on Redhat 9, and I
have some Redhat 9 clients I'm testing with, but I've built my own
pam_ldap and nss_ldap from scratch, from the latest sources on padl's
site.
My problem is this:
My /etc/ldap.conf file is configured to enforce membership of a group in
order to login. If I ssh to the machine as someone in the group, no
problem, I get in. However, today while I was testing this, I tried to
ssh to the box as someone NOT in the group and got this:
<+++++++ snip +++++++++>
[ajonesy@newhotness ajonesy]$ ssh ajonesy@fishhead
ajonesy@fishhead's password:
Warning: No xauth data; using fake authentication data for X11
forwarding.
You must be a memberUid of cn=staff,ou=Group,dc=cs,dc=princeton,dc=edu
to login.
[ajonesy@fishhead ajonesy]$ pwd
/u/ajonesy
[ajonesy@fishhead ajonesy]$
<++++++++++++++ /SNIP++++>
Why was I allowed to log in? This is baffling.
Oddly, if I try to 'su' to the same account, as root on that box, it
fails, giving me that same warning ('you must be a memberUid of...') and
returns me my root shell.
As root, I can 'su' to someone who is in the proper group, but that user
can't su to the non-group account either. So 'su' seems to do the right
thing, but 'ssh' lets me in regardless of my group membership (though
it's nice enough to provide a warning).
Anyone seen this before? Here's my /etc/pam.d/sshd file:
auth     required   /lib/security/pam_nologin.so
auth     sufficient /lib/security/pam_ldap.so
auth     required   /lib/security/pam_unix.so shadow nullok use_first_pass
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_unix.so
password required   /lib/security/pam_cracklib.so
password required   /lib/security/pam_unix.so shadow md5 nullok use_authtok
session  required   /lib/security/pam_unix.so
Thanks for any input here.
brian.
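An added illustration (editor's code, not from the post above or from Linux-PAM or pam_ldap): a toy evaluator of PAM control-flag semantics, run over the account stack quoted in the post. Module verdicts are constructed stand-ins; the point it shows is that a module marked `sufficient` that fails is simply skipped, so the stack's outcome comes from the `required` pam_unix entry, whereas marking pam_ldap `required` (an assumed intended policy, not something the post states) makes its group check binding.

```python
# Added example (editor's code, not from the original post or from Linux-PAM):
# a toy evaluator for PAM control flags, run over the sshd account stack
# quoted above. Module verdicts are constructed stand-ins for real modules.

SUCCESS, FAIL = "success", "fail"


def run_stack(stack, verdicts):
    """Evaluate one PAM management group (here: 'account').

    stack:    list of (control, module) pairs in file order
    verdicts: module -> SUCCESS/FAIL, the value the module would return
    Implements the classic flags: required, requisite, sufficient, optional.
    """
    final = None            # verdict recorded so far by required/requisite modules
    optional_result = None  # only counts when nothing else set a verdict
    for control, module in stack:
        result = verdicts[module]
        if control == "requisite" and result == FAIL:
            return FAIL                      # fatal, stop immediately
        if control in ("required", "requisite"):
            if result == FAIL:
                final = FAIL                 # remembered, but later modules still run
            elif final is None:
                final = SUCCESS
        elif control == "sufficient":
            # success short-circuits the stack unless a required module already failed;
            # a FAILING sufficient module is simply ignored
            if result == SUCCESS and final != FAIL:
                return SUCCESS
        elif control == "optional":
            optional_result = result
    if final is not None:
        return final
    return optional_result if optional_result is not None else FAIL


# Account stack exactly as it appears in the post's /etc/pam.d/sshd
SSHD_ACCOUNT = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]
# Variant in which pam_ldap's verdict is binding (assumed intent, not from the post)
STRICT_ACCOUNT = [("required", "pam_ldap.so"), ("required", "pam_unix.so")]


def non_member_outcome(stack):
    """Constructed scenario: pam_ldap denies the user (not in the required group,
    which is when it prints 'You must be a memberUid of ...'), while pam_unix
    finds the account through nss_ldap and has no reason to deny it."""
    return run_stack(stack, {"pam_ldap.so": FAIL, "pam_unix.so": SUCCESS})


def member_outcome(stack):
    """Constructed scenario: both modules accept the user."""
    return run_stack(stack, {"pam_ldap.so": SUCCESS, "pam_unix.so": SUCCESS})
```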