Gentoo Forums
Changing kerberos passwords through pam? [solved]
Plaz
Tux's lil' helper
Joined: 15 Sep 2002
Posts: 101
Location: Portland, OR

PostPosted: Wed Dec 22, 2004 11:26 pm    Post subject: Changing kerberos passwords through pam? [solved]

I've managed to *almost* get an LDAP/Kerberos system running in an effort to migrate to a single-password configuration.

What works:
1. Users' information stored in LDAP (OpenLDAP)
2. Users' passwords stored in Kerberos (MIT-KRB5)
3. Users can log in the system using kerberos authentication.
4. Users can change their passwords with kpasswd
5. External VPN hardware can authenticate via the kerberos server.
6. nsswitch.conf is getting user info out of LDAP

Problem:

I would like to let users use the 'passwd' program to change their password. It appears that the pam_krb5 module is supposed to allow this. However, when I try running 'passwd', I get the following:

passwd: Authentication token manipulation error

My understanding is that this can occur when trying to use pam_unix and the user does not appear in /etc/passwd. I'm trying to avoid using pam_unix in this case since the user only exists in the space of LDAP/Kerberos. I've tried removing the password/pam_unix line completely to see what would happen and it didn't help.

Here's my current pam.d/system-auth:
Code:

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_krb5.so debug
auth       sufficient   /lib/security/pam_unix.so use_first_pass likeauth nullok shadow
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_krb5.so debug
password   sufficient   /lib/security/pam_unix.so nullok use_authtok shadow md5
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=2
session    optional     /lib/security/pam_krb5.so


If anybody has this working seamlessly (or even just a little better than I do), I'd like to hear about it.

A second "problem" is that it appears that LDAP is getting used for authentication even though pam_ldap is not listed in the 'auth' stack. I think this is a byproduct of having (stale) password fields in LDAP and telling nsswitch.conf to use ldap for retrieving user data. The result of this is that users can log in with their stale passwords and bypass kerberos authentication. It appears that I can simply remove the userPassword attribute in LDAP, but if somebody knows of a 'correct' way to close this hole, I'd like to hear about it.


Last edited by Plaz on Thu Dec 23, 2004 3:02 am; edited 1 time in total
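On the second problem in the post above (stale userPassword values letting users bypass Kerberos): nss_ldap hands the userPassword attribute to pam_unix as the shadow hash, which is why the old password keeps working even though pam_ldap is nowhere in the auth stack. The script below is an added example, not code from the thread or from the pam_krb5 project: it parses an LDIF dump such as `ldapsearch -LLL` or `slapcat` output, lists the entries that still carry a locally verifiable hash, and emits the `ldapmodify` records that delete it. The sample dump, its DNs and the EXAMPLE.COM realm are constructed; the `{SASL}user@REALM` value on one entry is OpenLDAP's standard pass-through marker, which the thread did not use.

```python
"""Audit an LDIF dump for accounts that still carry a userPassword value.

Added example (not from the thread).  Once passwords live in Kerberos,
a leftover userPassword in LDAP is still handed to pam_unix as the
shadow hash by nss_ldap, so the stale value keeps working as a login
credential.  This parses LDIF as written by 'ldapsearch -LLL' or
'slapcat', reports entries whose userPassword is a locally verifiable
hash, and writes ldapmodify records that remove it.  The sample dump,
its DNs and the realm are constructed for the example.
"""
import base64
import sys

# Constructed sample: alice still has a crypt hash, bob carries an OpenLDAP
# {SASL} pass-through marker (shown in the '::' base64 form, as ldapsearch
# prints userPassword values), carol has no userPassword at all.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
userPassword: {CRYPT}$1$abcdefgh$0123456789abcdefghijkl

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
userPassword:: e1NBU0x9Ym9iQEVYQU1QTEUuQ09N

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: carol
"""


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})].  Handles '::' base64 values
    and folded continuation lines (a leading space joins to the line above)."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold RFC 2849 continuation
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):          # 'attr:: <base64>'
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def is_verifiable_hash(value):
    """True for a value pam_unix could check locally.  OpenLDAP's
    {SASL}user@REALM marker is not a hash: slapd forwards binds carrying
    it to saslauthd, which can be pointed at Kerberos."""
    return not value.upper().startswith("{SASL}")


def stale_password_dns(entries):
    """DNs whose userPassword would still be accepted by pam_unix."""
    return [dn for dn, attrs in entries
            if any(is_verifiable_hash(v) for v in attrs.get("userpassword", []))]


def delete_records(dns):
    """LDIF for 'ldapmodify' that strips userPassword from each DN."""
    return "".join(
        f"dn: {dn}\nchangetype: modify\ndelete: userPassword\n-\n\n" for dn in dns)


if __name__ == "__main__":
    # Usage: python audit_userpassword.py [dump.ldif] > delete.ldif
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    dns = stale_password_dns(parse_ldif(text))
    sys.stderr.write(f"{len(dns)} entries still carry a userPassword hash\n")
    sys.stdout.write(delete_records(dns))
```

Produce the dump with a bind that may read the attribute, e.g. `ldapsearch -x -D <admin dn> -W -LLL -b ou=People,dc=example,dc=com '(userPassword=*)' userPassword`, review the list, then apply the output with `ldapmodify -x -D <admin dn> -W -f delete.ldif`. Deleting the attribute closes the shortcut the post describes because nss_ldap then has no hash to serve; the `{SASL}` alternative keeps LDAP simple binds working by delegating them to saslauthd (run with `-a kerberos5`), but that is an OpenLDAP feature beyond what the thread set up.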
Plaz
PostPosted: Thu Dec 23, 2004 3:01 am    Post subject:

To answer my own question, it (so far) seems that the pam_krb5 module that's hosted on sourceforge handles password changes correctly without any fuss.

Here's a link if somebody else is looking for the same thing:
http://sourceforge.net/projects/pam-krb5/

Maybe somebody who knows more about these things might be able to comment on what the differences are between the two versions ...
Plaz
PostPosted: Thu Dec 23, 2004 3:04 am    Post subject:

Here's the pam.d/system-auth that I ended up with. Any comments on improving it would be appreciated.

Code:

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_krb5.so debug
auth       sufficient   /lib/security/pam_unix.so use_first_pass likeauth nullok shadow
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_krb5.so debug
password   sufficient   /lib/security/pam_unix.so nullok use_authtok shadow md5
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=2
session    optional     /lib/security/pam_krb5.so

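The final system-auth above is identical to the one in the first post; what changed was the pam_krb5 module, not the stack. To make the two behaviours in this thread visible from the configuration alone, the following added example (not code from the thread or from pam_krb5) implements Linux-PAM's simple control flags (required, requisite, sufficient, optional) and walks the posted auth and password stacks against hand-written module outcomes: a login Kerberos rejected that still succeeds because pam_unix verifies a stale hash served from LDAP, and a `passwd` run where no module completes the change, so the stack reaches pam_deny, whose chauthtok result is PAM_AUTHTOK_ERR, the code `passwd` reports as "Authentication token manipulation error". The per-scenario return codes for pam_krb5 and pam_unix are assumptions; nothing calls real PAM, and the two-phase chauthtok walk and the `[value=action]` syntax are not modelled.

```python
"""Trace the posted system-auth stacks under Linux-PAM's control-flag rules.

Added example, not from the thread.  Implements the simple control flags
(required, requisite, sufficient, optional) as Linux-PAM applies them and
runs the posted auth and password stacks against assumed module outcomes.
Nothing here calls real PAM; the prelim/update phases of chauthtok and
the [value=action] bracket syntax are not modelled.
"""
PAM_SUCCESS = "PAM_SUCCESS"
# What pam_deny returns from the service functions used here.
PAM_DENY_RESULT = {"auth": "PAM_AUTH_ERR", "password": "PAM_AUTHTOK_ERR"}

# The auth and password stacks exactly as posted in the thread.
SYSTEM_AUTH = """\
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_krb5.so debug
auth       sufficient   /lib/security/pam_unix.so use_first_pass likeauth nullok shadow
auth       required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_krb5.so debug
password   sufficient   /lib/security/pam_unix.so nullok use_authtok shadow md5
password   required     /lib/security/pam_deny.so
"""


def parse_stack(config, facility):
    """[(control, module)] for one facility, in file order."""
    stack = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == facility:
            stack.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return stack


def run_stack(stack, facility, outcomes):
    """Walk one stack.  'outcomes' maps module -> return code for this
    scenario; modules not listed return PAM_SUCCESS, except pam_deny."""
    first_required_failure = None
    for control, module in stack:
        if module == "pam_deny.so":
            rc = PAM_DENY_RESULT[facility]
        else:
            rc = outcomes.get(module, PAM_SUCCESS)
        if control == "required" and rc != PAM_SUCCESS:
            # remembered and returned at the end; later modules still run
            first_required_failure = first_required_failure or rc
        elif control == "requisite" and rc != PAM_SUCCESS:
            return rc                          # stop immediately
        elif control == "sufficient" and rc == PAM_SUCCESS:
            if first_required_failure is None:
                return PAM_SUCCESS             # done, rest of stack skipped
        # a failing 'sufficient' and any 'optional' result are ignored
    return first_required_failure or PAM_SUCCESS


def scenarios():
    """Assumed module outcomes for the situations described in the thread."""
    auth = parse_stack(SYSTEM_AUTH, "auth")
    password = parse_stack(SYSTEM_AUTH, "password")
    return {
        # Kerberos accepts the password; pam_unix is never consulted.
        "auth: kerberos ok":
            run_stack(auth, "auth", {"pam_krb5.so": PAM_SUCCESS}),
        # Kerberos rejects it, but nss_ldap serves the stale userPassword as
        # the shadow hash and pam_unix (use_first_pass) verifies it.
        "auth: stale ldap hash":
            run_stack(auth, "auth", {"pam_krb5.so": "PAM_AUTH_ERR",
                                     "pam_unix.so": PAM_SUCCESS}),
        # Nothing accepts it; the stack runs into pam_deny.
        "auth: both reject":
            run_stack(auth, "auth", {"pam_krb5.so": "PAM_AUTH_ERR",
                                     "pam_unix.so": "PAM_AUTH_ERR"}),
        # passwd for an LDAP/Kerberos-only user with a pam_krb5 that does not
        # complete the change: pam_unix has no local entry, so pam_deny answers.
        "password: no module handles the change":
            run_stack(password, "password", {"pam_krb5.so": "PAM_AUTHTOK_ERR",
                                             "pam_unix.so": "PAM_USER_UNKNOWN"}),
        # A pam_krb5 that implements chauthtok ends the stack successfully.
        "password: kerberos changes it":
            run_stack(password, "password", {"pam_krb5.so": PAM_SUCCESS,
                                             "pam_unix.so": "PAM_USER_UNKNOWN"}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:42} -> {result}")
```

Two things the trace makes concrete for the posted stack: swapping the pam_krb5 build fixes only the password facility, while the auth facility still accepts any password pam_unix can verify from the shadow map, so the stale LDAP hash has to go as well; and the `nullok` on that `sufficient pam_unix.so` auth line accepts an empty password for any account pam_unix can see, which is worth dropping on a host where every real account lives in Kerberos.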