Deprecating pam_stack.so

Bernardo Innocenti bernie at develer.com
Sat Oct 15 00:05:58 UTC 2005


Lamont R. Peterson wrote:

> The correct solution is simply this: DO NOT add root (uid == 0) authentication 
> credentials in your central authentication stores.  If you already have root 
> credentials in there, GET THEM OUT OF THERE.  root should only be able to 
> authenticate locally on every single box.  The security danger of not 
> following this policy can be quite high.

I agree, but I think the correct solution is getting the clients not
to trust their LDAP server when authenticating uid=0.

Just removing root from the directory isn't going to make clients more
secure. IP spoofing and other tricks can be used to fake another LDAP
server with a root account.  Of course you may be using TLS and
installing SSL certificates on every client, but I doubt any busy
system administrator would go this far to protect *clients* on the LAN.


> That said, it still might not be a bad idea to implement the extra config line 
> that Tomas Mraz suggested, earlier...as an extra protection measure.  The 
> disadvantage of adding it is that you will have to do so on all systems you 
> want to have connected to your central authentication store (LDAP, Kerberos, 
> whatever).
> 
> Perhaps it should be added to the default PAM configuration for FC5.  I would 
> vote for that.

I'd vote for that too.


>> Maybe this other project would be more appropriate:
>>
>>  http://sourceforge.net/projects/pam-ssh-agent/
>>
>>  PAM module that spawns a ssh-agent and adds identities using the
>>  password supplied at login.
> 
> I like this.  It would be nice if FC5 would ship pam-ssh-agent.  I'll vote for 
> it :).

Good. Who should we bug to get it into FC5? :-)

-- 
  // Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/  http://www.develer.com/
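The principle argued above (the client decides locally that uid 0 never consults the directory, instead of relying on the directory being clean) can be expressed in the PAM stack itself. The fragment below is an added illustration for this archive page, not the config line Tomas Mraz proposed in the thread (that line is not reproduced here) and not taken from any Fedora package; the pam_succeed_if.so module and its `uid` test are real, while the threshold of 500 as the first non-system uid is an assumed site convention. The first stanza shows the risky ordering, the second the guarded one.

```text
# /etc/pam.d/system-auth (illustrative, constructed for this example)

# --- Risky: the network module is consulted for every account, including root.
#     A spoofed or compromised LDAP server holding a uid 0 entry can then
#     authenticate root on this client.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# --- Guarded: uid 0 (and other system accounts below the assumed threshold of 500)
#     must succeed at pam_unix.so; if it did not, pam_succeed_if.so fails the stack
#     as "requisite" before pam_ldap.so is ever reached.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# Same idea for the account stack: local accounts are accepted by pam_unix.so,
# and the directory is only asked about uids at or above the threshold.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
```

The guard has to be present on every client, which is exactly the administrative cost the thread notes; the benefit is that an attacker who can stand up a fake directory on the LAN gains nothing for uid 0, whether or not a root entry exists in the real directory.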

More information about the fedora-devel-list mailing list