Hi,

On Tue, Sep 02, 2014 at 06:40:44PM +0200, Gaudenz Steinlin wrote:
> "Andreas B. Mundt" <a...@debian.org> writes:
> >[...]
> > This modification follows the principle of 'least surprise':  Neither
> > you are logged in without password as before with 'sufficient' and an
> > arbitrary script exiting 0, nor you are unable to log in which
> > might happen with 'required' and a script exiting non-zero.  So I
> > guess this is a good default.
> >
> > CC Gaudenz to allow for his input/comments too.
>
> Thanks for CCing me. I was not aware of your bug report before. IMO the
> proposed patch is wrong. If your pam script is not intended to
> authenticate users, then don't use it in the authentication phase. If
> the script is used to mount network shares or similar things, put it
> into the session phase.

Well, a script in the authentication phase can either be sufficient
for authentication, or it can further limit authentication.  If you
look at the examples in '/usr/share/doc/libpam-script/examples/',
the README.examples explains how to use a script 'tally' [1] to limit
the number of login attempts, or imagine the restriction to time slots
where login is allowed.  For all these cases using 'sufficient' is
fatal, as any other authentication method is bypassed.

> Having auth scripts be optional by default, just leads to a situation
> where everyone that wants to use a script for authentication has to
> modify the pam configuration as this default most certainly won't be
> right for his case.

Sure, depending on what you want to do (further restrict or allow) you
have to modify that configuration.  The question is:  "What is the
most common configuration?" and "Which configuration can/cannot cause
harm by default?".

> If you want to change the default, then better
> change it to required, but this has the disadvantage you described of
> fatal failures.

I think optional is fine.  It does not undermine the authentication
already in place by the examples returning zero by default.  It does
not lock out everybody if the script returns non-zero.  If either
'sufficient' or 'required' are needed, the system is modified anyway,
and the sysadmin implementing this will test if things work as
expected.  There will be no surprises.

However, I agree that 'required' is still much better from a security
perspective than 'sufficient'.

Best regards,

     Andi


[1] <URL:http://sources.debian.net/src/libpam-script/1.1.6-1/etc/tally/>,
    it looks like it's not shipped in the binary package.
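
Added example, not part of the original e-mail or of libpam-script: a simplified Python model of the simple PAM control keywords, showing what each default discussed above does when the script exits 0 or non-zero. The two-entry stack (the pam_script entry followed by one 'required' password module) and all function names are assumptions made for illustration.

```python
# Simplified model of Linux-PAM's simple control keywords (see pam.conf(5)).
# Assumption: the auth stack is the pam_script entry followed by one
# 'required' password module; real stacks are longer.

def evaluate(stack):
    """stack: ordered (control, module_succeeded) pairs -> True if auth succeeds."""
    required_failed = False
    saw_success = False
    for control, ok in stack:
        if control == "requisite":
            if not ok:
                return False            # failure ends the stack at once
            saw_success = True
        elif control == "required":
            if ok:
                saw_success = True
            else:
                required_failed = True  # remembered, stack keeps running
        elif control == "sufficient":
            if ok and not required_failed:
                return True             # success ends the stack, later modules are skipped
            # failure of a sufficient module is ignored
        elif control == "optional":
            if ok:
                saw_success = True      # failure of an optional module is ignored
        else:
            raise ValueError(f"unknown control: {control}")
    # With no positive verdict from any module, PAM denies.
    return saw_success and not required_failed

def login_allowed(script_control, script_exit, password_ok):
    """pam_script entry first, then a required password check (constructed stack)."""
    return evaluate([(script_control, script_exit == 0), ("required", password_ok)])

def outcome_table():
    """All combinations of script control, script exit status and password result."""
    rows = []
    for control in ("sufficient", "required", "optional"):
        for script_exit in (0, 1):
            for password_ok in (False, True):
                rows.append((control, script_exit, password_ok,
                             login_allowed(control, script_exit, password_ok)))
    return rows

if __name__ == "__main__":
    for control, script_exit, password_ok, allowed in outcome_table():
        print(f"{control:10} script_exit={script_exit} "
              f"password_ok={password_ok!s:5} -> login={allowed}")
```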

