Your message dated Tue, 21 Aug 2007 03:13:08 -0700
with message-id <[EMAIL PROTECTED]>
and subject line libpam-modules: Noisy and incorrect logging to syslog
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libpam-modules
Version: 0.76-22
Severity: normal
Having this in common-auth:
----------------------------------------------
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
----------------------------------------------
and nothing else yields this in syslog:
----------------------------------------------
Nov 14 10:00:55 less unix_chkpwd[5387]: check pass; user unknown
Nov 14 10:00:55 less xscreensaver: (pam_unix) authentication failure; \
logname= uid=1018 euid=1018 tty=:0.0 ruser= rhost= user=bahner
----------------------------------------------
The first of the two entries is logged as auth.error, which is wrong in
the context. Even without default=ignore this probably shouldn't warrant
more than auth.warn.
There are no common users in /etc/[passwd|shadow], and there shouldn't
be, but in case of a missing LDAP-server root should gain access without
having to wait for a network timeout.
Kind regards,
Lars Bahner
PS. xscreensaver is only an example. This error is true for all
applications using common-auth.
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.12+vserver
Locale: LANG=no_NO.UTF-8, LC_CTYPE=no_NO.UTF-8 (charmap=UTF-8)
Versions of packages libpam-modules depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libcap1 1:1.10-14 support for getting/setting POSIX.
ii libdb3 3.2.9-22 Berkeley v3 Database Libraries [ru
ii libpam0g 0.76-22 Pluggable Authentication Modules l
-- no debconf information
--- End Message ---
--- Begin Message ---
Hi Lars,
> Having this in common-auth:
> ----------------------------------------------
> auth [success=1 default=ignore] pam_unix.so
> auth required pam_ldap.so use_first_pass
> auth required pam_permit.so
> ----------------------------------------------
> and nothing else yields this in syslog:
> ----------------------------------------------
> Nov 14 10:00:55 less unix_chkpwd[5387]: check pass; user unknown
> Nov 14 10:00:55 less xscreensaver: (pam_unix) authentication failure; \
> logname= uid=1018 euid=1018 tty=:0.0 ruser= rhost= user=bahner
> ----------------------------------------------
> The first of the two entries is logged as auth.error, which is wrong in
> the context. Even without default=ignore this probably shouldn't warrant
> more than auth.warn.
unix_chkpwd is an suid-root (or at least, sgid-shadow) binary which is
intended to be invoked exclusively through pam_unix in conditions where the
user exists and should be authenticated via pam_unix. There is no way to
distinguish between the case you describe and a misuse of unix_chkpwd by a
user, so I don't agree that unix_chkpwd should be changed to log such
errors at lower priority.
> There are no common users in /etc/[passwd|shadow], and there shouldn't
> be, but in case of a missing LDAP-server root should gain access without
> having to wait for a network timeout.
Then I think you want the following config instead.
common-auth:
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
/etc/pam_ldap.conf:
pam_min_uid 1000
Cheers,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
[EMAIL PROTECTED] http://www.debian.org/
--- End Message ---
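To see how the two stacks in this thread actually behave, here is a small walker for a Linux-PAM "auth" stack, added as an example and not code from Debian, Linux-PAM or either poster. It implements the control rules from pam.d(5) (keywords expand to [value=action] pairs; ok/bad record a result, done/die stop the stack, ignore records nothing, and a number N skips N modules without recording anything) and runs the reporter's stack, that stack without its trailing pam_permit, and Steve's suggestion against three constructed logins; the module return codes per login are assumptions, with pam_ldap returning ignore for root standing in for the pam_min_uid effect.

```python
# Toy walker for a Linux-PAM "auth" stack; control semantics follow pam.d(5).
SUCCESS, AUTH_ERR, USER_UNKNOWN, IGNORE = "success", "auth_err", "user_unknown", "ignore"

# Classic keywords as pam.d(5) defines them in [value=action] form.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(ctrl):
    """'[success=1 default=ignore]' -> {'success': '1', 'default': 'ignore'}."""
    if ctrl.startswith("["):
        return dict(kv.split("=", 1) for kv in ctrl.strip("[]").split())
    return dict(KEYWORDS[ctrl])

def run_stack(stack, behaviour):
    """stack: [(control, module)]; behaviour: module -> return code for this login.
    Returns 'success', the first recorded error, or 'perm_denied' when no module
    recorded anything (libpam's must-fail case for an undecided stack)."""
    impression = status = None           # None mirrors libpam's _PAM_UNDEF
    i = 0
    while i < len(stack):
        ctrl, module = stack[i]
        rc = behaviour[module]
        actions = parse_control(ctrl)
        action = actions.get(rc, actions.get("default", "bad"))
        i += 1
        if action.isdigit():             # jump: skip N modules, record nothing
            i += int(action)
        elif action in ("ok", "done") and rc != IGNORE:
            if impression is None or (impression == "+" and status == SUCCESS):
                impression, status = "+", rc
            if action == "done" and impression == "+":
                break
        elif action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", rc
            if action == "die":
                break                    # 'ignore' falls through: nothing recorded
    return status if impression is not None else "perm_denied"

# The report's stack, the same stack without its trailing pam_permit, and Steve's.
ORIGINAL  = [("[success=1 default=ignore]", "pam_unix.so"),
             ("required", "pam_ldap.so"), ("required", "pam_permit.so")]
NO_PERMIT = ORIGINAL[:2]
SUGGESTED = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]

# Constructed module behaviours (assumed): an LDAP user with a good password,
# the same user with a bad one, and root while pam_ldap skips it via pam_min_uid.
LDAP_USER_OK   = {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": SUCCESS,  "pam_permit.so": SUCCESS}
LDAP_USER_BAD  = {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": AUTH_ERR, "pam_permit.so": SUCCESS}
ROOT_LDAP_DOWN = {"pam_unix.so": SUCCESS,      "pam_ldap.so": IGNORE,   "pam_permit.so": SUCCESS}

def verdicts():
    cases = [("ldap_ok", LDAP_USER_OK), ("ldap_bad", LDAP_USER_BAD), ("root", ROOT_LDAP_DOWN)]
    return {name: {case: run_stack(stack, beh) for case, beh in cases}
            for name, stack in [("original", ORIGINAL), ("no_permit", NO_PERMIT), ("suggested", SUGGESTED)]}
```

Dropping pam_permit from the reporter's stack turns a successful local login into perm_denied, because the success=1 jump records nothing; that is the job the final pam_permit line does, and why Steve's shorter stack does not need it.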