[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?
Marco Gaiarin
gaio at sv.lnf.it
Thu Feb 28 08:35:31 UTC 2019
A bit more than a curiosity.
Moving from Samba/NT to Samba/AD, I'm now switching some 'one-purpose'
boxes (mostly containers) from libpam-ldaps to libpam-krb5.
On these boxes I normally don't need user access, so I create 'manually'
(e.g., in /etc/passwd) only the admin users, and I add only the PAM layer
to do external auth.
I still use ssh keys for direct root access, but as an alternative ssh
access I keep the ability to log in with the domain password (and sudo).
Some of these boxes are internet-facing. So, looking at logs with the previous
setup, for a non-existent user I get:
Feb 3 04:45:47 tank sshd[18545]: Invalid user admin from 216.127.174.116
Feb 3 04:45:47 tank sshd[18545]: input_userauth_request: invalid user admin [preauth]
Feb 3 04:45:49 tank sshd[18545]: Failed password for invalid user admin from 216.127.174.116 port 2333 ssh2
while now I get:
Feb 28 07:23:16 tank sshd[28440]: Invalid user admin from 123.21.91.111
Feb 28 07:23:16 tank sshd[28440]: input_userauth_request: invalid user admin [preauth]
Feb 28 07:23:16 tank sshd[28440]: pam_krb5(sshd:auth): authentication failure; logname=admin uid=0 euid=0 tty=ssh ruser= rhost=123.21.91.111
Feb 28 07:23:18 tank sshd[28440]: Failed password for invalid user admin from 123.21.91.111 port 51911 ssh2
(clearly 'admin' is not in /etc/passwd).
So it seems to me that libpam-ldaps doesn't even try to do a login if the user
does not exist, while libpam-krb5 does.
Is there something to fear about? Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
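As an added example (not part of the post or of any Samba/PAM project), a small Python filter that correlates the two sshd log patterns quoted above by sshd PID, flagging pam_krb5 failures raised for users that sshd had already reported as invalid. The sample lines are constructed, modelled on the ones in the post; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the sshd lines quoted in the post.
# The second session (pid 28501, user 'gaio') is a constructed failure for an
# existing local user and must NOT be flagged.
SAMPLE_LOG = """\
Feb 28 07:23:16 tank sshd[28440]: Invalid user admin from 123.21.91.111
Feb 28 07:23:16 tank sshd[28440]: input_userauth_request: invalid user admin [preauth]
Feb 28 07:23:16 tank sshd[28440]: pam_krb5(sshd:auth): authentication failure; logname=admin uid=0 euid=0 tty=ssh ruser= rhost=123.21.91.111
Feb 28 07:23:18 tank sshd[28440]: Failed password for invalid user admin from 123.21.91.111 port 51911 ssh2
Feb 28 07:25:02 tank sshd[28501]: pam_krb5(sshd:auth): authentication failure; logname=gaio uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5
Feb 28 07:25:04 tank sshd[28501]: Failed password for gaio from 10.0.0.5 port 40022 ssh2
"""

# sshd reports a user absent from the local account database (NSS/passwd).
INVALID_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<host>\S+)")
# pam_krb5 reports that it actually attempted (and failed) an authentication.
KRB5_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_krb5\(sshd:auth\): authentication failure;"
    r".*\blogname=(?P<user>\S*).*\brhost=(?P<host>\S*)")


def find_krb5_attempts_for_invalid_users(log_text):
    """Return (pid, user, host) for every pam_krb5 failure that follows an
    'Invalid user' line from the same sshd process: an authentication that
    reached the Kerberos module although the user is not in /etc/passwd."""
    invalid = {}      # pid -> (user, host) from "Invalid user" lines
    findings = []
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            invalid[m["pid"]] = (m["user"], m["host"])
            continue
        m = KRB5_RE.search(line)
        if m and m["pid"] in invalid:
            findings.append((m["pid"], m["user"], m["host"]))
    return findings


def count_by_source(findings):
    """Aggregate flagged attempts per remote host, for alerting thresholds."""
    counts = defaultdict(int)
    for _pid, _user, host in findings:
        counts[host] += 1
    return dict(counts)
```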