[Samba] [OT?] Kerberos, PAM, NSS: if user does not exist, pam_krb5 try login?

Marco Gaiarin gaio at sv.lnf.it
Thu Feb 28 08:35:31 UTC 2019


A bit more than a curiosity.

Moving from Samba/NT to Samba/AD, I'm now switching some 'one-purpose'
boxes (mostly containers) from libpam-ldaps to libpam-krb5.
On these boxes I normally don't need user access, so I create 'manually'
(e.g. in /etc/passwd) only the admin users, and add only the PAM layer
to do external auth.
I still use ssh keys for direct root access, but as an alternative ssh
access I keep the ability to log in with the domain password (and sudo).


Some of these boxes are internet-facing. Looking at the logs with the
previous setup, for a non-existent user I got:

	Feb  3 04:45:47 tank sshd[18545]: Invalid user admin from 216.127.174.116
	Feb  3 04:45:47 tank sshd[18545]: input_userauth_request: invalid user admin [preauth]
	Feb  3 04:45:49 tank sshd[18545]: Failed password for invalid user admin from 216.127.174.116 port 2333 ssh2

while now I get:

	Feb 28 07:23:16 tank sshd[28440]: Invalid user admin from 123.21.91.111
	Feb 28 07:23:16 tank sshd[28440]: input_userauth_request: invalid user admin [preauth]
	Feb 28 07:23:16 tank sshd[28440]: pam_krb5(sshd:auth): authentication failure; logname=admin uid=0 euid=0 tty=ssh ruser= rhost=123.21.91.111
	Feb 28 07:23:18 tank sshd[28440]: Failed password for invalid user admin from 123.21.91.111 port 51911 ssh2

(clearly 'admin' is not in /etc/passwd).


So it seems to me that libpam-ldaps doesn't even try to do a login if the
user does not exist, while libpam-krb5 does.


Is there something to fear here? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
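One way to stop pam_krb5 from being consulted for names that do not exist locally, as an added example that is not part of the original post or of the Samba or pam-krb5 projects: gate the auth stack with pam_localuser.so (shipped with Linux-PAM), which succeeds only for users listed in /etc/passwd, exactly the set of accounts the poster creates by hand. The stack below is a simplified, assumed one (module order and control flags are illustrative, not the poster's actual common-auth); the module names pam_krb5.so, pam_unix.so and pam_localuser.so are real.

```pam
# /etc/pam.d/common-auth (auth section only; simplified, assumed stack)
#
# Stack as the poster describes the behaviour: pam_krb5 runs for every
# username sshd hands to PAM, so an unknown name such as 'admin' still
# causes a Kerberos request to the KDC and logs
# "pam_krb5(sshd:auth): authentication failure" for a user that does not exist.
#auth  sufficient  pam_krb5.so
#auth  required    pam_unix.so   try_first_pass

# Hardened: require the account to exist in /etc/passwd before any
# network authentication is attempted. pam_localuser.so returns success
# only for names found in /etc/passwd; as 'requisite', its failure ends
# the auth stack immediately, so pam_krb5.so is never reached for
# unknown users and the KDC never sees them.
auth  requisite   pam_localuser.so
auth  sufficient  pam_krb5.so
auth  required    pam_unix.so   try_first_pass
```

With the hardened stack, sshd still logs "Invalid user ..." and "Failed password for invalid user ..." for password guesses against non-existent names, but no pam_krb5 line appears and no Kerberos traffic leaves the box; the hand-created admin users still authenticate with their domain password through pam_krb5 as before. On Debian, if common-auth is managed by pam-auth-update, edit it through a pam-auth-update profile (or take the file out of management), otherwise the added line is overwritten the next time pam-auth-update runs.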


