
Bug#1036111: Priority of libpam-abl is lower than priority of libpam-krb5


Steffen Kieß

May 15, 2023, 1:10:05 PM
Package: libpam-abl
Version: 0.6.0-5+b1

The priority of libpam-abl (in /usr/share/pam-configs/abl) is 512, which
is lower than the priority of libpam-krb5 (704, see
/usr/share/pam-configs/krb5).

When both libpam-abl and libpam-krb5 are installed, the automatically
generated /etc/pam.d/common-auth will contain:

# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth required pam_abl.so config=/etc/security/pam_abl.conf
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so

This means that pam_krb5 is used first, and if it succeeds (i.e. the
user enters the correct password), pam_abl will not be invoked at all
and therefore has no chance to block the access, even if the user
previously entered the password incorrectly. (If the password is
incorrect, pam_abl will be invoked and record the failure correctly.)

A priority value of e.g. 1024 instead of 512 would fix this. However,
the priority was changed from 1024 to 512 in the past and I'm not really
sure what the reason to do this was:
https://salsa.debian.org/debian/libpam-abl/-/commit/1ee0b0ee324cd62d6d815fe44a8d3b61ab2558d0
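
The ordering problem described in the report above can be checked mechanically. The following is an added example, not part of the original report or of the libpam-abl packaging: it parses an auth stack and flags any `success=N` jump that passes over a module expected to run on every attempt. `REPORTED` is the block quoted in the report; `REORDERED` is a constructed stack that assumes pam_abl is placed first, and the function names and the `must_run` parameter are hypothetical.

```python
import re

# Constructed input: the "Primary" block quoted in the report.
REPORTED = """\
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth required pam_abl.so config=/etc/security/pam_abl.conf
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
"""

# Constructed input (assumption): the same stack with pam_abl ordered first.
REORDERED = """\
auth required pam_abl.so config=/etc/security/pam_abl.conf
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
"""

LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility, skipping comments."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0])
        if m and m.group(1).lstrip("-") == facility:
            stack.append((m.group(2), m.group(3)))
    return stack

def bypassed(text, must_run=("pam_abl.so",)):
    """List (jumping_module, skipped_module) pairs where a success=N jump
    passes over a module that is expected to run on every attempt."""
    stack = parse_stack(text)
    findings = []
    for i, (control, module) in enumerate(stack):
        m = re.search(r"\bsuccess=(\d+)\b", control)
        if not m:
            continue  # keyword controls (required, requisite, ...) never jump
        for _, skipped in stack[i + 1 : i + 1 + int(m.group(1))]:
            if skipped in must_run:
                findings.append((module, skipped))
    return findings

if __name__ == "__main__":
    for name, text in (("reported", REPORTED), ("reordered", REORDERED)):
        print(name, bypassed(text) or "pam_abl.so is not jumped over")
```

The same check can be pointed at the contents of a live /etc/pam.d/common-auth after pam-auth-update has regenerated it.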