Gentoo Archives: gentoo-security

From: Volkov Peter Alexandrovich <PVolkov@××××××××.su>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] PAM takes a long time.
Date: Thu, 08 Apr 2004 14:23:56
Message-Id: 20040408183051.6e39661a.PVolkov@mics.msu.su
In Reply to: Re: [gentoo-security] PAM takes a long time. by Paul de Vrieze
On Thu, 8 Apr 2004 15:57:03 +0200
Paul de Vrieze <pauldv@g.o> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thursday 08 April 2004 15:42, Volkov Peter Alexandrovich wrote:
> > Hi.
> >
> > I have a Samba server. I'd like to use it as a WINS server and, as this
> > computer is only a samba server, it's a good idea to make it the local
> > master browser. It's OK with the configuration of PAM, but some time after
> > the server came up users began to blame me for bad network browsing. I
> > blame PAM.
> >
> > The first sign was during ssh login. It takes a long time to connect to
> > an absolutely free server! Then during system startup, after the last
> > service starts, everything hangs for >20 seconds and only after this
> > do I see the login prompt.
> >
> > Yesterday I rebuilt the system from stage 3, and for 1 day everything
> > worked very fast (as it should) but now again this delay doesn't
> > allow users to browse in a normal way (as this computer is the local
> > master browser (NBT)).
> >
> > A little experiment to understand that it is really PAM. I've started
> > sshd -d to see what is going on. So: file-server root # sshd -d

> > As Samba uses PAM for authentication, for now I am sure that it is
> > PAM that slows down the whole windows networking.
>
> How is your pam authentication set up? What are the contents
> of /etc/pam.d/sshd, /etc/pam.d/system-auth
> and /etc/pam.d/system-auth-winbind

I did not change the contents of these files. But to be sure, here they are:
file-server etc # cat /etc/pam.d/sshd
#%PAM-1.0

auth required pam_stack.so service=system-auth
auth required pam_shells.so
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
file-server etc # cat /etc/pam.d/system-auth
#%PAM-1.0

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
file-server etc # cat /etc/pam.d/system-auth-winbind
#%PAM-1.0
# $Header: /home/cvsroot/gentoo-x86/net-fs/samba/files/system-auth-winbind,v 1.1 2002/05/06 19:57:08 woodchip Exp $

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so

account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so


> If you use system-auth-winbind, then don't use pam authentication for
> samba.

I don't know what system-auth-winbind (/etc/pam.d/system-auth-winbind?) is, so I guess I don't use it.

> Also in general using standard authentication for samba is quite
> insecure.

What are the better ways to authenticate users than the standard way?

> It seems that the problem is caused by some kind of
> authentication loop.

How can I find this loop?

______________________________________

Volkov Peter, <pvolkov@××××××××.su>
Moscow State University, Phys. Dep.
______________________________________

Linux 2.4.25 i686
Mobile Intel(R) Celeron(R) CPU 1.60GHz

--
gentoo-security@g.o mailing list
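Added example, not part of the mail above and not Gentoo's own code: the Python script below flattens a Linux-PAM service stack by following pam_stack.so service=... includes, the way the posted /etc/pam.d/sshd pulls in system-auth, and reports any include chain that re-enters a service already being resolved, which is what an "authentication loop" of the kind Paul de Vrieze suspects would look like in /etc/pam.d. The sample files are copied from the configs quoted in this message; the 'looped' and 'looped-inner' services and the BLOCKING_MODULES table (pam_winbind.so waits on winbindd, pam_ldap.so on an LDAP server) are assumptions added for illustration.

```python
"""Flatten a Linux-PAM service stack by following pam_stack.so includes.

Added example for this thread, not code from the mail or from Gentoo. PAM_D
stands in for /etc/pam.d/: 'sshd', 'system-auth' and the auth section of
'system-auth-winbind' are copied from the files posted in the mail; 'looped'
and 'looped-inner' are constructed to show what an include cycle looks like.
"""

PAM_D = {
    "sshd": """\
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_shells.so
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
""",
    "system-auth": """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
""",
    "system-auth-winbind": """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
""",
    # Constructed: two services that include each other through pam_stack.so.
    "looped": "auth required pam_stack.so service=looped-inner\n",
    "looped-inner": "auth required pam_stack.so service=looped\n",
}

# Assumption, not from the mail: modules that wait on another daemon or the
# network, so a slow or unreachable backend shows up as a slow login.
BLOCKING_MODULES = {"pam_winbind.so": "winbindd", "pam_ldap.so": "LDAP server"}


def parse(text):
    """Yield (type, control, module, args) for each non-comment line of a pam.d file."""
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        mtype = tokens[0].lstrip("-")  # a leading '-' marks an optional module
        if tokens[1].startswith("["):  # bracketed control: [success=ok default=bad ...]
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        module = rest[0].rsplit("/", 1)[-1]  # /lib/security/pam_unix.so -> pam_unix.so
        args = dict(a.split("=", 1) if "=" in a else (a, "") for a in rest[1:])
        yield mtype, control, module, args


def resolve(files, service, mtype, _chain=()):
    """Return (entries, cycles) for one management group (auth/account/...) of `service`.

    Each entry is (depth, service, control, module, args); a pam_stack.so line is
    replaced by the included service's lines one level deeper. An include that
    re-enters a service already on the chain is recorded in `cycles` instead of
    recursing forever.
    """
    if service in _chain:
        return [], [_chain + (service,)]
    chain = _chain + (service,)
    entries, cycles = [], []
    for t, control, module, args in parse(files[service]):
        if t != mtype:
            continue
        if module == "pam_stack.so" and "service" in args:
            sub_entries, sub_cycles = resolve(files, args["service"], mtype, chain)
            entries += sub_entries
            cycles += sub_cycles
        else:
            entries.append((len(chain) - 1, service, control, module, args))
    return entries, cycles


def blocking_modules(entries):
    """Modules in a flattened stack that can stall waiting on a backend."""
    return [(m, BLOCKING_MODULES[m]) for _, _, _, m, _ in entries if m in BLOCKING_MODULES]


def report(files, service):
    """All four stacks of `service`, indented by include depth, with cycles flagged."""
    out = []
    for mtype in ("auth", "account", "password", "session"):
        entries, cycles = resolve(files, service, mtype)
        out.append(f"{service}/{mtype}:")
        for depth, _, control, module, args in entries:
            opts = " ".join(k if v == "" else f"{k}={v}" for k, v in args.items())
            out.append(f"  {'  ' * depth}{control:<10} {module} {opts}".rstrip())
        out += ["  CYCLE: " + " -> ".join(c) for c in cycles]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(PAM_D, "sshd"))
    print(report(PAM_D, "looped"))
    print("blocking:", blocking_modules(resolve(PAM_D, "system-auth-winbind", "auth")[0]))
```

Run as a script it prints the resolved sshd stacks, indented so the lines that come from system-auth are visible, then the constructed cycle. The indentation matters for reading the result: pam_stack.so hands the included stack's aggregate result back to the outer line, so a `sufficient` inside system-auth ends only the inner stack, not sshd's own auth chain, and pam_shells.so and pam_nologin.so still run afterwards.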