Hi there,
I don't think it's a good idea to have an LDAP bind password in the PAM configuration file. Such a password should be in an external file and be loaded by the PAM module. The idea is that only root has access to the password file, but all users have access to the PAM configuration.
It would be nice if this could be implemented.
I've noticed that making files readable by root only works for cases like gdm, sudo, su, etc., where the program using PAM authentication can run as root; however, certain other scenarios such as cinnamon-screensaver actually run as the active user. In the case of pam_google_authenticator, if the file is not readable by the user, then cinnamon-screensaver will not be able to read it via PAM either.
While in principle I 100% agree with @keachi that no password should be openly readable, I just wanted to point out this corner case so that, if the file method is implemented, the old hardcoded way is still an option and the system admin can choose which method to use.
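A sketch of how the root-only password file requested above and the inline fallback described in the screensaver comment could fit together. This is an added example, not code from this project: it reads the bind password from a file, refuses a file that is group- or world-accessible (a lax mode is treated as a configuration error rather than a silent leak), and uses the inline value only when the file exists but the calling process cannot open it, which is the case for a screensaver running as the logged-in user. The option names bind_password_file and bind_password, the status codes, and the helper that writes a temporary secret file are assumptions made for the example.

```c
/* Added example, not the module's own code. Option names, status codes and
 * make_secret_file() are assumptions for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum pw_status {
    PW_OK = 0,        /* password obtained from the configured source */
    PW_FALLBACK = 1,  /* file unreadable by this process; inline value used */
    PW_REJECTED = 2,  /* file is group/world accessible: refused outright */
    PW_MISSING = 3    /* no usable password from either source */
};

/* Read a single-line secret from `path`. Returns 0 on success, or a negative
 * errno. A regular file with any group/other permission bits is rejected
 * with -EPERM so that a misconfigured file can never be used. */
static int read_secret_file(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;                    /* EACCES for a root-only file as a user */
    struct stat st;
    if (fstat(fd, &st) != 0) { int e = errno; close(fd); return -e; }
    if (!S_ISREG(st.st_mode) || (st.st_mode & (S_IRWXG | S_IRWXO))) {
        close(fd);
        return -EPERM;                    /* e.g. 0644: readable by everyone */
    }
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0)
        return -errno;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';     /* drop the trailing newline */
    return 0;
}

/* Resolve the bind password from bind_password_file (preferred) and
 * bind_password (inline). The inline value is used only when the file is
 * configured but this process is not allowed to open it. */
enum pw_status resolve_bind_password(const char *file, const char *inline_pw,
                                     char *out, size_t outlen)
{
    out[0] = '\0';
    if (file != NULL) {
        int rc = read_secret_file(file, out, outlen);
        if (rc == 0 && out[0] != '\0')
            return PW_OK;
        out[0] = '\0';
        if (rc == -EPERM)
            return PW_REJECTED;
        if (rc != -EACCES)
            return PW_MISSING;            /* missing or empty file is an error */
        /* -EACCES: file exists but we run unprivileged; fall through */
    }
    if (inline_pw != NULL && inline_pw[0] != '\0') {
        snprintf(out, outlen, "%s", inline_pw);
        return file != NULL ? PW_FALLBACK : PW_OK;
    }
    return PW_MISSING;
}

/* Demo/test helper (assumed): write `content` to a fresh temp file with the
 * given mode and return its path in `path`; the caller unlinks it. */
int make_secret_file(char *path, size_t pathlen, const char *content, mode_t mode)
{
    snprintf(path, pathlen, "/tmp/bindpw.XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, content, strlen(content)) < 0 || fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char path[64], pw[128];
    if (make_secret_file(path, sizeof path, "s3cret\n", 0600) != 0)
        return 1;
    enum pw_status s = resolve_bind_password(path, "inline-fallback", pw, sizeof pw);
    printf("0600 file -> status %d, password \"%s\"\n", s, pw);
    chmod(path, 0644);
    s = resolve_bind_password(path, "inline-fallback", pw, sizeof pw);
    printf("0644 file -> status %d, password \"%s\" (rejected)\n", s, pw);
    unlink(path);
    return 0;
}
```

When the module runs as root (gdm, sudo, su) the file is read and the inline value is never consulted; when it runs as the active user (the screensaver case) open() fails with EACCES and the inline value is used, which is exactly the trade-off the admin opts into by configuring both. A file with lax permissions is refused in both situations rather than quietly used.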
As long as the bind account has no permissions other than listing, it does relatively little harm letting an unprivileged user see it, as their account probably has the same permissions already.
FYI I mitigated this somewhat in #172 by adding the ability to bind as the user logging in instead of a service account. I know it doesn't solve your initial problem but it does potentially allow eliminating the need for a password there at all.