1

I am responsible for a couple of servers at my university. All of these machines are configured to talk to the LDAP server of my departement to allow centralised user logins. On this LDAP server there is a user named root:

# getent passwd | grep root root:x:0:0:root:/root:/bin/bash root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false

Recently, I ran into issues with the root account on one of the servers I am responsible for: My SSH connection attempt was successfully authenticated against the local root user, but the home directory was taken from the LDAP as /home/root. In addition I found out that one can authenticate as root with the LDAP's root credentials on any server, i.e., if authentication against the local root fails, the LDAP root is tried and, given the password is correct, the user is logged in as superuser.

I believe this is not very secure and the ambiguity of the two root accounts should be removed. However, according to our IT department, the LDAP root is necessary.

How can I filter out the root account from LDAP to disallow authentication with it? I am using pam_ldap.so and also some ldap directives in /etc/nsswitch.conf.

Improve this question

1 Answer 1

Reset to default
2

There are many ways, here are a couple of easy ones:

  • in /etc/ssh/sshd_config change PermitRootLogin to no (this is usually a good idea, then rely on su/sudo for administration). This affects SSH only of course.
  • in the various PAM configuration files use the pam_listfile module to explicitly allow or deny certain accounts (needs to be done for each service)
  • in the various PAM configuration files configure the pam_ldap module pam_min_uid to 1 (or higher) so that root cannot log in (needs to be done for each service)
  • amend the PAM LDAP search filter (pam_filter) to either exclude users (e.g. pam_filter (uidNumber>=1), or you may be able to amend the base/scope

Either of the last two might be the best fit for you. You may also need to make some adjustments to the local PAM configuration so that a local root account via pam_unix can succeed if pam_ldap fails it (e.g. ordering and required/requisite/sufficient).

Improve this answer
3
  • Hi, thank you for pointing out different ways. The first is not really sufficient, because su root is affected with the same problem. But I'll try the other ones. Commented Oct 15, 2014 at 11:06
  • 1
    The only thing I'd like to add is in /etc/lapd.conf you can filter out through nss_initgroups_ignoreusers section Commented Oct 15, 2014 at 11:06
  • Thank you. A 6th option is to append the filder mentioned by mr.spuratic to the nss_base_passwd and nss_base_shadow lines in /etc/ldap/ldap.conf and /etc/libnss-ldap.conf. Commented Oct 15, 2014 at 13:11

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.