10-18-2013 08:01 AM
After the major incident where we couldn't log in through the MP as root or as any local user, because the LDAP server (389-ds) hung (SYN attack) and then the HP-UX process ldapclientd hung as well, we had to "RS" the server in the end... Right now I am still fighting with "how can we avoid this next time the LDAP server/ldapclientd goes bad".
I got a hint that we can change "auth" in pam.conf, so no matter how crazy ldapclientd goes, local logins stay available.
I will change something in the original HP-UX 11.31 pam.ldap, and after that I will use it as pam.conf.
1) I change "required" to "sufficient" so libpam_ldap will not be called if libpam_unix succeeds:
rcomds auth required libpam_hpsec.so.1
rcomds auth sufficient libpam_unix.so.1
rcomds auth sufficient libpam_ldap.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_unix.so.1
sshd auth sufficient libpam_ldap.so.1 try_first_pass
2) But "auth" might not be enough: when you log in, the OS will check which tty you use (session realm), whether your password has expired (password realm) and whether this is a local account (account realm). So I think we need to modify the other realms as well:
su account required libpam_hpsec.so.1
su account sufficient libpam_unix.so.1
su account sufficient libpam_ldap.so.1
Is this OK?
I attach hereby the original HP-UX pam.ldap and my new pam.conf. I have tested it on one server and it works for both local and LDAP login. I can't simulate the SYN attack (using scapy) again, so I don't really know whether we can log in as root through the MP if this happens again.
Is pam.conf.MY correct, or is there anything else I have overlooked? Does replacing "required" have any drawbacks?
Please help, thanks
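The stack semantics the post relies on, as an added example that is not part of the original post or of HP's pam.conf: a Python simulation of how a PAM stack combines module results under the Linux-PAM/Solaris-style control flags (required, requisite, sufficient). Everything in it is constructed: the module functions are stubs (libpam_hpsec is assumed to report success, libpam_ldap is assumed to pass over users it does not know, deny_stub.so is an invented always-fail guard in the role Linux-PAM's pam_deny.so plays), the user records are made up, and ldap_hung stands in for slapd being stopped so that the lookup times out instead of blocking. It shows that with libpam_unix sufficient a local password match returns before libpam_ldap is consulted, that a required libpam_ldap blocks the local login when the directory is down, and the drawback the post asks about: once the only required module has succeeded, a stack of sufficient modules that all fail still returns success under these semantics, unless a required module closes the stack.

```python
"""Added example, not from the post or from HP: a simulator of PAM stack
evaluation under Linux-PAM/Solaris-style control-flag semantics.  The module
functions are constructed stubs; ldap_hung=True models slapd stopped with
kill -STOP so that the directory lookup times out."""
from typing import Callable, Dict, List, Tuple

PAM_SUCCESS, PAM_IGNORE = "PAM_SUCCESS", "PAM_IGNORE"
PAM_AUTH_ERR, PAM_USER_UNKNOWN = "PAM_AUTH_ERR", "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"   # a timed-out directory, in this model

Module = Callable[[str, str], str]
Entry = Tuple[str, str, str, str]               # (service, realm, control, module)


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse pam.conf lines: service realm control module [options...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            service, realm, control, module, *_opts = line.split()   # options ignored here
            entries.append((service, realm, control.lower(), module))
    return entries


def evaluate(entries: List[Entry], service: str, realm: str,
             modules: Dict[str, Module], user: str, pw: str) -> Tuple[str, List[str]]:
    """Walk one service/realm stack; return (final status, modules consulted).
    required: failure is remembered, the stack runs on.  requisite: failure ends the stack.
    sufficient: success ends the stack unless a required module already failed;
    failure is ignored.  PAM_IGNORE: as if the module were not listed."""
    required_failure, any_success, last_failure, consulted = None, False, None, []
    for svc, rlm, control, module in entries:
        if svc != service or rlm != realm:
            continue
        rc = modules[module](user, pw)
        consulted.append(module)
        if rc == PAM_IGNORE:
            continue
        if rc == PAM_SUCCESS:
            any_success = True
            if control == "sufficient" and required_failure is None:
                break
            continue
        last_failure = rc
        if control == "requisite":
            return rc, consulted
        if control == "required" and required_failure is None:
            required_failure = rc
    if required_failure is not None:
        return required_failure, consulted
    return (PAM_SUCCESS if any_success else last_failure or PAM_AUTH_ERR), consulted


LOCAL_USERS = {"root": "r00t-only"}    # constructed stand-in for /etc/passwd + /etc/shadow
LDAP_USERS = {"alice": "al1ce-ldap"}   # constructed stand-in for the 389-ds directory


def build_modules(ldap_hung: bool) -> Dict[str, Module]:
    def hpsec(user, pw):          # assumption: the security-extension module reports success
        return PAM_SUCCESS
    def unix(user, pw):
        if user not in LOCAL_USERS:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if LOCAL_USERS[user] == pw else PAM_AUTH_ERR
    def ldap(user, pw):
        if ldap_hung:
            return PAM_AUTHINFO_UNAVAIL
        if user not in LDAP_USERS:
            return PAM_IGNORE     # assumption: non-directory users are passed over
        return PAM_SUCCESS if LDAP_USERS[user] == pw else PAM_AUTH_ERR
    def deny(user, pw):           # constructed always-fail guard (Linux-PAM has pam_deny.so)
        return PAM_AUTH_ERR
    return {"libpam_hpsec.so.1": hpsec, "libpam_unix.so.1": unix,
            "libpam_ldap.so.1": ldap, "deny_stub.so": deny}


# The post's stack: a local password match ends the stack before libpam_ldap is consulted.
CONF_SUFFICIENT = """
sshd auth required   libpam_hpsec.so.1
sshd auth sufficient libpam_unix.so.1
sshd auth sufficient libpam_ldap.so.1 try_first_pass
"""
# Constructed contrast for the local-account case: every module, including libpam_ldap,
# must answer, so the login waits for the directory.
CONF_REQUIRED = """
sshd auth required   libpam_hpsec.so.1
sshd auth required   libpam_unix.so.1
sshd auth required   libpam_ldap.so.1 try_first_pass
"""
# The post's stack plus a trailing required guard, so "every sufficient module failed" is a denial.
CONF_GUARDED = CONF_SUFFICIENT + "sshd auth required   deny_stub.so\n"


def login(conf: str, user: str, pw: str, ldap_hung: bool) -> Tuple[str, List[str]]:
    return evaluate(parse_pam_conf(conf), "sshd", "auth", build_modules(ldap_hung), user, pw)


if __name__ == "__main__":
    for name, conf in (("sufficient", CONF_SUFFICIENT), ("required", CONF_REQUIRED), ("guarded", CONF_GUARDED)):
        for user, pw, hung in (("root", "r00t-only", True), ("root", "wrong", True), ("alice", "al1ce-ldap", False)):
            print(f"{name:10} {user:5} {pw:10} ldap_hung={hung!s:5} -> {login(conf, user, pw, hung)}")
```

The result that matters most here is the one for a wrong root password on the all-sufficient stack: in this model it is PAM_SUCCESS, because the only required module (the hpsec stub) succeeded and the failures of sufficient modules are ignored. Whether HP-UX's libpam_hpsec result counts as a success in that sense, and whether HP-UX ships a module that can play the deny_stub.so role, is not something a simulation can settle; the check worth running on the real box, with slapd stopped as in the follow-up post, is a root login with a wrong password against the all-sufficient stack.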
03-02-2014 07:21 AM
Thanks to HP, the problem is solved by using a new pam.conf and pam_user.conf; the key is pam_user.conf, which allows root/local users to log in from the MP when LDAP hangs.
The attachments are for 11.23/11.31 with TCB and 11.31 with /etc/shadow (the last one is the original file from the HP OS).
NB: if you don't use pam access, please remove the "libpam_authz.so.1" lines.
Yes, I surrender on learning how to understand PAM in depth; my logic doesn't work there. I leave it now to Brian at HP :-)
Thanks very much
PS: I used "kill -STOP <slapd PID>" to simulate the hang (-CONT to continue); tip from HP.
PS2: the "search time limit" is set to 6s in the HP profile on the 389-ds server.