On Sat, 2014-07-05 at 15:40 -0700, Peter Mairhofer wrote:
> Irregularly, I find very strange, non-normal and possibly
> security-problem indicating messages in my syslog, e.g.:
>
> nslcd[3338]: [16ec34] <passwd="pam_unix(sshd:auth"> request denied by
> validnames option
The "request denied by validnames option" message indicates that some process has requested information on a username that has a name that should not be valid in the first place. These messages do not necessarily point to a security issue (certainly not in nslcd) and can be seen during normal operation. From the posted log messages it seems that some log parsing function is checking to see if certain parts of a log message refer to a known username (I remember seeing that before, even recursively triggering lookups on nslcd log messages). If you run nslcd in debug mode (start nslcd with -d) you should be able to find out which process performs these requests.

> nslcd[26547]: [180b0b] <passwd="peter"> ldap_search_ext() failed: Can't
> contact LDAP server: Broken pipe
> nslcd[26547]: [180b0b] <passwd="peter"> no available LDAP server found,
> sleeping 1 seconds
>
> nslcd[26547]: [3dd3e8] <passwd="mark"> ldap_result() failed: Can't contact
> LDAP server
> nslcd[26547]: [3dd3e8] <passwd="mark"> ldap_abandon() failed to abandon
> search: Can't contact LDAP server: Transport endpoint is not connected
> nslcd[26547]: [c91298] <service="smtp"/tcp> ldap_result() failed: Can't
> contact LDAP server
>
> nslcd[26547]: [584bcb] <group/member="mark"> ldap_search_ext() failed: Can't
> contact LDAP server: Broken pipe
> nslcd[26547]: [584bcb] <group/member="mark"> no available LDAP server found,
> sleeping 1 seconds

These messages indicate some problem with contacting the LDAP server. When the error occurs on ldap_search_ext() it is generally when starting a new search, on ldap_result() it means that it happens while fetching results.
> I think it could be related to a possibly non-standard PAM
> configuration, therefore I also post my common-auth:
>
> auth sufficient pam_unix.so nullok_secure
> auth sufficient pam_ldap.so use_first_pass
> auth requisite pam_pwdfile.so pwdfile /etc/passwd.opie
> auth sufficient pam_opie.so
> auth required pam_deny.so
>
> Interestingly the problems seem to be gone if I remove pam_opie and
> revert to the standard config.
>
> To conclude, I think the issue appears when you use nslcd, pam_ldap
> AND an additional module (such as pam_opie or pam_otpw) together.

If you have a scenario that reasonably reliably triggers this problem I will try to reproduce this issue. The process that triggers it (output from nslcd -d) and circumstances that cause it (messages happen on login, from cron job, etc.) would help.

Thanks,

-- 
arthur - adej...@debian.org - http://people.debian.org/~adejong
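As an added example that is not part of this thread and not nslcd's own code: a small Python parser that reads syslog lines of the shape quoted above, groups them by nslcd request id, and separates "request denied by validnames option" messages (which record the name that was rejected, so you can see whether something is looking up log fragments as usernames) from the LDAP connectivity failures, using the distinction in the reply between ldap_search_ext() (starting a new search) and ldap_result() (fetching results). The line-format regular expressions are an assumption derived from the quoted messages, and the one sshd line in the sample input is constructed.

```python
import re
from collections import defaultdict

# Assumed line shape, derived from the messages quoted in the thread
# (this is not nslcd's own grammar):
#   nslcd[PID]: [REQUEST_ID] <LOOKUP_KEY> MESSAGE
LINE_RE = re.compile(
    r'^nslcd\[(?P<pid>\d+)\]: \[(?P<req>[0-9a-f]+)\] <(?P<key>[^>]*)> (?P<msg>.*)$'
)
# LOOKUP_KEY looks like passwd="peter", group/member="mark" or service="smtp"/tcp
KEY_RE = re.compile(r'^(?P<map>[\w/]+)="(?P<value>[^"]*)"(?P<extra>.*)$')

# Where in the LDAP conversation a failing call sits (ldap_search_ext and
# ldap_result as explained in the reply; ldap_abandon from the message text).
PHASE = {
    'ldap_search_ext': 'starting a new search',
    'ldap_result': 'fetching results',
    'ldap_abandon': 'abandoning a search',
}


def classify(msg):
    """Bucket a message into the two failure classes discussed in the thread."""
    if 'request denied by validnames option' in msg:
        return 'validnames-denied'
    if "Can't contact LDAP server" in msg or 'no available LDAP server found' in msg:
        return 'ldap-unreachable'
    return 'other'


def failing_call(msg):
    """Name of the libldap call reported as failed, e.g. 'ldap_result', or None."""
    m = re.match(r'(\w+)\(\) failed', msg)
    return m.group(1) if m else None


def parse_line(line):
    """Parse one syslog line; return a dict, or None for lines not from nslcd."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key = m.group('key')
    km = KEY_RE.match(key)
    rec = {
        'pid': int(m.group('pid')),
        'request': m.group('req'),
        'map': km.group('map') if km else key,       # passwd, group/member, service
        'value': km.group('value') if km else None,  # the name being looked up
        'message': m.group('msg'),
    }
    rec['category'] = classify(rec['message'])
    rec['call'] = failing_call(rec['message'])
    rec['phase'] = PHASE.get(rec['call'])
    return rec


def summarize(lines):
    """Group nslcd lines by request id and tally the failure classes.

    Returns {'by_request': {id: [records]}, 'counts': {category: n},
             'denied_names': [values rejected by the validnames option]}.
    """
    by_request = defaultdict(list)
    counts = defaultdict(int)
    denied_names = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_request[rec['request']].append(rec)
        counts[rec['category']] += 1
        if rec['category'] == 'validnames-denied':
            denied_names.append(rec['value'])
    return {'by_request': dict(by_request), 'counts': dict(counts),
            'denied_names': denied_names}


# Sample input: the nslcd lines quoted in the thread (re-joined where the
# mail wrapped them) plus one constructed sshd line to show that non-nslcd
# input is skipped.
SAMPLE_LOG = '''\
nslcd[3338]: [16ec34] <passwd="pam_unix(sshd:auth"> request denied by validnames option
sshd[3337]: Accepted publickey for peter from 192.0.2.10 port 51234 ssh2
nslcd[26547]: [180b0b] <passwd="peter"> ldap_search_ext() failed: Can't contact LDAP server: Broken pipe
nslcd[26547]: [180b0b] <passwd="peter"> no available LDAP server found, sleeping 1 seconds
nslcd[26547]: [3dd3e8] <passwd="mark"> ldap_result() failed: Can't contact LDAP server
nslcd[26547]: [3dd3e8] <passwd="mark"> ldap_abandon() failed to abandon search: Can't contact LDAP server: Transport endpoint is not connected
nslcd[26547]: [c91298] <service="smtp"/tcp> ldap_result() failed: Can't contact LDAP server
nslcd[26547]: [584bcb] <group/member="mark"> ldap_search_ext() failed: Can't contact LDAP server: Broken pipe
nslcd[26547]: [584bcb] <group/member="mark"> no available LDAP server found, sleeping 1 seconds
'''

if __name__ == '__main__':
    report = summarize(SAMPLE_LOG.splitlines())
    print('counts:', report['counts'])
    print('names rejected by validnames:', report['denied_names'])
    for req, recs in report['by_request'].items():
        for r in recs:
            where = f" while {r['phase']}" if r['phase'] else ''
            print(f"[{req}] {r['map']}={r['value']!r}: {r['category']}{where}")
```

Feeding real syslog output through summarize() (for example `grep nslcd /var/log/syslog`) shows at a glance whether the noise is rejected lookup names, which points at whatever process is running those lookups (nslcd -d names it), or connection errors, which point at the LDAP server or the network path to it rather than at the PAM stack.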