[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: LDAP breaks kcheckpass when not setuid root (#298148)

On Fri, May 04, 2007 at 11:51:02PM +0200, Petter Reinholdtsen wrote:
> Yes, pam is needed to do proper authentication (password checking),
> and nss is needed to find information about users and groups.  Yes,
> you can use nss to find password hashes and authenticate locally after
> fetching the hash using LDAP, but it is a very bad idea, as you really
> want to avoid password hashes from leaving your LDAP server.

Nah, what you really want is to avoid password hashes *entering* your LDAP
server.  Kerberos FTW.


> nss-ldap on the other hand do not send any passwords, it only fetches
> information from the LDAP server, and it does it fairly often, so you
> do not want the overhead of encryption there, and you also want to
> make sure nscd is running to cache any search results to reduce the
> amount of LDAP trafic needed.

You may not want encryption, but almost anywhere that you would care about
encryption to protect the privacy of your passwords you should also care
about cryptographic signing ensuring the integrity of the NSS data being
sent to you by the server, to protect against network MITM attacks.  The
easiest way to accomplish this is to use SSL for all your LDAP connections.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Reply to: