[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: root password is not stored in /etc/cipux/

Christian Kuelker skrev:
> Dear Petter Reinholdtsen,
> On Tuesday 12 December 2006 09:57, you wrote:
>> [Christian Kuelker]
>>> pere suggest to use some cookie based method for avoid the storeage
>>> of the root password in /etc/cipux.
>> Here is a misunderstanding.  The problem to solve is the fact that the
>> LDAP admin password is stored on disk.  The fact that it is the same
>> as the system root password is a minor implementation detail. 
> No that it not minor. Because that made it in clear text the same.
>> Neither password should be stored on disk. 
> Well in principal yes.
> I would not store the (posix) root password on disk.  
> I would store the database password, because to let this in
> the hand of teachers is even more dangerous.
>> I suspect the rest of your message 
>> would be different if you base it on the fact that the problem is
>> storing the LDAP admin password on disk, so I will skip commenting the
>> rest of your email.
> No I was aware that you know the difference. But I want to make it clear.
> But why you store the cn=smbadmin in clear text on disk? Which is again the 
> root password.

no, it's not.

the password for smbadmin is generated (and never displayed) during the
The user is allowed to generate machine accounts, and to add/update
samba entries on a normal user account. The password is readable by root
when you use it with tdbdump I think.

It might be possible to create an posix account with userid 0 using this
password (under ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no), it
should be impossible to set a shadow password for the user using the
smbadmin password. When I think of it, it might be possible to use the
newly created account  with userid 0 the store a ssh-public key, and by
that log into the server. I have newer tried, though. If I do have root
access on the main server, it would be much easier to temporary set a
new ldap admin password, and create the account that way...

Finn-Arne Johansen
faj@bzz.no http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642

Reply to: