Re: root password is not stored in /etc/cipux/
Christian Kuelker skrev:
> Dear Petter Reinholdtsen,
>
> On Tuesday 12 December 2006 09:57, you wrote:
>> [Christian Kuelker]
>>
>>> pere suggest to use some cookie based method for avoid the storeage
>>> of the root password in /etc/cipux.
>> Here is a misunderstanding. The problem to solve is the fact that the
>> LDAP admin password is stored on disk. The fact that it is the same
>> as the system root password is a minor implementation detail.
>
> No that it not minor. Because that made it in clear text the same.
>
>> Neither password should be stored on disk.
>
> Well in principal yes.
>
> I would not store the (posix) root password on disk.
> I would store the database password, because to let this in
> the hand of teachers is even more dangerous.
>
>> I suspect the rest of your message
>> would be different if you base it on the fact that the problem is
>> storing the LDAP admin password on disk, so I will skip commenting the
>> rest of your email.
>
> No I was aware that you know the difference. But I want to make it clear.
>
> But why you store the cn=smbadmin in clear text on disk? Which is again the
> root password.
no, it's not.
the password for smbadmin is generated (and never displayed) during the
installation.
The user is allowed to generate machine accounts, and to add/update
samba entries on a normal user account. The password is readable by root
when you use it with tdbdump I think.
It might be possible to create an posix account with userid 0 using this
password (under ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no), it
should be impossible to set a shadow password for the user using the
smbadmin password. When I think of it, it might be possible to use the
newly created account with userid 0 the store a ssh-public key, and by
that log into the server. I have newer tried, though. If I do have root
access on the main server, it would be much easier to temporary set a
new ldap admin password, and create the account that way...
--
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
Reply to: