
Re: root password is not stored in /etc/cipux/



Christian Kuelker skrev:
> Dear Petter Reinholdtsen,
> 
> On Tuesday 12 December 2006 09:57, you wrote:
>> [Christian Kuelker]
>>
>>> pere suggests using some cookie-based method to avoid the storage
>>> of the root password in /etc/cipux.
>> Here is a misunderstanding.  The problem to solve is the fact that the
>> LDAP admin password is stored on disk.  The fact that it is the same
>> as the system root password is a minor implementation detail. 
> 
> No, that is not minor, because it makes it the same in clear text.
> 
>> Neither password should be stored on disk. 
> 
> Well, in principle yes.
> 
> I would not store the (posix) root password on disk.
> I would store the database password, because to put this in
> the hands of teachers is even more dangerous.
> 
>> I suspect the rest of your message 
>> would be different if you base it on the fact that the problem is
>> storing the LDAP admin password on disk, so I will skip commenting the
>> rest of your email.
> 
> No, I was aware that you know the difference. But I want to make it clear.
> 
> But why do you store cn=smbadmin in clear text on disk? Which is again the
> root password.

No, it's not.

The password for smbadmin is generated (and never displayed) during the
installation.
The user is allowed to generate machine accounts, and to add/update
samba entries on a normal user account. The password is readable by root
when you use it with tdbdump, I think.

It might be possible to create a posix account with userid 0 using this
password (under ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no), but it
should be impossible to set a shadow password for the user using the
smbadmin password. When I think of it, it might be possible to use the
newly created account with userid 0 to store an ssh public key, and by
that log into the server. I have never tried, though. If I do have root
access on the main server, it would be much easier to temporarily set a
new ldap admin password, and create the account that way...

-- 
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
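The escalation path Finn-Arne speculates about above (smbadmin creating a posixAccount with uidNumber 0 under ou=Machines and attaching an ssh public key to it) is something an admin can at least check for in the directory. The script below is an added example, not code from this thread or from CipUX/Skolelinux: it parses an LDIF export offline and flags (a) posixAccount entries with uidNumber 0 whose DN is not the real root entry and (b) machine-account entries that carry an sshPublicKey. The ou=Machines DN is taken from the mail; the root DN, the attribute names (uidNumber, sshPublicKey, objectClass posixAccount) and the sample LDIF are assumptions constructed for the example.

```python
"""Audit an LDIF export for uid-0 accounts outside the root entry and for
SSH keys on machine accounts.

Added example, not code from the thread or from CipUX/Skolelinux.
Assumptions: attribute names uidNumber / sshPublicKey / objectClass
posixAccount, the root DN below, and the constructed sample LDIF.
"""

# Base DN and machines OU taken from the thread; ROOT_DN is an assumption.
MACHINES_OU = "ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no"
ROOT_DN = "uid=root,ou=People,dc=skole,dc=skolelinux,dc=no"

# Constructed sample: one legitimate root, one normal machine account,
# and one machine account that looks like the escalation path described.
SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
uid: root
uidNumber: 0
gidNumber: 0

dn: uid=pc01$,ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
objectClass: sambaSamAccount
uid: pc01$
uidNumber: 20001
gidNumber: 515

dn: uid=evil$,ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
objectClass: ldapPublicKey
uid: evil$
uidNumber: 0
gidNumber: 0
sshPublicKey: ssh-rsa AAAAB3Nza... attacker@example
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attr_lower: [values]}).
    Handles folded lines (leading space); does not decode base64 (::) values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries = []
    current_dn, attrs = None, {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line == "":
            if current_dn is not None:
                entries.append((current_dn, attrs))
            current_dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current_dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def audit(entries):
    """Return (finding, dn) tuples for the two conditions described above."""
    findings = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        uid_numbers = attrs.get("uidnumber", [])
        if ("posixaccount" in classes and "0" in uid_numbers
                and dn.lower() != ROOT_DN.lower()):
            findings.append(("uid0-not-root", dn))
        if dn.lower().endswith(MACHINES_OU.lower()) and attrs.get("sshpublickey"):
            findings.append(("ssh-key-on-machine-account", dn))
    return findings


def audit_ldif(text):
    """Convenience wrapper: LDIF text in, findings out."""
    return audit(parse_ldif(text))


if __name__ == "__main__":
    for kind, dn in audit_ldif(SAMPLE_LDIF):
        print(f"{kind}: {dn}")
```

In practice the LDIF would come from something like an ldapsearch of the whole tree run as the directory admin, and the two findings would also be worth turning into ACL tests: whether the smbadmin bind can actually write uidNumber and sshPublicKey under ou=Machines at all.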


