Re: NFS, password transparency, and security
On Mon, Apr 08, 2002 at 08:23:17AM +0300, Sami Haahtinen wrote:
> On Sun, Apr 07, 2002 at 08:14:26PM -0700, Luca Filipozzi wrote:
> > Two choices (I like lists :) ):
> >
> > (1) use libpam-ldap:
>
> I recommend this.
I also recommend this.
> > (2) don't use libpam-ldap:
> > You don't have to use libpam-ldap. You could just use
> > libnss-ldap and have the ldap server transfer the password
> > hashes to the workstations in the clear ... which is equivalent
> > to NIS. You could also use libnss-ldap with SSL/TLS so that the
> > hashes are transferred more securely (equivalent to NIS+).
>
> I don't recommend the above to anyone (do as I say, not as I do.. =). It
> will cause problems: you are forced to enter the database access
> password in the configuration, which you will then need to make readable
> to root, which in turn forces you to use nscd.
No, you don't. You can set the ACLs in slapd.conf for userPassword to
'by * read'. Sure, it's not a good choice. That's why I said that it
is the equivalent of NIS.
> This also allows crackers to access your userbase, unlike libpam-ldap,
> where you are not forced to allow userPassword read access to the
> database. The cracker just needs to hack this machine, read the password
> from the config and voila, ur nt3w0rk has been 0wn3d!
You don't need to put a binddn/bindpw into libnss-ldap if you make
userPassword readable by all. libnss-ldap can bind anonymously. It's
NIS-equivalent, however, so if the hashes are weak based on weak
passwords, a dictionary attack is possible (just like NIS).
Also, if you were to use a binddn/bindpw, you wouldn't use the
rootdn/rootpw.
Note for non-LDAP folk: userPassword is the hashed password, not the
cleartext password.
Luca
--
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E 09C1 3573 32C4 5A82 7A2D
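[Added illustration, not part of the original thread: the two slapd.conf ACL styles the reply above contrasts, the NIS-equivalent one and the libpam-ldap one. The suffix DN is an assumed placeholder; in slapd.conf the first matching "access to" clause wins, so the userPassword clause has to come before the catch-all.]

```conf
# --- Option (2), NIS-equivalent: libnss-ldap binds anonymously and
# reads the hashes, so no binddn/bindpw is needed in ldap.conf.
# Weak: anyone who can reach slapd can pull every hash and run a
# dictionary attack against the weak ones, exactly as with NIS.
access to attrs=userPassword
        by * read

access to *
        by * read

# --- Option (1), libpam-ldap: the hash is never handed out.
# "auth" lets a client bind (slapd compares the password itself),
# "self write" lets users change their own password, "* none"
# denies everything else, including anonymous and other users.
# libnss-ldap still gets uid/gid/homeDirectory etc. from the
# catch-all clause, which deliberately does not cover userPassword.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by * read
```

With the second ACL set, a bind as the directory's rootdn is never required from workstations; if a read-only binddn is used at all, it should be an ordinary entry under the assumed suffix, not the rootdn/rootpw, as the reply above says.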
- References:
- NFS, password transparency, and security
- From: Rob VanFleet <rvf@linux.wku.edu>
- Re: NFS, password transparency, and security
- From: Luca Filipozzi <lfilipoz@debian.org>
- Re: NFS, password transparency, and security
- From: Rob VanFleet <rvf@linux.wku.edu>
- Re: NFS, password transparency, and security
- From: Luca Filipozzi <lfilipoz@debian.org>
- Re: NFS, password transparency, and security
- From: ressu@ressukka.net (Sami Haahtinen)