
Re: NFS, password transparency, and security



On Mon, Apr 08, 2002 at 08:23:17AM +0300, Sami Haahtinen wrote:
> On Sun, Apr 07, 2002 at 08:14:26PM -0700, Luca Filipozzi wrote:
> > Two choices (I like lists :) ):
> > 
> > (1) use libpam-ldap:
> 
> i recommend this.

I also recommend this.

> > (2) don't use libpam-ldap:
> >     You don't have to use libpam-ldap.  You could just use
> >     libnss-ldap and have the ldap server transfer the password
> >     hashes to the workstations in the clear ... which is equivalent
> >     to NIS.  You could also use libnss-ldap with SSL/TLS so that the
> >     hashes are transferred more securely (equivalent to NIS+).
> 
> i don't recommend the above to anyone (do as i say, not as i do.. =) it
> will cause problems, you are forced to enter the database access
> password to the configuration, which you will then need to make readable
> to root, which in turn forces you to use nscd.

No, you don't.  You can set the ACLs in slapd.conf for userPassword to
'by * read'.  Sure, it's not a good choice.  That's why I said that it
is the equivalent of NIS.

> this also allows crackers to access your userbase, unlike libpam-ldap,
> where you are not forced to allow userpassword read access to the
> database. The cracker just needs to hack this machine, read the password
> from config and voila, ur nt3w0rk has been 0wn3d!

You don't need to put a binddn/bindpw into libnss-ldap if you make
userPassword readable by all.  libnss-ldap can bind anonymously.  It's
NIS-equivalent, however, so if the hashes are weak based on weak
passwords, a dictionary attack is possible (just like NIS).

Also, if you were to use a binddn/bindpw, you wouldn't use the
rootdn/rootpw.

Note for non-LDAP folk: userPassword is the hashed password, not the
cleartext password.

Luca

-- 
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D
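The two configurations discussed above, side by side, as an added example that is not part of the original message: an OpenLDAP slapd.conf ACL fragment with the NIS-equivalent "by * read" setting on userPassword, followed by the stricter setting that libpam-ldap works with (clients may bind as the user but never read the hash) and a dedicated low-privilege read account for libnss-ldap instead of the rootdn. The suffix dc=example,dc=com and the cn=nss-reader account are assumptions, not values from the thread.

```conf
# Added example (not from the message above). The DNs below are assumptions.

# (A) NIS-equivalent: any client, including anonymous binds, can read the
# userPassword hashes. libnss-ldap then needs no binddn/bindpw, but anyone
# who can reach the server can pull the hashes and run a dictionary attack
# against accounts with weak passwords.
access to attrs=userPassword
        by self write
        by * read

# (B) What libpam-ldap relies on: nobody can read the hashes. The "auth"
# level lets a client attempt a simple bind as the user (how libpam-ldap
# verifies a password) without being able to read the stored value.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# libnss-ldap only needs passwd/group attributes, so it binds as a
# dedicated read-only account rather than the rootdn. Stanzas are
# evaluated in order, so this one never exposes userPassword.
access to *
        by dn="cn=nss-reader,dc=example,dc=com" read
        by self read
        by users read
        by * none
```

With (B), the cn=nss-reader credential is the binddn/bindpw that goes into the client's libnss-ldap configuration; it is deliberately not the rootdn/rootpw, so a compromised workstation yields at most directory read access, not write access to the whole tree. Rotating that one password invalidates the client without touching the directory administrator account.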

