Re: pam_password exop
- To: firstname.lastname@example.org
- Subject: Re: pam_password exop
- From: Guillaume Rousse <email@example.com>
- Date: Wed, 12 Sep 2012 17:26:24 +0200
- In-reply-to: <OF89B9595C.C5C407B9-ONC1257A77.004F6F73-C1257A77.00525CCB@degroof.be>
- References: <OF89B9595C.C5C407B9-ONC1257A77.004F6F73-C1257A77.00525CCB@degroof.be>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120909 Thunderbird/15.0.1
On 12/09/2012 16:59, firstname.lastname@example.org wrote:
> Does this mean that the password is sent in clear to the ldap server then
> hashed over there? It looks like a huge security flaw...
I wouldn't be so affirmative.
First, by externalising confidentiality support on the transport layer,
you're building on a known and proved protocol, instead of reinventing
Second, sending password hashes in cleartext wouldn't qualify as good
security practice either...
If you're concerned about the network traffic between your ldap server
and clients, absolutely. If they are both on a private admin-only
network, for instance, it would not be so necessary.
> I've used tcpdump and unfortunately my password appears clearly...
> using does imply enabling TLS?
You can easily make encryption usage mandatory for accessing the
password attribute (and other similar sensitive ones) using ACLs. For

    # ssf=56: a clause only matches when the connection's security
    # strength factor (TLS or SASL) is at least 56
    access to dn.subtree="dc=exemple,dc=comfr" attrs=userPassword
        by self ssf=56 write
        by anonymous ssf=56 auth
        by * none

It does not prevent an unsuspecting user from sending their password in
cleartext, but it makes it useless, so largely less likely to appear in
BOFH excuse #221:
The mainframe needs to rest. It's getting old, you know.
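The ACL above works because slapd skips a "by" clause whose ssf= requirement the connection does not meet, so a cleartext connection falls through to "by * none". The following Python model of that evaluation, run over the three quoted clauses, is an added example and not OpenLDAP code or part of the mail; the "access to" scope always matching, the case-insensitive string comparison of DNs and the sample DNs under dc=example,dc=com are assumptions.

```python
# Added example (not OpenLDAP code): toy model of how slapd walks the "by"
# clauses of the userPassword ACL quoted above ("access to" scope assumed to match).
from dataclasses import dataclass
from typing import List, Optional

# slapd access levels, weakest to strongest; each implies those below it
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

@dataclass
class ByClause:
    who: str    # "self", "anonymous" or "*"
    level: str  # access granted when the clause matches
    ssf: int    # minimum security strength factor (0 = none required)

@dataclass
class Request:
    bind_dn: Optional[str]  # None for an anonymous connection
    target_dn: str          # entry whose userPassword is being accessed
    ssf: int                # negotiated SSF: 0 = cleartext, >= 56 = TLS/SASL

def parse_by(line: str) -> ByClause:
    """Parse one slapd.conf clause such as 'by self ssf=56 write'."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "by":
        raise ValueError(f"not a by clause: {line!r}")
    ssf = 0
    for qualifier in parts[2:-1]:
        if qualifier.startswith("ssf="):
            ssf = int(qualifier[len("ssf="):])
    return ByClause(who=parts[1], level=parts[-1], ssf=ssf)

# The three clauses exactly as they appear in the mail
USERPASSWORD_ACL = [parse_by(l) for l in (
    "by self ssf=56 write", "by anonymous ssf=56 auth", "by * none")]

def who_matches(clause: ByClause, req: Request) -> bool:
    # Only the three <who> forms used in the mail are modeled; others never match
    return (clause.who == "*"
            or (clause.who == "anonymous" and req.bind_dn is None)
            or (clause.who == "self" and req.bind_dn is not None
                and req.bind_dn.lower() == req.target_dn.lower()))

def evaluate(acl: List[ByClause], req: Request) -> str:
    # First clause whose <who> matches and whose ssf= is met decides; an unmet
    # ssf= skips the clause rather than denying, so "by * none" catches it.
    for clause in acl:
        if who_matches(clause, req) and req.ssf >= clause.ssf:
            return clause.level
    return "none"  # slapd's implicit trailing "by * none"

def allows(acl: List[ByClause], req: Request, wanted: str) -> bool:
    return LEVELS.index(evaluate(acl, req)) >= LEVELS.index(wanted)
```

With this ACL a cleartext simple bind (anonymous identity, ssf 0) is denied "auth" access to userPassword, which is why the captured cleartext password cannot be used, even though tcpdump still shows it.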