[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pam_password exop

Le 12/09/2012 16:59, teoman.onay@degroof.be a écrit :
Does this mean that the password is sent clear to the ldap server then
hashed over there ? It looks like a huge security flaw ...
I'd wouldn't be so affirmative.

First, by externalising confidentialy support on the transport layer, you're building on a known and proved protocol, instead of reininventing the wheel.

Second, sending password hashes in cleartext wouldn't qualify for a good security practice either...

i've used tcpdump and unfortunately my password appears clearly ...
using does imply enabling TLS ?
If you're concerned about the network traffic between your ldap server and clients, absolutly. If they are both on a private admin-only network, for instance, it would not be so much necessary.

You can easily make encryption usage mandatory for accessing the password attribute (and other similar sensible ones) using ACLs. For instance:
access to dn.subtree="dc=exemple,dc=comfr" attrs=userPassword
    by self ssf=56 write
    by anonymous ssf=56 auth
    by * none

It does not prevent an unsuspicious user to send its password in cleartext, but it makes it useless, so largely less likely to appear in working configuration.

BOFH excuse #221:

The mainframe needs to rest.  It's getting old, you know.