****Re: Linux Administration - Users in (any) database howto/why...

Ed plug at 0x1b.com
Fri Jan 2 23:36:49 MST 2009


On Fri, Jan 2, 2009 at 6:02 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
> Correct!  Bingo!  You understand the process.
>
> So, your LDAP server optimally would:
>
> 1) Not have /etc/sudoers wide open (shells disabled, be unable to escape a
> vi to root command shell) and only do a few commands.
> 2) Have good permissions, and/or have no shell or X users with privs.
> 3) Be completely configured and tested, as well as patched to current
> standards.
>

Would there be any sense, as an addition to the above, in making the
/etc/ldap.secret a soft link into an encrypted partition - for example
/var/aaa/ldap.secret?
One should take care with ownership and the umask, but I think it
would add a layer of protection - so long as being there for bootups
isn't a problem...

So long as proximity isn't a problem - is this an additional layer of
security worth the trouble?

> And even then.....anyone on the same shared network could decrypt your TLS
> sessions snarfed via promiscuous ethernet like any singing bird on the wire
> is heard (using crypt/john).  Add a nice VLAN or layer 3 switch (also well
> configured) and we have a VERY GOOD solution!
>
> Unfortunately, that's the same thing with Microsoft Netbios and other auth,
> while better with encryption, still trivial to intercept and exploit on a
> shared network with Metasploit.
>
> But.....sLDAP integrated well is BETTER than two (or three counting web
> systems) admins adding two or three (or four with LTS) users at every
> change?
>
> www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |
> (503)754-4452
> ________________________________
> January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security
> Forensics @ UAT 1/10/09 12-3PM
>
>
>> Date: Fri, 2 Jan 2009 16:40:20 -0700
>> From: joe at nationnet.com
>> To: plug-discuss at lists.plug.phoenix.az.us
>> Subject: Re: ****Re: Linux Administration - Users in (any) database
>> howto/why...
>>
>> Good point on TLS. The /etc/ldap.secret is where I had the problem. If
>> you put that file on an end users machine, wouldn't they be able to boot
>> into single user mode or sudo and read that file? Doesn't that file
>> provide the keys to the kingdom? Once you have full read access to the
>> directory. can't you read all the user id's and hashes and gain access
>> to every other system? Sorry if this was already a hackfest activity and
>> I missed it.
>>
>> Craig White wrote:
>> >
>> > ----
>> > ssl support as far as I know, has always been part of LDAP but it has
>> > mostly been deprecated in favor of using TLS. I know that Red Hat
>> > systems still launch both the ldap and ldaps listeners and if you use
>> > TLS, you don't use the ldaps connection. This actually makes sense
>> > because if you 'bind' via encryption, the rest of the data does not need
>> > to incur the overhead of encryption.
>> >
>> > If you intend to use the system for user authentication, you will have
>> > to create /etc/ldap.secret, chmod it to 0600 and embed a suitable
>> > password that allows you access. Since you have to be root to read the
>> > file, I am not certain what your reservations are because if you are
>> > root, you certainly can do much more than read the LDAP password.
>> >
>> > Craig
>> >
>> > ---------------------------------------------------
>> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> > To subscribe, unsubscribe, or to change your mail settings:
>> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>> >
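An added audit script for the /etc/ldap.secret handling discussed in this thread (example code, not anything posted by Ed, Lisa, Joe or Craig): it follows the soft link into the encrypted partition, then checks owner, 0600 mode and location of the real file. It assumes GNU coreutils (readlink -f, stat -c); the function name and its argument order are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: audit a credential
# file such as /etc/ldap.secret against the hardening discussed above. It
# resolves the symlink (e.g. to /var/aaa/ldap.secret on an encrypted partition)
# and checks the real file's owner, its 0600 mode and that it lies under the
# expected directory; a parent directory open to group/other gets a warning.
# Function name and argument order are this example's own; needs GNU coreutils.

# check_secret FILE EXPECTED_OWNER EXPECTED_DIR
# Prints one line per finding; returns 0 only when every check passes.
check_secret() {
    f=$1 owner=$2 rc=0
    dir=$(readlink -f "$3")
    if [ ! -e "$f" ]; then
        echo "FAIL: $f is missing or a dangling symlink"
        return 1
    fi
    real=$(readlink -f "$f")
    [ -L "$f" ] && echo "info: $f -> $real"
    # All remaining checks apply to the file the link finally points at
    if [ ! -f "$real" ]; then
        echo "FAIL: $real is not a regular file"; rc=1
    fi
    actual_owner=$(stat -c '%U' "$real")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $real is owned by $actual_owner, expected $owner"; rc=1
    fi
    mode=$(stat -c '%a' "$real")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $real has mode $mode, expected 600"; rc=1
    fi
    # The resolved path must sit inside the directory meant to hold it
    case "$real" in
        "$dir"/*) ;;
        *) echo "FAIL: $real resolves outside $dir"; rc=1 ;;
    esac
    # Parent dir open to group/other leaks the file's existence; warn only,
    # since a direct /etc/ldap.secret legitimately lives in a 0755 /etc
    pdir=$(dirname "$real")
    case "$(stat -c '%a' "$pdir")" in
        *00) ;;
        *) echo "WARN: $pdir is readable or searchable by group/other" ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

# Usage: check_secret /etc/ldap.secret root /var/aaa
```

Run it from the boot-time script that mounts the encrypted partition, so a missing mount shows up as a dangling link rather than as a silent authentication failure.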

