On Fri, Jan 2, 2009 at 6:02 PM, Lisa Kachold wrote:

> Correct! Bingo! You understand the process.
>
> So, your LDAP server optimally would:
>
> 1) Not have /etc/sudoers wide open (shells disabled, be unable to escape a
> vi to root command shell) and only do a few commands.
> 2) Have good permissions, and/or have no shell or X users with privs.
> 3) Be completely configured and tested, as well as patched to current
> standards.

Would there be any sense, as an addition to the above, in making /etc/ldap.secret a soft link into an encrypted partition - for example /var/aaa/ldap.secret? One should take care with ownership and the umask, but I think it would add a layer of protection - so long as being there for bootups isn't a problem... so long as proximity isn't a problem. Is this an additional layer of security worth the trouble?

> And even then.....anyone on the same shared network could decrypt your TLS
> sessions snarfed via promiscuous ethernet like any singing bird on the wire
> is heard (using crypt/john). Add a nice VLAN or layer 3 switch (also well
> configured) and we have a VERY GOOD solution!
>
> Unfortunately, that's the same thing with Microsoft Netbios and other auth,
> while better with encryption, still trivial to intercept and exploit on a
> shared network with Metasploit.
>
> But.....sLDAP integrated well is BETTER than two (or three counting web
> systems) admins adding two or three (or four with LTS) users at every
> change?
>
> www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis |
> (503)754-4452
> ________________________________
> January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security
> Forensics @ UAT 1/10/09 12-3PM
>
>> Date: Fri, 2 Jan 2009 16:40:20 -0700
>> From: joe@nationnet.com
>> To: plug-discuss@lists.plug.phoenix.az.us
>> Subject: Re: ****Re: Linux Administration - Users in (any) database
>> howto/why...
>>
>> Good point on TLS. The /etc/ldap.secret is where I had the problem. If
>> you put that file on an end user's machine, wouldn't they be able to boot
>> into single user mode or sudo and read that file? Doesn't that file
>> provide the keys to the kingdom? Once you have full read access to the
>> directory, can't you read all the user id's and hashes and gain access
>> to every other system? Sorry if this was already a hackfest activity and
>> I missed it.
>>
>> Craig White wrote:
>> >
>> > ----
>> > ssl support as far as I know, has always been part of LDAP but it has
>> > mostly been deprecated in favor of using TLS. I know that Red Hat
>> > systems still launch both the ldap and ldaps listeners and if you use
>> > TLS, you don't use the ldaps connection. This actually makes sense
>> > because if you 'bind' via encryption, the rest of the data does not need
>> > to incur the overhead of encryption.
>> >
>> > If you intend to use the system for user authentication, you will have
>> > to create /etc/ldap.secret, chmod it to 0600 and embed a suitable
>> > password that allows you access. Since you have to be root to read the
>> > file, I am not certain what your reservations are because if you are
>> > root, you certainly can do much more than read the LDAP password.
>> >
>> > Craig

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
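The audit below is an added example and not part of the thread: it checks an ldap.secret-style file the way Craig's 0600 advice and the symlink-into-an-encrypted-partition suggestion describe, i.e. that the file resolves to a real, present file, is owned by the expected user with mode exactly 0600, and (optionally) sits beneath an allowed directory such as the proposed /var/aaa. The function name and the optional allowed-directory argument are this example's own choices; it relies on GNU `stat` and `readlink`.

```shell
#!/bin/sh
# Audit an ldap.secret-style file: it must be a regular file (after
# following any symlink), owned by the expected user, mode exactly 0600,
# and optionally located beneath an allowed directory (e.g. an encrypted
# partition). Returns 0 when every check passes, 1 otherwise.
# Usage: audit_ldap_secret /etc/ldap.secret root /var/aaa
audit_ldap_secret() {
    path=$1
    owner=${2:-root}
    allowed_dir=${3:-}
    rc=0
    # A dangling link (or an unmounted partition) shows up here: the
    # file must be present at boot for nss/pam_ldap to bind at all.
    if [ ! -e "$path" ]; then
        echo "FAIL: $path does not exist or its target is missing"
        return 1
    fi
    # Judge the real file, not the link itself.
    target=$(readlink -f -- "$path")
    if [ ! -f "$target" ]; then
        echo "FAIL: $target is not a regular file"
        return 1
    fi
    # No group or other bits at all: 0600 is the only acceptable mode.
    mode=$(stat -c '%a' -- "$target")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $target mode is $mode, expected 600"
        rc=1
    fi
    fowner=$(stat -c '%U' -- "$target")
    if [ "$fowner" != "$owner" ]; then
        echo "FAIL: $target owned by $fowner, expected $owner"
        rc=1
    fi

    # When an allowed directory is given, the resolved target must sit
    # beneath it; resolve the directory too so linked /tmp paths compare.
    if [ -n "$allowed_dir" ]; then
        allowed_dir=$(readlink -f -- "$allowed_dir")
        case "$target" in
            "$allowed_dir"/*) ;;
            *) echo "FAIL: $target lies outside $allowed_dir"; rc=1 ;;
        esac
    fi

    [ "$rc" -eq 0 ] && echo "OK: $target ($fowner, mode $mode)"
    return "$rc"
}
```

Run it as root against the real /etc/ldap.secret with `root` as the owner; the tests below exercise it on constructed files under a temporary directory instead.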