****Re: Linux Administration - Users in (any) database howto/why...
Lisa Kachold
lisakachold at obnosis.com
Fri Jan 2 18:02:35 MST 2009
Correct! Bingo! You understand the process.
So, your LDAP server optimally would:
1) Not have /etc/sudoers wide open (shells disabled, be unable to escape a vi to root command shell) and only do a few commands.
2) Have good permissions, and/or have no shell or X users with privs.
3) Be completely configured and tested, as well as patched to current standards.
And even then.....anyone on the same shared network could decrypt your TLS sessions snarfed via promiscious ethernet like any singing bird on the wire is heard (using crypt/john). Add a nice VLAN or layer 3 switch (also well configured) and we have a VERY GOOD solution!
Unfortunately, that's the same thing with Microsoft Netbios and other auth, while better with encryption, still trivial to intercept and exploit on a shared network with Metasploit.
But.....sLDAP integrated well is BETTER than two (or three counting web systems) admins adding two or three (or four with LTS) users at every change?
www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM
> Date: Fri, 2 Jan 2009 16:40:20 -0700
> From: joe at nationnet.com
> To: plug-discuss at lists.plug.phoenix.az.us
> Subject: Re: ****Re: Linux Administration - Users in (any) database howto/why...
>
> Good point on TLS. The /etc/ldap.secret is where I had the problem. If
> you put that file on an end users machine, wouldn't they be able to boot
> into single user mode or sudo and read that file? Doesn't that file
> provide the keys to the kingdom? Once you have full read access to the
> directory. can't you read all the user id's and hashes and gain access
> to every other system? Sorry if this was already a hackfest activity and
> I missed it.
>
> >
>
>
> Craig White wrote:
> >
> > ----
> > ssl support as far as I know, has always been part of LDAP but it has
> > mostly been deprecated in favor of using TLS. I know that Red Hat
> > systems still launch both the ldap and ldaps listeners and if you use
> > TLS, you don't use the ldaps connection. This actually makes sense
> > because if you 'bind' via encryption, the rest of the data does not need
> > to incur the overhead of encryption.
> >
> >
>
> > If you intend to use the system for user authentication, you will have
> > to create /etc/ldap.secret, chmod it to 0600 and embed a suitable
> > password that allows you access. Since you have to be root to read the
> > file, I am not certain what your reservations are because if you are
> > root, you certainly can do much more than read the LDAP password.
> >
> >
>
> > Craig
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
_________________________________________________________________
Life on your PC is safer, easier, and more enjoyable with Windows Vista®.
http://clk.atdmt.com/MRT/go/127032870/direct/01/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20090103/9e168b1f/attachment.htm
More information about the PLUG-discuss
mailing list