LDAP authentication confusion

Daniel Eischen deischen at freebsd.org
Tue Jul 16 03:45:11 UTC 2013


On Mon, 15 Jul 2013, Daniel Eischen wrote:

> On Tue, 16 Jul 2013, Jan Bramkamp wrote:
>
>> On 16.07.2013 04:28, Daniel Eischen wrote:
[ ... ]
>>> 
>>> I think something is lost on me here.  getpwent/getpwuid do
>>> not return the password hashes in the returned struct passwd
>>> unless the calling process is root.  So you have to be root in
>>> order to see the hashes anyway.  Not all users are going to
>>> have access to the hashes, unless your machine's compromised
>>> or otherwise allows root privileges to others.
>>> 
>> If the crypted password can be read by an LDAP client with the
>> information available to every process in (nss_)ldap.conf, your crypted
>> passwords are easily accessible for offline attacks. There is no reason
>> for an attacker to go through the getpwent/getpwuid API.
>
> The root bind password is kept in a separate file that only
> root has read rights to.  I don't think the password hashes
> are available when binding anonymously or through the proxy
> agent.

I guess I was wrong - it seems the proxy agent by default
(at least with Oracle DSEE7) has read access to the userPassword
attribute.  I'll have to try adding an ACI, as suggested by
Michael Butler, to restrict that.

-- 
DE


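As an added illustration of the ACI approach mentioned above (not part of the original thread), the following LDIF adds an access control instruction in the Sun/Oracle Directory Server style that denies read, search and compare on userPassword to every bound identity, so a proxy agent or anonymous bind no longer receives the hashes. The suffix, the ACL name and the proxy-agent DN are placeholders; the exact ACI grammar should be checked against the DSEE 7 documentation for the deployed version.

```ldif
# Constructed example: restrict userPassword on the whole suffix.
# dc=example,dc=com is a placeholder for the real base DN.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
 (version 3.0;
 acl "Deny userPassword reads to proxy and anonymous binds";
 deny (read, search, compare)
 (userdn = "ldap:///anyone");)
```

A deny ACI overrides any allow on the same attribute, a simple bind still authenticates because the bind operation is not governed by read ACIs, and the directory manager bypasses ACIs entirely, so after applying it a search bound as the proxy agent DN from (nss_)ldap.conf requesting userPassword should return entries without that attribute.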