From owner-freebsd-stable@FreeBSD.ORG Tue Jul 16 02:45:01 2013
Date: Mon, 15 Jul 2013 22:45:00 -0400 (EDT)
From: Daniel Eischen
To: Jan Bramkamp
Cc: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
In-Reply-To: <51E4B0F9.5050200@rlwinm.de>
References: <1373915752.13754.140661255962197.3CA2BD96@webmail.messagingengine.com> <20130715224748.GA45649@anubis.morrow.me.uk> <51E480C3.50008@rlwinm.de> <51E4B0F9.5050200@rlwinm.de>
List-Id: Production branch of FreeBSD source code

On Tue, 16 Jul 2013, Jan Bramkamp wrote:

> On 16.07.2013 04:28, Daniel Eischen wrote:
>> On Tue, 16 Jul 2013, Jan Bramkamp wrote:
>>
>>> On 16.07.2013 00:47, Ben Morrow wrote:
>>>> Quoth Jan Bramkamp:
>>>>> On 15.07.2013 21:51, Daniel Eischen wrote:
>>>>>>
>>>>>> Wouldn't it be easier just to edit /etc/nsswitch.conf
>>>>>> anyway?
>>>>> PAM and NSS switch are two different subsystems. NSS is just for
>>>>> resource lookups (users, groups, hosts, ...). PAM is for access
>>>>> control.
>>>>>
>>>>> With ldap in nsswitch.conf for users and groups you can look up an LDAP
>>>>> user, but the user can't log into $service through PAM. This requires
>>>>> pam_ldap.so in pam.d/$service.
>>>>
>>>> The default pam_unix.so calls getpwent, so if nss_ldap returns cryptable
>>>> passwords in its result I think pam_unix can authenticate against those.
>>>>
>>>> This is not the same as authenticating by LDAP bind, but may end up
>>>> accepting the same passwords.
>>>
>>> If you want every process to read your hashed passwords and you use
>>> non-portable crypt hashes it could work. The correct solution would be to
>>> authenticate users by LDAP binds without allowing anyone to read the
>>> password, or to use the {SASL} password style and authenticate users
>>> against Kerberos with saslauthd. Just don't let your users play with
>>> passwords. Either your password policy allows dumb users to pick trivial
>>> passwords or it forces complex password structures on them, resulting in
>>> post-it notes with passwords around every second desk.
>>
>> I think something is lost on me here. getpwent/getpwuid do
>> not return the password hashes in the returned struct passwd
>> unless the calling process is root. So you have to be root in
>> order to see the hashes anyway. Not all users are going to
>> have access to the hashes, unless your machine's compromised
>> or otherwise allows root privileges to others.
>>
> If the crypted password can be read by an LDAP client with the
> information available to every process in (nss_)ldap.conf, your crypted
> passwords are easily accessible for offline attacks. There is no reason
> for an attacker to go through the getpwent/getpwuid API.

The root bind password is kept in a separate file that only root has
read rights to. I don't think the password hashes are available when
binding anonymously or through the proxy agent.

-- 
DE
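The following configuration fragments are an added example, not part of the thread and not FreeBSD's or PADL's own files. They lay the split discussed above out side by side: nsswitch.conf only resolves users and groups through LDAP, pam_ldap authenticates by an LDAP bind, the privileged NSS bind password sits in a root-only secret file rather than in the world-readable client config, and the directory's own ACL is what decides whether anyone can read the hashes. The server name, base DN, proxy DN and the port's file locations (/usr/local/etc/nss_ldap.conf, /usr/local/etc/nss_ldap.secret, /usr/local/lib/pam_ldap.so) are assumptions; the ACL syntax is OpenLDAP slapd.conf, and the client syntax is PADL nss_ldap/pam_ldap.

```conf
# --- /etc/nsswitch.conf (FreeBSD client): NSS resolves users and groups
#     through LDAP but authenticates nobody; that is PAM's job below.
passwd: files ldap
group:  files ldap

# --- /usr/local/etc/nss_ldap.conf (assumed path; PADL nss_ldap syntax).
#     This file is readable by every process, so nothing secret goes here.
uri        ldap://ldap.example.org/        # assumed server
base       dc=example,dc=org               # assumed suffix
# Optional privileged DN used only when the calling process is root. Its
# password is read from a separate file (assumed /usr/local/etc/nss_ldap.secret,
# owner root, mode 0600), so unprivileged lookups bind anonymously and never
# carry a credential that could be used to read userPassword.
rootbinddn cn=nssproxy,dc=example,dc=org   # assumed DN

# --- /etc/pam.d/sshd (FreeBSD client): authentication is an LDAP bind
#     performed by pam_ldap with the user's own password; pam_unix remains
#     for local accounts and is given the same password (try_first_pass).
auth     sufficient /usr/local/lib/pam_ldap.so no_warn
auth     required   pam_unix.so               no_warn try_first_pass
account  required   /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account  required   pam_unix.so

# --- slapd.conf on the directory server.
# WEAK (shown for contrast, do not use): every client that can reach the
# directory, anonymous or not, may read userPassword and crack the hashes
# offline. This is the exposure Jan describes; nss_ldap would also return
# the hash to pam_unix, which then accepts it via crypt(3).
#access to attrs=userPassword
#    by * read
#
# Corrected: nobody reads the hash. An anonymous client may only bind against
# it ("auth"), the owner may change it, and even the NSS proxy DN gets no read
# access, so a compromised client config cannot harvest hashes. ACLs are
# evaluated in order, so the userPassword rule must come before the catch-all.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by anonymous read
```

With the corrected ACL in place, a quick check from a client is `ldapsearch -x -b dc=example,dc=org '(uid=someuser)' userPassword`: an anonymous search should return the entry without a userPassword attribute, while `ldapwhoami -x -D uid=someuser,... -W` with the correct password still succeeds, which is exactly the bind that pam_ldap performs.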