From owner-freebsd-stable@FreeBSD.ORG Tue Jul 16 03:45:11 2013
Date: Mon, 15 Jul 2013 23:45:09 -0400 (EDT)
From: Daniel Eischen <deischen@freebsd.org>
To: Jan Bramkamp
Cc: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
References: <1373915752.13754.140661255962197.3CA2BD96@webmail.messagingengine.com> <20130715224748.GA45649@anubis.morrow.me.uk> <51E480C3.50008@rlwinm.de> <51E4B0F9.5050200@rlwinm.de>
List-Id: Production branch of FreeBSD source code

On Mon, 15 Jul 2013, Daniel Eischen wrote:

> On Tue, 16 Jul 2013, Jan Bramkamp wrote:
>
>> On 16.07.2013 04:28, Daniel Eischen wrote:
[ ... ]
>>>
>>> I think something is lost on me here.  getpwent/getpwuid do
>>> not return the password hashes in the returned struct passwd
>>> unless the calling process is root.  So you have to be root in
>>> order to see the hashes anyway.  Not all users are going to
>>> have access to the hashes, unless your machine's compromised
>>> or otherwise allows root privileges to others.
>>>
>> If the crypted password can be read by an LDAP client with the
>> information available to every process in (nss_)ldap.conf your crypted
>> passwords are easily accessible for offline attacks.  There is no reason
>> for an attacker to go through the getpwent/getpwuid API.
>
> The root bind password is kept in a separate file that only
> root has read rights to.  I don't think the password hashes
> are available when binding anonymously or through the proxy
> agent.

I guess I was wrong - it seems the proxy agent by default (at least
with Oracle DSEE7) has read access to the userPassword attribute.
I'll have to try adding an ACI, as suggested by Michael Butler, to
restrict that.

-- 
DE
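The check and the fix discussed in this thread, as an added example that is not part of the original message, not Oracle's DSEE documentation, and not FreeBSD project code: a POSIX shell script that binds as the proxy agent (or anonymously) with OpenLDAP's ldapsearch, counts how many entries come back with a userPassword value, and emits a DSEE/389-style deny ACI for the attribute. The server URI, base DN, proxy-agent DN and the secret-file path are placeholder assumptions; the LDIF fed to the parsing functions in the usage notes is constructed, not captured from a real directory.

```bash
#!/bin/sh
# Added example: does a given LDAP bind return userPassword, and an ACI to stop it.
# Every hostname, DN and path below is an assumption for illustration.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"                        # assumed
BASE_DN="${BASE_DN:-ou=people,dc=example,dc=com}"                      # assumed
PROXY_DN="${PROXY_DN:-cn=proxyagent,ou=profile,dc=example,dc=com}"     # assumed
PROXY_PW_FILE="${PROXY_PW_FILE:-/etc/ldap.secret}"                     # assumed path
ADMIN_DN="${ADMIN_DN:-cn=Directory Manager}"                           # assumed

# ldif_has_userpassword: read LDIF on stdin, exit 0 if any entry carries a
# userPassword value. Matches both "userPassword:" (cleartext/hash) and
# "userPassword::" (base64) forms; attribute names are case-insensitive in LDAP.
ldif_has_userpassword() {
    grep -qi '^userpassword:'
}

# ldif_count_userpassword: print how many userPassword lines the LDIF on stdin
# contains (one per exposed entry). grep -c prints 0 on no match but exits 1,
# so "|| true" keeps callers running under "set -e".
ldif_count_userpassword() {
    grep -ci '^userpassword:' || true
}

# check_bind_exposure BIND_DN PW_FILE: search the people subtree as that
# identity (anonymous when BIND_DN is empty) asking only for userPassword.
# -x is a simple bind, -LLL strips comments/version lines, -y reads the
# bind password from a file so it never appears in the process list.
# Returns 1 (and prints EXPOSED) when hashes come back for this bind.
check_bind_exposure() {
    bind_dn=$1
    pw_file=$2
    if [ -n "$bind_dn" ]; then
        out=$(ldapsearch -LLL -x -H "$LDAP_URI" -D "$bind_dn" -y "$pw_file" \
                  -b "$BASE_DN" '(objectClass=posixAccount)' userPassword)
    else
        out=$(ldapsearch -LLL -x -H "$LDAP_URI" \
                  -b "$BASE_DN" '(objectClass=posixAccount)' userPassword)
    fi
    n=$(printf '%s\n' "$out" | ldif_count_userpassword)
    if [ "$n" -gt 0 ]; then
        echo "EXPOSED: ${bind_dn:-anonymous} can read userPassword on $n entries"
        return 1
    fi
    echo "ok: ${bind_dn:-anonymous} receives no userPassword values"
    return 0
}

# deny_userpassword_aci_ldif: print an LDIF modify that adds a deny ACI on the
# subtree. DSEE and 389 evaluate deny before allow, so this wins over the
# default read grant regardless of which allow rule gave the proxy agent
# access. Directory Manager bypasses ACIs, so the admin bind still works;
# simple binds validate the password server-side and are not affected.
deny_userpassword_aci_ldif() {
    cat <<EOF
dn: $BASE_DN
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "deny userPassword reads"; deny (read, search) userdn = "ldap:///anyone";)
EOF
}

# apply_deny_aci: push the ACI with ldapmodify as the admin; prompts for the
# admin password (-W). Run check_bind_exposure again afterwards to confirm.
apply_deny_aci() {
    deny_userpassword_aci_ldif | ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -W
}

# Live run only when explicitly requested, so the script is safe to source.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    check_bind_exposure "" ""                        # anonymous bind
    check_bind_exposure "$PROXY_DN" "$PROXY_PW_FILE" # proxy agent bind
fi
```

Usage: `RUN_LIVE=1 sh check_userpassword.sh` reports per bind; if the proxy agent line says EXPOSED, run `apply_deny_aci` (or pipe `deny_userpassword_aci_ldif` into your own change process) and re-run the check. The ACI denies read and search but not compare, so applications that authenticate via LDAP compare on userPassword keep working; add `compare` to the deny list if nothing relies on that.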