[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM concepts (was: pam_{unix,pwdb}: crypt/md5 necessary?)



On Thu, Aug 03, 2000 at 04:00:20PM -0400, Nalin Dahyabhai wrote:
> 
> > Is this how the pam_ldap module works?  I don't know if it has an 'auth' mode
> > as well (perhaps there's a more secure way to authenticate against LDAP than
> > by sending the password with getpwnam()).
> 
> Yes, it does.  The auth module attempts to do a simple bind to the
> configured LDAP server as the user being authenticated, because a server
> that's configured with the least amount of security in mind won't send
> out the contents of a user's crypted password field.
> 

Is it really more secure?  Forgive me if I'm missing something here,
but the effect of setting ACL which prevents anyone from reading the
hashed password is that the module has to bind to the LDAP server as
the user, which requires passing their password in clear text over
the network, which then passes the hashed password from the directory
object back.  In that case, why bother hashing, except as a defense
against misconfigured ACLs?  Note that I'm assuming that the LDAP server
is only accessible on a private LAN, where any host has access to the
network for sniffing.  Of course, this should be moot in a few months
when OpenLDAP 2 is released with SSL/TLS support.

Wil
-- 
W. Reilly Cooley                         wcooley@nakedape.cc
Naked Ape Consulting                      http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and   http://lnxs.org
people who take care of them.  *Now with integrated crypto!*
irc.openprojects.net                                   #lnxs

The most costly of all follies is to believe passionately in the palpably
not true.  It is the chief occupation of mankind.
		-- H.L. Mencken





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []