
Re: PAM concepts

W. Reilly Cooley, Esq. <wcooley@nakedape.cc> wrote:
> Is it really more secure?  Forgive me if I'm missing something here,
> but the effect of setting an ACL which prevents anyone from reading the
> hashed password is that the module has to bind to the LDAP server as
> the user, which requires passing their password in clear text over
> the network, which then passes the hashed password from the directory
> object back.  In that case, why bother hashing, except as a defense
> against misconfigured ACLs?  Note that I'm assuming that the LDAP server
> is only accessible on a private LAN, where any host has access to the
> network for sniffing.  Of course, this should be moot in a few months
> when OpenLDAP 2 is released with SSL/TLS support.

> Wil

That is a known fact:
--------README from pam-ldap------
| pam_ldap is only secure if used with a secure SASL mechanism (like
| CRAM-MD5) or with transport security (like SSL/TLS). With simple
| authentication, it is less secure than using UNIX hashed passwords,
| because the LDAP bind request sends the password in the clear.
You can use stunnel on the LDAP server and on the client
(stunnel -c -r ldap.server:636 -d 389 -- ldapclear and block
"ldapclear" in hosts.{allow,deny} for anyone but LOCAL)
to protect against packet-sniffing.
         cu andreas
Andreas Metzler, Wien                         |
ametzler@downhill.at.eu.org                   |
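The README's point that a simple bind ships the password in the clear, shown as an added example that is not part of this thread or of pam_ldap: a minimal BER encoder for LDAPv3 BindRequests (RFC 4511) plus an audit check that flags simple-auth binds in a captured packet, which a defender can run over port-389 traffic to find clients still binding without stunnel/TLS or a SASL mechanism. The DN, password and message-ID values are constructed.

```python
# Added example, not code from the thread or from pam_ldap: build LDAPv3
# BindRequests (RFC 4511, BER-encoded) and audit a captured packet for a
# simple bind, whose password is sent verbatim in the clear.

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def simple_bind_request(msg_id, dn, password):
    """LDAPMessage{messageID, BindRequest[APPLICATION 0]{version 3, name,
    authentication [0] simple OCTET STRING}}; the password is a plain string."""
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))

def sasl_bind_request(msg_id, dn, mechanism, credentials):
    """Same, but authentication [3] SaslCredentials{mechanism, credentials}."""
    sasl = tlv(0x04, mechanism.encode()) + tlv(0x04, credentials)
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0xA3, sasl)
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))

def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cleartext_bind_password(packet):
    """Audit check for captured port-389 traffic: return the password when
    `packet` is a simple-auth BindRequest, None for SASL binds or other ops."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, _, pos = read_tlv(msg, 0)           # messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x60:                     # not a BindRequest
        return None
    _, _, pos = read_tlv(op, 0)            # version
    _, _, pos = read_tlv(op, pos)          # name (bind DN)
    auth_tag, auth, _ = read_tlv(op, pos)
    return auth.decode() if auth_tag == 0x80 else None
```

Any non-None result from `cleartext_bind_password` over traffic on the unwrapped port means a client is still doing exactly what the README warns about.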
