[389-users] Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?

Morris, Patrick patrick.morris at hp.com
Fri Aug 17 20:39:45 UTC 2012


> On 08/17/2012 12:27 AM, Ray wrote:
> > Steve & Rich:
> >
> > I prefer different passwords because of security concerns: If a user
> > (with both IMAP and SSH access) hacks his/her mail password into a
> > compromised box (keylogger, for instance, internet café…), then the
> > expected damage would be limited to the mail account only. If the same
> > password works for SSH also, then it's possible to screw up all files
> > of that user; worse even, if there is some rights-elevation bug around
> > at the time - then the entire box might be at risk.
> >
> > Getting a second set of userpassword attributes then either would
> > require me to run a second instance, or I would have to resort to the
> > likes of sasldb for the mail side of things…
> >
> > Would there be a way to patch some schema file with an extra password
> > attribute ("mailuserpassword")? I have absolutely no clue about schema
> > writing though… is there something you can recommend me to read (book,
> > website, …) on this topic?
> 
> You could use your own attribute.  But how will the application know
> how to use it?  You cannot use it with an LDAP BIND request since that
> only knows about the userPassword attribute.  So your application would
> have to deal with hashing, comparison, etc. in a secure way.  If you
> really want to go this route, take a look at the schema file
> 05rfc4524.ldif - the simpleSecurityObject objectclass.  You would do
> something similar e.g. create your custom password attribute (by
> copying/altering the definition of the userPassword attribute), then
> create your custom SecurityObject objectclass based on copying/altering
> simpleSecurityObject.  Then you would use ldapmodify to add your custom
> objectclass to every entry that needs it.


Another simple solution here, if you're concerned enough about security to consider setting up something this convoluted, would be to stop accepting passphrases as valid authentication for SSH sessions.
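Rich's point above is that a custom password attribute cannot be used in an LDAP BIND, so the mail application has to do the hashing and comparison itself. As an added example (not code from this thread or from 389 DS), here is what that check would look like in Python for values stored in the `{SSHA}` / `{SSHA512}` format 389 DS uses for userPassword; the attribute name `mailUserPassword` and the sample entry are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Storage formats handled: {SSHA} = sha1(pw + salt) + salt and
# {SSHA512} = sha512(pw + salt) + salt, each base64-encoded as a whole.
_DIGESTS = {"SSHA": ("sha1", 20), "SSHA512": ("sha512", 64)}


def make_hash(password: str, scheme: str = "SSHA512", salt: Optional[bytes] = None) -> str:
    """Produce a salted hash in the {SCHEME}base64 form used by 389 DS."""
    name, _ = _DIGESTS[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(name, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_hash(password: str, stored: str) -> bool:
    """Check a password against one stored value; refuses unknown or malformed values."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored[1:].partition("}")
    if scheme.upper() not in _DIGESTS:
        return False  # unknown scheme: fail closed rather than guess
    name, dlen = _DIGESTS[scheme.upper()]
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) <= dlen:
        return False  # no salt present
    digest, salt = raw[:dlen], raw[dlen:]
    candidate = hashlib.new(name, password.encode("utf-8") + salt).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


# Constructed sample entry, shaped like what an LDAP client library returns once the
# hypothetical mailUserPassword attribute exists in the schema.
SAMPLE_ENTRY = {
    "uid": ["ray"],
    "userPassword": [make_hash("ssh-only-secret")],
    "mailUserPassword": [make_hash("imap-only-secret")],
}


def check_mail_login(entry: dict, password: str) -> bool:
    """The IMAP side compares against mailUserPassword only, never userPassword."""
    return any(verify_hash(password, v) for v in entry.get("mailUserPassword", []))
```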