[Gllug] LDAP
Alex Hudson
home at alexhudson.com
Wed Sep 26 10:11:36 UTC 2001
On Wednesday 26 September 2001 10:49, you wrote:
> > Single-sign on in the true sense of the word requires Kerberos. I.e.,
> > logon into authentication domain, and automatically be authenticated with
> > any member of the authentication domain.
>
> Agreed, you need something like Kerberos to implement SSO (Novell[1]
> whispers that it's possible using their products too), but for simple
> authentication you don't _need_ it.
But ... we weren't talking about per-server authentication, we were talking
about single sign-on. For single sign-on you _do_ need it.
> The next question is: do I need SSO? Not often, but it might be useful
> if I didn't use SSH keys from one central machine (no point having my
> private key on every machine I use)
I prefer it. Why should I have to keep typing in my password all over the
place? SSO is more secure. Kerb' doesn't just do ktelnet/kssh, you can use it
with pop, imap, etc., etc....
> I was under the impression that W32 liked to resend your password
> across the network when you want to use a remote resource.
No, not in a Kerberos domain. Windows2000 adheres pretty well to Kerberos.
Previously, if you wanted to use Linux within a Windows domain (for example)
then you would either have to send your password across the network (if it
was an early version of Windows) or participate in NT challenge/response.
> to bet that I've oversimplified and am probably wrong, but it wouldn't
> surprise me if that's the way it worked.
That's the way it works on UNIX too, don't forget.
> > > > Why not store your password as an MD5 string in your LDAP database.
> > > > Then when a user makes a PAM authentication/request just pipe it
> > > > through an MD5 hash first then send over the network. It will give a
> > > > measure of security.
> > >
> > > That's what I do. Works quite nicely.
> >
> > Yes, but not securely, if that _is_ what you actually do. Hashing a
> > password doesn't make it unsniffable I'm afraid. You're just as insecure
> > as plaintext.
>
> It does depend on how hard it is to crack the hashing algorithm, or to
> brute force the password, which is why it provides "a measure of
> security"
No, it doesn't depend on _any_ of those things. If I sniff your MD5'd
password, I can use that to access your servers. I don't need to 'crack'
anything. You have _NO_ security from that method whatsoever, it's just like
telnetting all over the place.
> For now, working in the place I work, I'm willing to trust
> the LAN with a hash of my password.
Then you may as well trust it with your clear-text password: your methods are
equivalent.
Cheers,
Alex.
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
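An added illustration of the replay point argued above, not code from the thread or any of its participants: the "hash the password and send it" scheme the thread discusses, beside a server-issued-nonce challenge-response verifier of the kind NT challenge/response and Kerberos are built on. The sample password, user record and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed user record: the server stores md5(password), as in the thread.
STORED_HASH = hashlib.md5(b"correct horse").hexdigest()


def client_hash_and_send(password: str) -> str:
    """Thread's scheme, client side: send md5(password) instead of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def verify_hash_and_send(received_hash: str) -> bool:
    """Thread's scheme, server side: the wire value IS the stored credential,
    so any captured message is accepted again, unchanged, forever."""
    return hmac.compare_digest(received_hash, STORED_HASH)


class ChallengeServer:
    """Challenge-response: server issues a fresh nonce and expects
    HMAC(shared_secret, nonce). A captured response is bound to one nonce."""

    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.outstanding = set()      # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: str) -> bool:
        if nonce not in self.outstanding:
            return False              # unknown or already-used nonce: rejected
        self.outstanding.discard(nonce)   # single use, whatever the outcome
        expected = hmac.new(self.secret, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_respond(shared_secret: bytes, nonce: bytes) -> str:
    return hmac.new(shared_secret, nonce, hashlib.sha256).hexdigest()


def demo():
    """Returns (first, replay) for each scheme, using the same captured bytes twice."""
    sniffed = client_hash_and_send("correct horse")
    hs_first, hs_replay = verify_hash_and_send(sniffed), verify_hash_and_send(sniffed)
    secret = hashlib.md5(b"correct horse").digest()   # constructed shared secret
    srv = ChallengeServer(secret)
    nonce = srv.challenge()
    resp = client_respond(secret, nonce)
    cr_first, cr_replay = srv.verify(nonce, resp), srv.verify(nonce, resp)
    return hs_first, hs_replay, cr_first, cr_replay
```

The challenge-response variant only removes the reusable credential from the wire: the stored hash is still a password equivalent on the server, and a captured nonce/response pair can still be guessed against offline, which is why the thread points to Kerberos for real single sign-on.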