Re: Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?

> On 08/17/2012 12:27 AM, Ray wrote:
> > Steve & Rich:
> >
> > I prefer different passwords because of security concerns: If a user
> > (with both IMAP and SSH access) hacks his/her mail password into a
> > compromised box (keylogger, for instance, internet café…), then the
> > expected damage would be limited to the mail account only. If the same
> > password works for SSH also, then it's possible to screw up all files
> > of that user; worse even, if there is some rights-elevation bug around
> > at the time - then the entire box might be at risk.
> >
> > Getting a second set of userpassword attributes then either would
> > require me to run a second instance, or I would have to resort to the
> > likes of sasldb for the mail side of things…
> >
> > Would there be a way to patch some schema file with an extra password
> > attribute ("mailuserpassword")? I have absolutely no clue about schema
> > writing though… is there something you can recommend me to read (book,
> > website, …) on this topic?
> 
> You could use your own attribute.  But how will the application know
> how to use it?  You cannot use it with an LDAP BIND request since that
> only knows about the userPassword attribute.  So your application would
> have to deal with hashing, comparison, etc. in a secure way.  If you
> really want to go this route, take a look at the schema file
> 05rfc4524.ldif - the simpleSecurityObject objectclass.  You would do
> something similar e.g. create your custom password attribute (by
> copying/altering the definition of the userPassword attribute), then
> create your custom SecurityObject objectclass based on copying/altering
> simpleSecurityObject.  Then you would use ldapmodify to add your custom
> objectclass to every entry that needs it.


Another simple solution here, if you're concerned enough about security to consider setting up something this convoluted, would be to stop accepting passphrases as valid authentication for SSH sessions.


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
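The quoted reply sketches the custom-attribute route (copy the userPassword definition, derive an objectclass from simpleSecurityObject, attach it with ldapmodify) and warns that the application then owns hashing and comparison itself, because an LDAP BIND only checks userPassword. The following is an added example written for this archive page, not code from 389 Directory Server or from any poster. It builds the two LDIF operations that route implies, using a hypothetical attribute name `mailUserPassword`, a hypothetical objectclass `mailSecurityObject`, and a placeholder OID arc, and it shows the application-side part: a salted PBKDF2-SHA256 hash in a storage format of this example's own (not a 389 DS password-storage scheme) verified with a constant-time comparison.

```python
"""Custom mail-only password attribute: schema LDIF plus application-side
hashing and verification.  Added example, not project or poster code.
The attribute definitions are modelled on userPassword (RFC 4519) and
simpleSecurityObject (RFC 4524); the OID arc is a placeholder."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Placeholder OID arc (assumption): a real deployment uses an arc it controls.
OID_ARC = "1.3.6.1.4.1.99999.1"

# Storage format used by this example only: {PBKDF2-SHA256}iter$salt$digest
SCHEME = "{PBKDF2-SHA256}"
ITERATIONS = 600_000  # cost factor; raise as hardware allows


def build_schema_ldif() -> str:
    """LDIF modify against cn=schema adding the hypothetical attribute and an
    auxiliary objectclass that requires it (mirrors simpleSecurityObject)."""
    return "\n".join([
        "dn: cn=schema",
        "changetype: modify",
        "add: attributeTypes",
        f"attributeTypes: ( {OID_ARC}.1 NAME 'mailUserPassword' "
        "DESC 'Password used only by the mail service' "
        "EQUALITY octetStringMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )",
        "-",
        "add: objectClasses",
        f"objectClasses: ( {OID_ARC}.2 NAME 'mailSecurityObject' "
        "SUP top AUXILIARY MUST mailUserPassword X-ORIGIN 'user defined' )",
        "",
    ])


def build_entry_ldif(user_dn: str, stored_value: str) -> str:
    """LDIF modify attaching the objectclass and the hashed value to one entry;
    the plaintext never goes into the directory."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: mailSecurityObject",
        "-",
        "add: mailUserPassword",
        f"mailUserPassword: {stored_value}",
        "",
    ])


def hash_for_storage(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-SHA256 value suitable for storing in the attribute."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "{}{}${}${}".format(
        SCHEME, ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored_value: str, candidate: str) -> bool:
    """Check a candidate against a stored value.  Malformed values fail closed;
    the digest comparison is constant-time so timing does not leak a match."""
    if not stored_value.startswith(SCHEME):
        return False
    try:
        iter_s, salt_b64, digest_b64 = stored_value[len(SCHEME):].split("$")
        iterations = int(iter_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # includes binascii.Error from b64decode
        return False
    if iterations < 1 or not salt or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: a mail-only password for a hypothetical entry.
    stored = hash_for_storage("mail-only-secret")
    print(build_schema_ldif())
    print(build_entry_ldif("uid=ray,ou=People,dc=example,dc=com", stored))
    print("verify ok:", verify_password(stored, "mail-only-secret"))
```

The IMAP server (or a PAM/SASL module in front of it) would search the entry, read `mailUserPassword`, and call `verify_password`; it must also guard that read with an ACI so only the mail service's bind identity can see the attribute, since the directory no longer enforces the hash-only handling it applies to userPassword.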
