Lamont R. Peterson wrote:
> The correct solution is simply this: DO NOT add root (uid == 0) authentication
> credentials in your central authentication stores. If you already have root
> credentials in there, GET THEM OUT OF THERE. root should only be able to
> authenticate locally on every single box. The security danger of not
> following this policy can be quite high.
I agree, but I think the correct solution is getting the clients not
to trust their LDAP server when authenticating uid=0.

Just removing root from the directory isn't going to make clients more
secure. IP spoofing and other tricks can be used to fake another LDAP
server with a root account. Of course you may be using TLS and
installing SSL certificates on every client, but I doubt any busy
system administrator would go this far to protect *clients* on the LAN.
> That said, it still might not be a bad idea to implement the extra config line
> that Tomas Mraz suggested, earlier... as an extra protection measure. The
> disadvantage of adding it is that you will have to do so on all systems you
> want to have connected to your central authentication store (LDAP, Kerberos,
> whatever).
>
> Perhaps it should be added to the default PAM configuration for FC5. I would
> vote for that.
I'd vote for that too.
>> Maybe this other project would be more appropriate:
>>
>> http://sourceforge.net/projects/pam-ssh-agent/
>>
>> PAM module that spawns a ssh-agent and adds identities using the
>> password supplied at login.
>
> I like this. It would be nice if FC5 would ship pam-ssh-agent. I'll vote for
> it :).
Good. Who should we bug to get it into FC5? :-)
--
// Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/ http://www.develer.com/
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
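One way to put the client-side rule discussed above into a PAM stack, as an added example that is not from the thread and is not the line Tomas Mraz proposed (which is not quoted here): a Fedora-style /etc/pam.d/system-auth "auth" section, shown first without and then with a pam_succeed_if.so guard in front of pam_ldap.so. The uid threshold of 500 is an assumption (the first regular-user uid on FC-era systems); adjust it to the local convention.

```text
# /etc/pam.d/system-auth, "auth" section only (constructed example).
#
# Weak: any account, root included, may authenticate against the
# directory.  A spoofed LDAP server that answers "yes" for uid 0
# therefore logs in as root on every client that reaches it.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# Hardened: pam_unix.so still checks root's local password.  If that
# fails, pam_succeed_if.so (requisite) ends the stack with a failure for
# every uid below 500, so pam_ldap.so is never consulted for root or for
# other system accounts, whatever the directory (or an impostor) says.
# "quiet" keeps the uid test itself out of syslog; drop it while testing.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
```

The same requisite line belongs in front of pam_krb5.so or any other network module on the stack, since removing root from the directory protects the server, not the client.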