[TriLUG] LDAP Question

Tanner Lovelace lovelace at wayfarer.org
Tue Aug 20 14:00:32 EDT 2002


On Tue, 2002-08-20 at 13:26, Michael Alan Dorman wrote:

> Weeeeeell, you can use access controls to restrict access to the
> userPassword attribute, and pretend that it's secure. :-)
> 
> Actually---and I'm embarrassed to admit that I haven't done the
> research to know where the magic's happening---when I drop something
> in a userPassword attribute it gets encrypted automatically.  Or maybe
> it's Net::LDAP doing it.  Must investigate.

Actually, any time the password goes over the net it *should* 
be encrypted (if not, it's a HUGE security hole).  Still, however,
the encrypted password can be caught and techniques can be used
to try to decrypt it.  The main reason I went with Kerberos
was that it almost never sends passwords of any kind over the
network.  Also, anything it does send over the network expires
in a short amount of time.  So, if someone does capture something,
it's still only good for about 4 hours, which is hopefully shorter
than it would take to brute force decrypt it.
 
> Definitely beyond expectation, given my address. :-)

Doh!  I hadn't even looked at that. :-)  Well, you'll be happy
to know, though, that the new TriLUG Red Hat systems use apt (rpm)
for all their package management.  Apt is very nice and it seems
to do everything up2date does without needing to register (or
set up a current server).
 
> I'll see if I can't get something by the end of the week.  I kind of
> need these for other uses, so this is as good an excuse as any.

Cool!  Thanks very much!

> Has anyone ever actually seen a /etc/default/useradd file in the wild?
> Anyone know the format?  Ideally I'd be able to pull the same defaults
> information as regular useradd, but nothing seems to document the
> format the defaults are stored in...and I'm not sufficiently motivated
> to go grovelling through source right at the moment...

Well, you could pull a source rpm from Red Hat, use rpm2cpio to
extract it and then tar/gunzip the source and look at what 
it does?

Tanner
-- 
Tanner Lovelace | lovelace at wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
          Si hoc legere scis, nimium eruditionis habes.
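
[Added example, not part of the original message and not code from either
poster.] On the question of where the userPassword "encryption" happens, one
way to check what a directory actually stores is to classify each userPassword
value in an LDIF export by its scheme prefix. In LDIF, `userPassword::` only
marks base64 transport encoding, so the value has to be decoded before it is
judged. The DNs, passwords and helper names below are constructed for
illustration.

```python
import base64
import hashlib
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

def classify(value):
    """Return the storage scheme named in a userPassword value."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"

def audit(ldif):
    """Map each entry's DN to the scheme of its userPassword, if it has one."""
    result = {}
    unfolded = re.sub(r"\r?\n ", "", ldif.strip())  # join LDIF continuation lines
    for entry in re.split(r"\r?\n\s*\r?\n", unfolded):
        dn = None
        for line in entry.splitlines():
            attr, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if rest.startswith(":"):  # "attr::" is base64 encoding, not hashing
                raw = base64.b64decode(rest[1:].strip())
                value = raw.decode("utf-8", "replace")
            else:
                value = rest.strip()
            if attr.lower() == "dn":
                dn = value
            elif attr.lower() == "userpassword" and dn:
                result[dn] = classify(value)
    return result

# Constructed sample export (no real accounts or hashes).
def _b64(text):
    return base64.b64encode(text.encode()).decode()

def _ssha(password, salt=b"salt"):
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "userPassword:: " + _b64(_ssha("correct horse")),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=org",
    "userPassword:: " + _b64("hunter2"),  # looks opaque in LDIF, is cleartext
    "",
    "dn: uid=carol,ou=people,dc=example,dc=org",
    "userPassword: {crypt}$1$constructed$notARealHashValue",
])
```

Calling `audit(SAMPLE_LDIF)` flags bob's entry as CLEARTEXT even though its
LDIF line looks just as opaque as alice's.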
