[sudo-users] sudo SSL Solaris

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Wed Jun 14 10:32:58 EDT 2006

Hi Beate,

Most important is that user authentication takes place via SSL. The sudo channel in itself will not communicate any user passwords, so the security implications of not using SSL are quite limited.

The only password that is communicated over the sudo channel itself is the password of the user under which the bind is performed, i.e. the bind user you have configured in your sudo ldap.conf file. This should be rather trivial. If you have done it right, this user only has the authorization to read sudo authorizations from within the LDAP directory.

The sudo authorizations themselves will be sniffable as well, but that shouldn't worry you either.

I'd recommend you to accept this risk. Be sure you have implemented SSL for user authentication though.

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,

Huibert Kivits

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of Beate.Kleymann at HVBIS.com
Sent: Wednesday 14 June 2006 14:31
To: sudo-users at sudo.ws
Subject: [sudo-users] sudo SSL Solaris

Hello !

I am trying to get sudo with PAM and LDAP support plus SSL working. We have Solaris 8 and 9 native clients. Users authenticate using Sun One Directory Server 5.2.

Next we would like to migrate our sudoers information into the Directory Server.

I was able to compile sudo-1.6.8p8 with ldap and pam support:
# ./configure --with-ldap=/usr --with-pam

Everything works fine as long as I don't use SSL.
If I turn on SSL in the /etc/ldap.conf sudo will not work any more.

I tried different entries in the ldap.conf:
bash-2.05$ more /etc/ldap.conf 
host ldaptest.intranet.hypovereinsbank.de
port 636
sudoers_base ou=sudoers,dc=tsy2,dc=hvb,dc=de
binddn uid=XXXXXX,ou=People,dc=hvb,dc=de
bindpw XXXXXX
tls_checkpeer yes
tls_cacertdir /var/ldap
#tls_cert /var/ldap/cert7.db
#tls_key /var/ldap/key3.db
sudoers_debug 2

Using SSL, sudo will hang. It is not reading the SSL parameters from the ldap.conf file.

bash-2.05$ ./sudo /usr/sbin/ifconfig -a
LDAP Config Summary
host         ldaptest.intranet.hypovereinsbank.de
port         636
ldap_version 3
sudoers_base ou=sudoers,dc=tsy2,dc=hvb,dc=de
binddn       uid=XXXXXX,ou=People,dc=hvb,dc=de
bindpw       XXXXXX

libs used:
bash-2.05$ ldd ./sudo
        libpam.so.1 =>   /usr/lib/libpam.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libldap.so.5 =>  /usr/lib/libldap.so.5
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libcmd.so.1 =>   /usr/lib/libcmd.so.1
        librt.so.1 =>    /usr/lib/librt.so.1
        libmd5.so.1 =>   /usr/lib/libmd5.so.1
        libmp.so.2 =>    /usr/lib/libmp.so.2
        libaio.so.1 =>   /usr/lib/libaio.so.1

I tried to find a solution in the mailing list archive, but I'm still not sure if it is possible to use SSL with native Solaris LDAP clients or not. Security is very strict and I'm afraid we are not allowed to transfer sudo entries over the network without using SSL. I'm quite familiar with the Directory Server but I don't have enough knowledge of how sudo works.

Your help would be much appreciated.

Best Regards,
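The thread turns on which settings in sudo's ldap.conf actually put the sudoers lookup on an encrypted channel, and on what is exposed when they are missing: the bind password and the sudo rules themselves, as Huibert notes, plus the config summary that sudoers_debug prints to the terminal. The following checker is an added example written for this thread, not code from the sudo project or from either poster. It parses a constructed ldap.conf in the shape of the one posted above (placeholder host, base DNs and password), and reports the transport-security findings a reviewer would raise. It assumes the `ssl on` / `ssl start_tls` and `uri ldaps://` directives documented for sudo's LDAP support; the thread does not establish which of these the 1.6.8p8 build on Solaris honoured, so the parser here is a hypothetical approximation of sudo's own, not a replacement for it.

```python
"""Audit a sudo ldap.conf for transport-security problems (added example)."""
from __future__ import annotations

from typing import Dict, List, Tuple

# Constructed sample mirroring the shape of the config posted in the thread,
# with a placeholder host, base DNs and bind password.
SAMPLE_LDAP_CONF = """\
host ldap.example.com
port 636
sudoers_base ou=sudoers,dc=example,dc=com
binddn uid=sudoreader,ou=People,dc=example,dc=com
bindpw PLACEHOLDER
tls_checkpeer yes
tls_cacertdir /var/ldap
#tls_cert /var/ldap/cert7.db
#tls_key /var/ldap/key3.db
sudoers_debug 2
"""

# Constructed hardened variant: SSL switched on, peer checking kept, debug off.
HARDENED_LDAP_CONF = """\
host ldap.example.com
port 636
ssl on
tls_checkpeer yes
tls_cacertdir /var/ldap
sudoers_base ou=sudoers,dc=example,dc=com
binddn uid=sudoreader,ou=People,dc=example,dc=com
bindpw PLACEHOLDER
"""

TRUE_VALUES = ("on", "yes", "true")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return key -> value for active (non-comment) directives.

    Keys are lower-cased and a later occurrence overrides an earlier one.
    This is the checker's own simplified reading of the file (an assumption),
    not sudo's parser.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings about what the sudo LDAP channel exposes."""
    findings: List[Tuple[str, str]] = []
    ssl_mode = conf.get("ssl", "").lower()
    ldaps_uri = conf.get("uri", "").lower().startswith("ldaps://")
    encrypted = ssl_mode in TRUE_VALUES + ("start_tls",) or ldaps_uri

    if not encrypted:
        findings.append(("NO_SSL",
                         'no "ssl on"/"ssl start_tls" directive and no ldaps:// uri: '
                         "sudoers lookups travel in plaintext"))
        if conf.get("port") == "636":
            findings.append(("PORT_636_NO_SSL",
                             "port 636 set without ssl: plaintext LDAP to an LDAPS port "
                             "cannot complete the session"))
        if "bindpw" in conf:
            findings.append(("BINDPW_CLEARTEXT",
                             "bindpw will cross the network in cleartext on every lookup"))
    else:
        if conf.get("tls_checkpeer", "no").lower() not in TRUE_VALUES:
            findings.append(("NO_CHECKPEER",
                             "tls_checkpeer is off: server certificate is not validated"))
        if not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
            findings.append(("NO_CA",
                             "no tls_cacertfile/tls_cacertdir: peer check has no trust anchor"))

    if conf.get("sudoers_debug", "0") not in ("0", ""):
        findings.append(("DEBUG_ON",
                         "sudoers_debug > 0: the config summary, bindpw included, "
                         "is printed to the user's terminal"))
    return findings


def finding_codes(text: str) -> List[str]:
    """Convenience wrapper: codes only, in report order."""
    return [code for code, _ in audit_ldap_conf(parse_ldap_conf(text))]


if __name__ == "__main__":
    for name, text in (("posted config", SAMPLE_LDAP_CONF),
                       ("hardened config", HARDENED_LDAP_CONF)):
        print(f"== {name} ==")
        for code, msg in audit_ldap_conf(parse_ldap_conf(text)):
            print(f"  [{code}] {msg}")
```

Run against the posted shape, the checker reports that nothing turns SSL on, that port 636 is therefore being addressed in plaintext, that the bind password is exposed, and that debugging prints the bind password to the invoking user; the hardened variant produces no findings. The parser is deliberately simple; a real deployment should confirm directive names against the sudoers.ldap documentation for the sudo version in use.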
