[sudo-users] sudo SSL Solaris
Huibert.Kivits at mail.ing.nl
Huibert.Kivits at mail.ing.nl
Wed Jun 14 10:32:58 EDT 2006
Most important is that user authentication takes places via SSL. The sudo channel in itself will not communicate any user passwords, so the security implications of not using SSL are quite limited.
The only password that is communicated over the sudo channel itself is the password of the user under which the bind is performed, i.e. the bind user you have configured in you sudo ldap.conf file. This should be rather trivial. If you have done it right, this user only has the authorization to read sudo authorizations from within the LDAP directory.
The sudo authorizatons themselves will be sniffable as well, but that shouldn't worry you either.
I'd recommend you to accept this risk. Be sure you have implemented SSL for user authentication though.
Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,
"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4
Van: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] Namens Beate.Kleymann at HVBIS.com
Verzonden: woensdag 14 juni 2006 14:31
Aan: sudo-users at sudo.ws
Onderwerp: [sudo-users] sudo SSL Solaris
I try to get sudo with pam and ldap support plus ssl working. We have Solaris 8 and 9 native clients. Users authenticate using Sun One Directory Server 5.2
Next we would like to migrate our sudoers information into the Directory Server.
I was able to compile sudo-1.6.8p8 with ldap and pam support:
# ./configure --with-ldap=/usr --with-pam
Everything works fine as long as I don't use SSL.
If I turn on SSL in the /etc/ldap.conf sudo will not work any more.
I tried different Entries in the ldap.conf
bash-2.05$ more /etc/ldap.conf
Using SSL the sudo will hang. It is not reading out the SSL Parameters from the ldap.conf file.
bash-2.05$ ./sudo /usr/sbin/ifconfig -a
LDAP Config Summary
bash-2.05$ ldd ./sudo
libpam.so.1 => /usr/lib/libpam.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libldap.so.5 => /usr/lib/libldap.so.5
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libc.so.1 => /usr/lib/libc.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
librt.so.1 => /usr/lib/librt.so.1
libmd5.so.1 => /usr/lib/libmd5.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libaio.so.1 => /usr/lib/libaio.so.1
I tried to find a solution in the mailing list archive, but I'm still not sure if it is possible to use SSL with native solaris ldap clients or not. Security is very strikt and I'm afraid we are not allowed to transfer sudo entries over the network without using SSL. I'm quite familiar with the Directory Server but I don't have enough knowledge how sudo works.
Your help would be much appreciated.
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
More information about the sudo-users