[sudo-users] tls +ldap + sudo = no go?

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Mon May 22 06:49:41 EDT 2006


When I recommended using "SSL for authentication and not for sudo", I was referring to Solaris and AIX. Both have their own LDAP client. We're currently not managing Linux machines yet, so we do not have experience with nss-ldap.

The point I tried to make is that, at least in our situation, using SSL/TLS for sudo does not have much added value. When the sudo client retrieves information from the LDAP server, no user passwords are communicated over this sudo channel. Well, apart from the user you've configured to bind to the LDAP server of course, in your ldap.conf file.

If the user needs to authenticate when trying to use a particular sudo command, the user's password will be sent over the LDAP client channel (nss-ldap in your case) and not over the sudo client channel. Authentication will take place in an encrypted way, as long as you have configured the LDAP client (nss-ldap in your case) to work with SSL/TLS.

If the user is not defined in LDAP but locally, verification of the user's password will take place locally. Again, the sudo/ldap client will not communicate the user's password with the LDAP server. 

So, maybe sudo/ldap works with SSL/TLS. Or maybe not. But frankly, IMHO, from a security point of view, there is not much to gain from using sudo in combination with SSL/TLS.

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,

Huibert Kivits
Location code NA 00.92
T (020) 563 73 33, F (020) 563 70 02
E Huibert.Kivits at mail.ing.nl

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4

-----Original message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of Natxo Asenjo
Sent: Sunday, 21 May 2006 22:42
To: sudo-users at sudo.ws
Subject: [sudo-users] tls +ldap + sudo = no go?


After succeeding in compiling sudo --with-ldap --with-pam (I needed the pam-devel package) I have come across this problem. If I do not use TLS in /etc/ldap.conf, then sudo works perfectly. If I do use TLS (which is a must) then I get

sudo: uid 1000 does not exist in the passwd file!

A quick Google search reveals that this is a known 'problem|feature'. In this thread http://article.gmane.org/gmane.comp.tools.sudo.user/1659
Huibert Kivits suggests to use SSL for authentication and not for sudo. How does one do this? I thought that all went through nss-ldap.

So, is it impossible to use sudo + ldap + tls/ssl at this moment?
J.Asenjo

____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
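For readers following both messages above, the following is an added illustration (not code from either poster or from the sudo project) of the one file that sits at the centre of this discussion: the ldap.conf shared by nss_ldap/pam_ldap and sudo's LDAP support. It shows the plain-LDAP setting beside the StartTLS one, and marks which directives serve the user-lookup/authentication channel and which serve sudo's own sudoers lookup. The hostname, base DNs, certificate path and proxy account are assumptions.

```conf
# /etc/ldap.conf, shared by nss_ldap, pam_ldap and sudo's LDAP support.
# Added illustration; hostname, DNs, CA path and proxy account are assumed.

## Weak setting: plain LDAP on port 389. Every lookup, the proxy bind
## password below and, for users that pam_ldap authenticates, the user's
## own password cross the network in cleartext.
#uri ldap://ldap.example.com/
#ssl off

## Corrected setting: StartTLS on port 389, server certificate verified
## against a local CA bundle. nss_ldap, pam_ldap and sudo all read these
## same directives, so one setting protects both channels discussed above.
uri ldap://ldap.example.com/
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem

# Proxy account used for the directory bind (passwd, group and sudoers
# lookups). nss_ldap needs this file to be world-readable, so this password
# is visible to every local user: use a read-only account, never a
# privileged one.
binddn cn=proxy,ou=system,dc=example,dc=com
bindpw example-proxy-secret

# nss_ldap: where uids and gids are resolved from. This is the lookup
# behind "sudo: uid 1000 does not exist in the passwd file!" when sudo's
# invoking uid cannot be resolved through the directory.
base dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one

# sudo only: where the sudoRole entries live. Set sudoers_debug to 1
# temporarily to watch sudo's own queries while testing.
sudoers_base ou=SUDOers,dc=example,dc=com
sudoers_debug 0
```

To check the two channels separately before involving sudo, run `getent passwd 1000` (nss_ldap's lookup of the invoking uid) and `ldapsearch -x -ZZ -H ldap://ldap.example.com/ -b ou=SUDOers,dc=example,dc=com '(objectClass=sudoRole)'` (the sudoers lookup; `-ZZ` makes ldapsearch fail rather than fall back if StartTLS cannot be negotiated). If the first fails only when `ssl start_tls` is set, the problem is the TLS negotiation or certificate verification of the nss_ldap client, not sudo; the thread above does not establish which of the two was at fault in the poster's case.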