[sudo-users] LDAP Password Security

Grant Taylor gtaylor at tnetconsulting.net
Mon Apr 6 20:27:34 MDT 2020


On 4/6/20 5:10 PM, LE BOUTER Leo wrote:
> Hello,

Hi,

> I am looking to use LDAP with sudo but I am concerned about the 
> idea of every server having access to the user's LDAP password at 
> authentication time.

I am having trouble unpacking what your concern is.

  - What is running on the server at authentication time that would have 
access to the user's LDAP password?
  - Are you trying to have LDAP bind to the LDAP server as the user in 
question to test said user's password validity?

> Are there any alternative ways of authenticating?

(See above.)

There are many ways to authenticate various different things to various 
different other things.  It really depends on what each of the things is.

> Considering most if not all my users will reach the server through SSH, 
> is there a way to re-use the GSSAPI/Kerberos facility here?

Does GSSAPIDelegateCredentials / -K do what you want?

Are you using Kerberos (GSSAPI) to authenticate the client to the server?

I have used Kerberos to have users authenticate their LDAP clients to 
the LDAP server.  This sounds similar to what you might be wanting.

> It would give me greater peace of mind if instead of their password 
> a temporary "kerberos token" specific to their current SSH session 
> was used.

I'm not fluent in Kerberos, but I think that you can get fancy with the 
tokens and restrict access to specific tokens.

Elephant in the room:  What does any of this have to do with sudo?

The last time I looked into authenticating a user to sudo using 
Kerberos, I found that it had been removed for some reason.

Perhaps it was that sudo had removed direct Kerberos support in favor of 
relying on PAM to provide the Kerberos support.

I know that the following is possible:

1)  Authenticate an SSH client to an SSH server using Kerberos.
2)  Authenticate said client on said server to an LDAP server via Kerberos.

I can't point to How-Tos, but I believe the following should be possible:

3)  Authenticate said client on said server to sudo on said server.

Note:  I think that sudo should use machine specific credentials to bind 
to LDAP and query the sudoers entries.  More specifically, I think that 
sudo should NOT re-use the user's credentials to bind to LDAP.

> Thanks

You're welcome.  I hope that helps.



-- 
Grant. . . .
unix || die
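To make the note about machine-specific LDAP credentials concrete, here is an added example of a sudo LDAP client configuration (not from the message above or from the sudo project's own docs): the discouraged form that stores a reusable bind password on every host, beside the form that binds with the host's own Kerberos credentials via SASL/GSSAPI. The file path, LDAP host, base DN, certificate path and credential-cache path are placeholders, and the k5start service that keeps the cache filled from the host keytab is an assumed setup.

```ini
# /etc/sudo-ldap.conf  (constructed example; path and values are placeholders)
# sudo reads this file as root, so anything in it is as safe as the host.

# Where sudo looks for sudoRole entries.
uri            ldaps://ldap.example.com
sudoers_base   ou=SUDOers,dc=example,dc=com
tls_cacertfile /etc/ssl/certs/example-ca.crt

# --- Discouraged: a reusable password stored on every server ---
# binddn  uid=sudo-lookup,ou=People,dc=example,dc=com
# bindpw  SomeSharedSecret
# Every host holds the same long-lived secret, and nothing ties it to
# the host, so a compromised server leaks a credential that is valid
# everywhere.  Never reuse the logged-in user's credentials here either.

# --- Preferred: machine-specific credential via SASL/GSSAPI ---
use_sasl     on
sasl_mech    GSSAPI
# Credential cache holding a ticket for this host's own principal.
# Assumed setup: a k5start service keeps it fresh from the host keytab,
# e.g.  k5start -f /etc/krb5.keytab -U -K 10 -k /var/run/sudo.ccache
# sudo binds as host/<fqdn>@REALM and never touches the user's
# password or the user's SSH-session TGT.
krb5_ccname  /var/run/sudo.ccache
```

Directory-side, the host principal only needs read access to the sudoers subtree, so a compromised host can look up sudoRole entries but cannot act as any user.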


