[sudo-users] LDAP Password Security

LE BOUTER Leo leo.lebouter-ext at aphp.fr
Tue Apr 7 08:25:34 MDT 2020


That's exactly it.

I was comparing sudo to how SSO would work on the web.
SSO on the web uses an Identity Server that only gives a service specific temporary token, not the user's password.
Here, users have to give their password to each server that has sudo installed.

Seeing your other message, I'll consider password-less sudo, though I don't think that's too good,
because it means a program running under any logged-in user can also execute sudo with their permissions.

Only imperfect solutions here, it seems.

Thanks

Leo Le Bouter
Infrastructure Security Engineer
Entrepôt de Données de Santé (WIND)

________________________________________
From: sudo-users [sudo-users-bounces at sudo.ws] on behalf of Michael Ströder [michael at stroeder.com]
Sent: Tuesday, April 07, 2020 12:38 PM
To: sudo-users at sudo.ws
Subject: Re: [sudo-users] LDAP Password Security

On 4/7/20 4:27 AM, Grant Taylor via sudo-users wrote:
> On 4/6/20 5:10 PM, LE BOUTER Leo wrote:
>> I am looking to use LDAP with sudo but I am concerned about the idea
>> of every server having access to the user's LDAP password at
>> authentication time.
>
> I am having trouble unpacking what your concern is.

The valid concern is that if one of your servers got rooted without you
detecting this, the next user password input triggered by sudo could be
intercepted. And then the long-term password could be abused somewhere
else, on another system not yet rooted by the attacker.

Ciao, Michael.
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
https://www.sudo.ws/mailman/listinfo/sudo-users
