4

I have nss & pam configured so that I can authenticate Linux users via LDAP against my company's AD server. All works fine except passwords are sent in plain text. For reasons out of my control our AD server does not support SSL/TLS and I don't think I can convince them to turn it on. Is it possible to configure this so that passwords are hashed before they are sent? In other words, AD stores passwords hashed, so why can't I just configure nss & pam ldap to send the password already hashed and have the hash compared on the LDAP server? I think I have configured other software packages to do this in the past...

Terry Gardner
startoftext

3 Answers

4

No, because then all an attacker would need to do to impersonate a user would be to obtain the hash, with no need to crack it, rendering the hashing aspect of password storage pointless.

The approach that would satisfy this kind of need would be some sort of challenge/response authentication (CHAP, HMAC, NTLM...), which I don't believe is an option in a raw LDAP connection.

SSL is really easy to enable on a Domain Controller - it's automatic if it has an appropriate certificate - so, I'd suggest convincing the powers that be to go that route.

Shane Madden
4

An alternative would be to use Kerberos 5 instead of an LDAP simple bind, simply via pam_krb5 for authentication only. libnss would then only use LDAP to resolve users. This way there's at least no plain text password transmission, but all the LDAP queries are of course transmitted in plain text. Note that the account needed for the simple bind to query the directory should be Domain Guest or some highly unprivileged account, etc.

This is also trivial to do.

pfo
0

Sending pre-encoded passwords is a terrible idea. The directory server cannot enforce password quality without knowing the password; this lack of capability is in and of itself a deal-breaker in any but the most trivial environment. If your directory server cannot support encrypted communication, then it should not be used for this type of critical application.

Terry Gardner