[Systems] sunjammer's LDAP admin password changed

Bernie Innocenti bernie at codewiz.org
Sat Apr 9 21:01:47 EDT 2016


Perhaps I figured out how the mysterious test user was created in our LDAP
database: the role account cn=admin,dc=sugarlabs,dc=org had a weak crypt
password hash WITHOUT SALT DAMMIT!!1! These are trivially crackable in
*seconds* with free online tools.

The weak password was stored both in the ldap database itself and in
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif. slapd is
configured to expose passwords only to root, but perhaps it was
retrievable by user www-data through some other kind of escalation.

Anyway. I changed the admin password and this time it uses a strong hash
algorithm (sha512 with 16 chars of salt, which is the system default
nowadays). Contact me via gpg-encrypted email or Signal to receive the
new password.

Samuel and I spoke earlier today and we don't see a real need to keep
LDAP around for a handful of users on a single shell server. It's a
management burden, the learning curve for new sysadmins is steep, and it
may actually weaken our security if it's not configured properly.
Therefore we're thinking of migrating all users back to passwd/shadow
and getting rid of openldap altogether... unless someone can make a case for it.

-- 
 _ // Bernie Innocenti
 \X/  http://codewiz.org
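As an added example (not part of the message above, nor Sugar Labs' or OpenLDAP's own code), here is a small audit script for the kind of problem Bernie describes: it reads an LDIF dump, classifies each userPassword / olcRootPW value by hash scheme and salt length, runs a toy dictionary attack to show why an unsalted digest falls in one lookup, and mints a fresh 16-character salt in the `$6$` sha512-crypt format. The LDIF, the DNs under dc=example,dc=org, the password "test", the wordlist and the sha512-crypt hash body for "carol" are all constructed for this example; only the salt format of that last entry is inspected.

```python
"""Audit OpenLDAP password hashes in an LDIF dump (userPassword / olcRootPW).

Added example; the sample LDIF below is constructed. The {SSHA} value is
computed at import time, so it is a genuine hash of the toy password "test".
"""
import base64
import hashlib
import re
import secrets

TOY_WORDLIST = ["password", "test", "letmein", "changeme"]   # constructed
CRYPT_SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def ssha(password: bytes, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64( sha1(password || salt) || salt )."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


ALICE_PW = ssha(b"test", b"saltsalt")
BOB_PW_B64 = base64.b64encode(b"{CRYPT}abJnggxhB/yWI").decode()   # DES crypt("password", "ab")

SAMPLE_LDIF = """# constructed sample: hypothetical entries, {SHA} value is sha1("test")
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,dc=sugarlabs,dc=org
olcRootPW: {SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
userPassword: %s

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
userPassword:: %s

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: carol
# hash body below is a placeholder; only the $6$ salt format is checked
userPassword: {CRYPT}$6$rounds=5000$0123456789abcdef$placeholderHashValue
""" % (ALICE_PW, BOB_PW_B64)


def parse_ldif(text: str):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values.
    Returns a list of (dn, {attribute: [values]}); comment lines are skipped."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)                   # RFC 2849 line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
            if not m:                                     # comments, junk
                continue
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def assess(value: str):
    """Classify one stored password value as (verdict, reason);
    verdict is 'WEAK', 'ACCEPTABLE' or 'STRONG'."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value, re.S)
    if not m:
        return "WEAK", "cleartext, no {scheme} prefix"
    scheme, data = m.group(1).upper(), m.group(2)
    if scheme == "CLEARTEXT":
        return "WEAK", "cleartext"
    if scheme in ("SHA", "MD5"):
        return "WEAK", "{%s} is unsalted: one precomputed lookup cracks every user sharing the password" % scheme
    if scheme in ("SSHA", "SMD5"):
        return "ACCEPTABLE", "{%s} is salted, but a single fast hash iteration" % scheme
    if scheme == "CRYPT":
        if data.startswith("$6$") or data.startswith("$5$"):
            fields = data.split("$")[2:]                  # drop '' and the '6'/'5' id
            if fields and fields[0].startswith("rounds="):
                fields = fields[1:]
            if len(fields) < 2:
                return "WEAK", "malformed crypt(3) hash"
            algo = "sha512" if data[1] == "6" else "sha256"
            if len(fields[0]) >= 16:
                return "STRONG", "%s-crypt with %d-char salt" % (algo, len(fields[0]))
            return "ACCEPTABLE", "%s-crypt but only %d-char salt (16 is the glibc default)" % (algo, len(fields[0]))
        if data.startswith("$2"):
            return "STRONG", "bcrypt"
        if data.startswith("$1$"):
            return "WEAK", "md5-crypt: legacy MD5 with an 8-char salt"
        if len(data) == 13:
            return "WEAK", "traditional DES crypt: 2-char salt, password truncated to 8 chars"
        return "WEAK", "unrecognised crypt(3) format"
    if scheme.startswith("PBKDF2") or scheme == "ARGON2":
        return "STRONG", "{%s} is an iteration/memory-hard KDF" % scheme
    return "WEAK", "unknown scheme {%s}" % scheme


def try_crack(value: str, wordlist):
    """Dictionary attack on {SHA}/{SSHA}; returns the password or None.
    {SHA} digests are precomputed once (a rainbow table in miniature);
    {SSHA} forces fresh sha1 work per hash because of the salt."""
    m = re.match(r"^\{(SHA|SSHA)\}(.*)$", value)
    if not m:
        return None
    raw = base64.b64decode(m.group(2))
    if m.group(1) == "SHA":
        table = {hashlib.sha1(w.encode()).digest(): w for w in wordlist}
        return table.get(raw)
    digest, salt = raw[:20], raw[20:]
    for w in wordlist:
        if hashlib.sha1(w.encode() + salt).digest() == digest:
            return w
    return None


def audit(ldif_text: str):
    """{dn: (attribute, verdict, reason, cracked_password_or_None)} per password-bearing entry."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        for attr in ("olcRootPW", "userPassword"):
            for value in attrs.get(attr, []):
                verdict, reason = assess(value)
                report[dn] = (attr, verdict, reason, try_crack(value, TOY_WORDLIST))
    return report


def new_sha512_crypt_salt(length: int = 16) -> str:
    """Fresh '$6$<salt>' prefix for crypt(3)/slappasswd; 16 chars is glibc's default."""
    return "$6$" + "".join(secrets.choice(CRYPT_SALT_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for dn, (attr, verdict, reason, cracked) in audit(SAMPLE_LDIF).items():
        print("%-10s %-45s %s: %s%s" % (verdict, dn, attr, reason,
                                        "  [cracked: %r]" % cracked if cracked else ""))
    print("fresh salt:", new_sha512_crypt_salt())
```

Run it against a real dump (`slapcat` for the data DB, `slapcat -n 0` for cn=config) instead of SAMPLE_LDIF. To generate the replacement hash in the format the script grades STRONG, the standard slappasswd options are `slappasswd -h '{CRYPT}' -c '$6$%.16s'`, and slapd can be told to store new passwords that way with `olcPasswordHash: {CRYPT}` plus `olcPasswordCryptSaltFormat: $6$%.16s` in cn=config (the slapd.conf equivalents are `password-hash` and `password-crypt-salt-format`); the script's own salt generator is only there to show what that 16-character salt looks like.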

