SYSKEY2. Request For Comments

Phil Mayers p.mayers at ic.ac.uk
Mon Feb 7 20:17:43 GMT 2000


Hmm. Interesting point which I hadn't considered. For LDAP I would say
that the entry really ought to be ACL'd anyhow (they are here at my
site) which is similar to having a separate password-protected database
file. Hmm. NIS and SQL I don't know about though.

Cheers,
Phil

Luke Kenneth Casson Leighton wrote:
> 
> On Mon, 7 Feb 2000 jeremy at valinux.com wrote:
> 
> > >
> > > phil, this isn't about root being trusted or untrusted.  it's about making
> > > sure that only root can decode a password stored in a location in a
> > > publicly accessible file.
> > >
> > >
> > > On Sat, 5 Feb 2000, Phil Mayers wrote:
> > >
> > > > I'm afraid I agree. If you don't trust root, then you're screwed. If
> > > > someone gets a root shell on the machine, you're deader than corduroy.
> > > > They can essentially do anything, hence it adds no real security, just
> > > > puts another step in the way.
> >
> > But passwords should *never* be stored in a publicly accessible
> > file - not even obfuscated !
> 
> for, say, ldap, which is publicly accessible, we don't have any choice.
> 
> > Luke - just because NT does it doesn't mean it is a good
> > idea. Don't code this up. If you do it'll be a waste of
> > your efforts as it will not go into a stable release.
> 
> jeremy, that's silly.
> 
> if this was only a matter of local-filesystem-based password storage, i
> wouldn't bother, or i would be pushing the off-line storage of syskey
> more.
> 
> but it's not.  think.  ldap.  sql.  nis+.  we can't trust them, and
> they're all publicly accessible network protocols.
> 
> 
> > If the key is stored off machine in some way then that's a
> > different matter, as that actually does add some security.
> 
> that is one option.
> 
> > It would, however, mean that human intervention is needed
> > to restart Samba on a machine. Every time (no unattended boots).
> 
> yes. for those people prepared to pay that price, fine.
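The mechanism the thread is arguing over is a SYSKEY-style wrapper: the stored password hash is encrypted under a key the server holds at boot, so that whoever can read the backend (an LDAP entry, an NIS map, an SQL row) gets only ciphertext, while the server can still unwrap it. The following is an added example written for this page, not Samba's code and not the scheme Samba actually implemented; it uses only the Python standard library (PBKDF2 for key derivation, HMAC-SHA256 in counter mode as a stream cipher, and a second HMAC as an encrypt-then-MAC tag), and the `{SYSKEY}` attribute format, the key name `syskey`, and the sample hash bytes are all constructed for illustration. It demonstrates the two properties the thread cares about: a reader of the backend without the key cannot recover or silently alter the hash, and anyone who does hold the key (root on the host, if the key lives there, or the operator who supplies it at startup in the off-machine option) can.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed example of a SYSKEY-style wrapper for a stored password hash.
# Not Samba's actual scheme. Standard library only: PBKDF2 derives separate
# encryption and MAC keys from the boot-time syskey; HMAC-SHA256 in counter
# mode is used as a keystream; an encrypt-then-MAC tag detects tampering.

KEY_LEN = 32
PREFIX = "{SYSKEY}"  # hypothetical attribute-value tag, not a real LDAP scheme


def derive_keys(syskey: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the syskey material."""
    material = hashlib.pbkdf2_hmac("sha256", syskey, salt, 100_000, dklen=2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, producing `length` keystream bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(nt_hash: bytes, syskey: bytes) -> str:
    """Wrap a stored hash for a publicly readable backend entry.

    Returns a string of the form {SYSKEY}salt:nonce:ciphertext:tag (all hex).
    A fresh salt and nonce per record keep keystreams from ever repeating.
    """
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(syskey, salt)
    ct = bytes(a ^ b for a, b in zip(nt_hash, _keystream(enc_key, nonce, len(nt_hash))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return PREFIX + ":".join(part.hex() for part in (salt, nonce, ct, tag))


def unprotect(stored: str, syskey: bytes) -> bytes:
    """Unwrap a {SYSKEY} value; raises ValueError on wrong key or tampering.

    The tag is checked before any decryption, so a reader who can modify the
    backend entry cannot substitute a hash of their choosing unnoticed.
    """
    if not stored.startswith(PREFIX):
        raise ValueError("not a SYSKEY-wrapped value")
    try:
        salt, nonce, ct, tag = (bytes.fromhex(p) for p in stored[len(PREFIX):].split(":"))
    except ValueError as exc:
        raise ValueError("malformed SYSKEY value") from exc
    enc_key, mac_key = derive_keys(syskey, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed sample: a 16-byte stand-in for an NT hash and a boot-time key.
    sample_hash = bytes(range(16))
    boot_key = b"constructed-syskey-material"
    entry = protect(sample_hash, boot_key)
    print("stored attribute value:", entry)
    print("unwrapped with the key:", unprotect(entry, boot_key).hex())
    try:
        unprotect(entry, b"some-other-key")
    except ValueError as err:
        print("unwrap without the right key:", err)
```

The wrapper only relocates the secret: the backend now needs the syskey instead of the hash, and the thread's point about root stands, since a host that keeps the key on its own filesystem for unattended boots gives root on that host everything needed to unwrap every entry. Keeping the key off the machine removes that, at the cost of an operator typing it in at each restart.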