On Tue, Feb 01, 2011 at 10:23:21AM -0600, Dan White wrote:
>> You should bear in mind that ultimately you're going to have some sort of "password" stored in a file somewhere on the client machine - whether it be a Kerberos keytab, or the private key for a TLS certificate, or something else. Anyone who has root on the client box will be able to use those credentials.

> Yes, but you can protect the keytab file from the service making the LDAP client connection, so that a particular service getting compromised does not obtain access to the keytab file.

> If a service were to be compromised then the attacker would have access to the server for the remainder of the life of the Kerberos TGT only.

That's true. They may only get 10 hours to complete their attack - if they take the credentials away. If they stay on the machine then they'll get the refreshed ones.

> And for services running on the same system, EXTERNAL over ldapi is ideal.

In that case you're using the Unix uid/gid to authenticate the user - so anyone who breaks into the service will automatically get the same rights as that service, for as long as they're still on the system.

But I agree that having a single BindDN/Password and sharing it between all machines is a bad idea, because they can be re-used from elsewhere on the network, and it's hard to recover from a compromise.

With Kerberos, you've already got a distinct host key per machine, so you might as well leverage it.
Regards,
Brian.