
We consider that our investigation and implementation of centralised user authentication for NSC in Linköping has turned out well. After careful consideration, software was chosen and tested, and judging by how the system runs today the solution is both stable and secure. The biggest difference from the user's point of view is that one now has the same password on the various office computers that use LDAP for user authentication.

² This applies to the Samba server.


Appendix A

Verification of the encrypted connection

To verify that all communication with the OpenLDAP server was encrypted, we used the tool snort¹ for Linux. Snort captures every network packet that passes the computer's network card and lets the user analyse them. All network traffic on the segment up to the nearest switch can be eavesdropped on in this way without difficulty.

A.1 Without encryption

First a system was set up with OpenLDAP that used no form of encryption. Since we did not have access to a network with hubs, we had to capture the traffic on one of the computers involved. On the server, snort was started with snort -d -v host x, where x is the client's address.

The client was configured to use the LDAP server for authentication. When the user testuser then tries to log in on the client with the password losenord, the following request is sent over the network to the LDAP server.

06/06-10:55:42.204439 130.236.xxxxxx:44431 -> 130.236.yyyyyy:389
TCP TTL:64 TOS:0x0 ID:26006 IpLen:20 DgmLen:106 DF
***AP*** Seq: 0x672AB03  Ack: 0x28DD081  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 179557017 68893980
30 34 02 01 05 60 2F 02 01 03 04 20 75 69 64 3D  04...`/.... uid=
74 65 73 74 75 73 65 72 2C 6F 75 3D 55 73 65 72  testuser,ou=User
73 2C 6F 3D 6E 73 63 2C 63 3D 73 65 80 08 6C 6F  s,o=nsc,c=se..lo
73 65 6E 6F 72 64                                senord

As can be seen, the information is sent in clear text. The password field can be encrypted with MD5 or similar algorithms. A little later the LDAP server, on one or more occasions, sends information about the user back to the client. This too is unencrypted.

[Figure A.1: network diagram showing computer A, two hubs and a switch.]
Figure A.1. Computer A can in theory eavesdrop on all computers connected to the network up to the nearest switch. If that switch is misconfigured, traffic beyond it can be eavesdropped on as well.

¹ More information about Snort and similar tools can be found at www.snort.org.

06/06-10:55:42.208605 130.236.yyyyyyy:389 -> 130.236.xxxxxx:44430
TCP TTL:64 TOS:0x0 ID:45006 IpLen:20 DgmLen:398 DF
***AP*** Seq: 0x2D19EC7  Ack: 0x55496F7  Win: 0x2180  TcpLen: 32
TCP Options (3) => NOP NOP TS: 68894651 179557018
30 82 01 56 02 01 0B 64 82 01 4F 04 20 75 69 64  0..V...d..O. uid
3D 74 65 73 74 75 73 65 72 2C 6F 75 3D 55 73 65  =testuser,ou=Use
72 73 2C 6F 3D 6E 73 63 2C 63 3D 73 65 30 82 01  rs,o=nsc,c=se0..
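To make explicit what the two captures above contain, here is an added example that is not part of the thesis: a small decoder that reads the captured bytes as BER-encoded LDAP messages, the client's BindRequest (with its simple-authentication password) and the header of the server's SearchResultEntry. The byte strings are copied from the hex columns on this page; the server reply is cut off in the capture, so the decoder reports it as truncated and reads only its object name. The function and field names are my own, and the alert function shows the check a monitor on port 389 would apply to flag such binds.

```python
"""Decode the two LDAP messages captured in Appendix A from their BER encoding."""
from typing import Optional


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the hex column of a snort dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


# Copied from the hex dumps on the page. The server reply is truncated in the
# capture (DgmLen 398, but only 48 payload bytes shown), so only its header and
# object name are present.
BIND_REQUEST = hexdump_to_bytes("""
    30 34 02 01 05 60 2F 02 01 03 04 20 75 69 64 3D
    74 65 73 74 75 73 65 72 2C 6F 75 3D 55 73 65 72
    73 2C 6F 3D 6E 73 63 2C 63 3D 73 65 80 08 6C 6F
    73 65 6E 6F 72 64
""")
SEARCH_RESULT_ENTRY = hexdump_to_bytes("""
    30 82 01 56 02 01 0B 64 82 01 4F 04 20 75 69 64
    3D 74 65 73 74 75 73 65 72 2C 6F 75 3D 55 73 65
    72 73 2C 6F 3D 6E 73 63 2C 63 3D 73 65 30 82 01
""")


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value starting at buf[pos].

    Returns (tag, value, end), where end is the declared end offset; value is
    shorter than declared when the capture was cut off.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8n means n length octets follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_message(raw: bytes) -> dict:
    """Decode an LDAPMessage: SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    tag, body, end = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must start with a SEQUENCE (0x30)")
    _, msgid, pos = read_tlv(body, 0)
    op_tag, op_body, _ = read_tlv(body, pos)
    msg = {"message_id": int.from_bytes(msgid, "big"),
           "truncated": end > len(raw)}
    if op_tag == 0x60:                     # [APPLICATION 0] BindRequest
        _, version, pos = read_tlv(op_body, 0)
        _, name, pos = read_tlv(op_body, pos)
        auth_tag, cred, _ = read_tlv(op_body, pos)
        msg.update(op="bindRequest",
                   version=int.from_bytes(version, "big"),
                   name=name.decode("utf-8"))
        if auth_tag == 0x80:               # [0] simple: the password travels as-is
            msg["password"] = cred.decode("utf-8")
        else:
            msg["auth"] = "sasl"
    elif op_tag == 0x64:                   # [APPLICATION 4] SearchResultEntry
        _, name, _ = read_tlv(op_body, 0)  # objectName comes first; attributes follow
        msg.update(op="searchResEntry", object_name=name.decode("utf-8"))
    else:
        msg.update(op=f"unknown(0x{op_tag:02x})")
    return msg


def cleartext_bind_alert(raw: bytes) -> Optional[str]:
    """What a monitor on port 389 would flag: a simple bind whose password is readable."""
    msg = decode_ldap_message(raw)
    if msg.get("op") == "bindRequest" and "password" in msg:
        return f"cleartext simple bind for {msg['name']}"
    return None


if __name__ == "__main__":
    for raw in (BIND_REQUEST, SEARCH_RESULT_ENTRY):
        print(decode_ldap_message(raw))
    print(cleartext_bind_alert(BIND_REQUEST))
```

Running the script decodes the bind as message 5, LDAP version 3, DN uid=testuser,ou=Users,o=nsc,c=se with the password readable, and the reply as message 11, a SearchResultEntry for the same DN whose attribute list is missing from the capture. Once the connection is wrapped in TLS, the same parser applied to the captured payload fails at the first tag check, which is exactly the condition the next section verifies.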

A.2 Encrypted with TLS
