On 08/17/2012 12:27 AM, Ray wrote:
> Steve & Rich:
>
> I prefer different passwords because of security concerns: If a user
> (with both IMAP and SSH access) hacks his/her mail password into a
> compromised box (keylogger, for instance, internet café…), then the
> expected damage would be limited to the mail account only. If the same
> password works for SSH also, then it's possible to screw up all files
> of that user; worse even, if there is some rights-elevation bug around
> at the time - then the entire box might be at risk.
>
> Getting a second set of userpassword attributes then either would
> require me to run a second instance, or I would have to resort to the
> likes of sasldb for the mail side of things…
>
> Would there be a way to patch some schema file with an extra password
> attribute ("mailuserpassword")? I have absolutely no clue about schema
> writing though… is there something you can recommend me to read (book,
> website, …) on this topic?
You could use your own attribute. But how will the application know
how to use it? You cannot use it with an LDAP BIND request since that
only knows about the userPassword attribute. So your application would
have to deal with hashing, comparison, etc. in a secure way. If you
really want to go this route, take a look at the schema file
05rfc4524.ldif - the simpleSecurityObject objectclass. You would do
something similar e.g. create your custom password attribute (by
copying/altering the definition of the userPassword attribute), then
create your custom SecurityObject objectclass based on copying/altering
simpleSecurityObject. Then you would use ldapmodify to add your custom
objectclass to every entry that needs it.
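Worked example of the custom-attribute route sketched in the reply above. This is added code, not from the original thread and not part of 389 Directory Server; the attribute name mailUserPassword, the objectclass name mailSecurityObject, the OIDs under the placeholder arc 1.3.6.1.4.1.99999 and the {PBKDF2-SHA256} storage format are all assumptions chosen for illustration. It produces the cn=schema modification (the attribute definition copied from userPassword, the objectclass from simpleSecurityObject), the per-entry ldapmodify change, and the hashing and constant-time comparison the IMAP side has to do itself, since a BIND will never look at this attribute.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed names and OIDs: none of these exist in any shipped schema, and the
# 1.3.6.1.4.1.99999 arc is a placeholder that must be replaced with a
# private-enterprise arc you actually own.
MAIL_PW_ATTR = "mailUserPassword"
MAIL_OC = "mailSecurityObject"
ATTR_OID = "1.3.6.1.4.1.99999.1.1"
OC_OID = "1.3.6.1.4.1.99999.2.1"
HASH_PREFIX = "{PBKDF2-SHA256}"  # assumed on-the-wire format: prefix + iters$salt$dk


def schema_ldif() -> str:
    """LDIF that adds the custom attribute and objectclass over LDAP.

    The attribute copies userPassword (RFC 4519: octetStringMatch, Octet
    String syntax, 128-byte bound); the objectclass copies
    simpleSecurityObject (RFC 4524) but requires the new attribute instead.
    Apply as Directory Manager: ldapmodify -x -D "cn=Directory Manager" -W -f schema.ldif
    """
    return (
        "dn: cn=schema\n"
        "changetype: modify\n"
        "add: attributeTypes\n"
        f"attributeTypes: ( {ATTR_OID} NAME '{MAIL_PW_ATTR}' "
        "DESC 'Password accepted only for mail access' "
        "EQUALITY octetStringMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )\n"
        "-\n"
        "add: objectClasses\n"
        f"objectClasses: ( {OC_OID} NAME '{MAIL_OC}' SUP top AUXILIARY "
        f"MUST {MAIL_PW_ATTR} )\n"
    )


def hash_mail_password(password: str, salt: Optional[bytes] = None,
                       iterations: int = 200_000) -> str:
    """Hash a mail password for storage in the custom attribute.

    The server will never hash this attribute for us (only userPassword gets
    that treatment), so the application salts and stretches it itself.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"{HASH_PREFIX}{iterations}${b64(salt)}${b64(dk)}"


def verify_mail_password(password: str, stored: str) -> bool:
    """Compare a presented password against the stored attribute value.

    Returns False (never raises) on an unrecognised or malformed value so a
    garbage attribute cannot turn into an exception path in the IMAP login.
    """
    if not stored.startswith(HASH_PREFIX):
        return False
    try:
        iters, salt_b64, dk_b64 = stored[len(HASH_PREFIX):].split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:  # covers bad unpacking, int() and binascii.Error
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: never compare password hashes with ==.
    return hmac.compare_digest(candidate, expected)


def entry_ldif(dn: str, mail_password: str) -> str:
    """LDIF that attaches the objectclass and a hashed mail password to one entry."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: objectClass\n"
        f"objectClass: {MAIL_OC}\n"
        "-\n"
        f"add: {MAIL_PW_ATTR}\n"
        f"{MAIL_PW_ATTR}: {hash_mail_password(mail_password)}\n"
    )


if __name__ == "__main__":
    print(schema_ldif())
    # Constructed example DN; not taken from the thread.
    print(entry_ldif("uid=ray,ou=People,dc=example,dc=com", "mail-only secret"))
```

On the IMAP side the flow is: bind as the mail service account, search for the user's entry, read mailUserPassword, and call verify_mail_password on it. Because this attribute is not userPassword, the directory gives it no special protection: the anonymous-access ACI that setup writes excludes only userPassword from read, so add an ACI that denies read of the new attribute to everyone but the mail service account before populating it, or the hashes are world-readable.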
Another simple solution here, if you're concerned enough about security to consider
setting up something this convoluted, would be to stop accepting passphrases as valid
authentication for SSH sessions.