[Nsspampgsql-devel] Bug#551389: Bug#551389: libnss-pgsql2: Public auth info in the nss-pgsql.conf allows Denial-of-Service attack to NSS

Denis Feklushkin denis.feklushkin at gmail.com
Sat Oct 31 05:27:31 UTC 2009


On Fri, 30 Oct 2009 15:58:55 +0100
Bram Senders <bram at luon.net> wrote:

> Hi there,
> 
> I'm considering using libnss-pgsql for using the same authentication
> information on several machines, and I'm interested in the following.
> 

If you want to build a system of multiple machines, I do not recommend
the use of NSS and network access to NSS for *authentication* at all (it
does not matter whether it is libnss-pgsql2 or another module).

Otherwise, an attacker who breaks into one of the machines and obtains
root permission will be able to immediately take all logins and
password hashes from your NSS DB.

NSS can be used for authorization but not for authentication. Use PAM
instead.
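A check for the setup the reply warns about, as an added example that is not part of the original message: it parses nsswitch.conf text and reports non-local sources on the databases that carry password hashes. The sample configurations are constructed, and the `pgsql` source name and the set of sources treated as local are assumptions.

```python
import re

# Assumption: these sources read local files only; anything else is
# treated as a backend reached over the network (pgsql, ldap, nis, ...).
LOCAL_SOURCES = {"files", "compat"}
# Databases that carry password hashes in the NSS model.
HASH_DATABASES = {"shadow", "gshadow"}


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        database, rest = line.split(":", 1)
        # Drop action items such as [NOTFOUND=return]; keep source names.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        config[database.strip().lower()] = rest.split()
    return config


def remote_hash_sources(text):
    """List (database, source) pairs where hashes come from a non-local source."""
    findings = []
    for database, sources in parse_nsswitch(text).items():
        if database in HASH_DATABASES:
            findings += [(database, s) for s in sources if s not in LOCAL_SOURCES]
    return findings


# Constructed sample: account data and hashes both come from PostgreSQL.
SAMPLE_RISKY = """\
passwd:  files pgsql
group:   files pgsql
shadow:  files [SUCCESS=return] pgsql   # hashes exposed through NSS
hosts:   files dns
"""
# Constructed sample: NSS supplies account identity only; password
# checking is left to PAM, as the reply recommends.
SAMPLE_SEPARATED = """\
passwd:  files pgsql
group:   files pgsql
shadow:  files
"""

if __name__ == "__main__":
    for name, text in (("risky", SAMPLE_RISKY), ("separated", SAMPLE_SEPARATED)):
        print(name, remote_hash_sources(text) or "no remote hash sources")
```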