[unisog] LDAP access for 3rd parties
Peter Van Epp
vanepp at sfu.ca
Wed Feb 13 18:58:58 GMT 2008
On Wed, Feb 13, 2008 at 01:15:45PM -0500, Oscar Knight wrote:
> Hello Brian,
> Thanks for replying.
> I'm talking about just the ability to do a bind, i.e. to authenticate.
> The username and raw password are required to do the bind. My issue
> is the fact that the 3rd party has the raw password.
> Password consolidation is the current rage. Our users have one password
> that gets them access to state and federally protected information as
> well as other information. Does it make sense for our users to enter
> their password on an external server for which our institution has
> absolutely no control and no checks or audits?
> All it would take is a line or two of code at the 3rd party site to
> store the username/password. I'm not accusing 3rd parties of
> intentional malice, just pointing out the risk.
Then (assuming the data is important enough to generate the required
level of interest, i.e. someone willing to fund it) two-factor authentication
is what you want. The remote site doesn't get passwords at all, only an
encrypted one-time authentication (skey or opie will do this for free and
without dongles, at the cost of administrative process and user education). You
are correct, any remote authentication which requires the user to provide a
reusable password is potentially compromisable, but that should have been part
of the risk assessment that happened when access to that application was
signed off on by the appropriate authorities. I'd also note I'd be a lot more
concerned about the user's own machine (assuming you don't have locked-down
desktops) than a vendor application, although a lot of them are pretty bad too.
The bottom line is reusable passwords are just plain evil; the problem is the
cost of the alternatives.
Your only point of potential fault would be in not pointing this
possibility out to the people making the decision to grant access as part
of the risk assessment. At least here, the security tail can't wag the
university dog; we can only point out the risks, although doing so to your
risk manager or internal auditor as well as the person that wants the
application is often useful.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
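The hash-chain one-time-password scheme behind S/Key and OPIE, written out as an added example (not code from the post or from either implementation) to show why a third-party site that sees the value the user types never obtains anything reusable. It assumes SHA-256 as the chain step (the real tools use a folded MD4/MD5) and constructed seed and counter values.

```python
import hashlib
import hmac


def step(value: bytes) -> bytes:
    """One link of the hash chain (constructed with SHA-256; S/Key uses folded MD4)."""
    return hashlib.sha256(value).digest()


def chain(seed: bytes, count: int) -> bytes:
    """H^count(seed): the user computes this locally from the secret seed."""
    value = seed
    for _ in range(count):
        value = step(value)
    return value


class OtpVerifier:
    """Remote (third-party) side: holds only the last accepted hash, never the seed."""

    def __init__(self, seed: bytes, n: int) -> None:
        # Enrolment hands the server H^n(seed); the seed itself stays with the user.
        self.current = chain(seed, n)
        self.remaining = n

    def verify(self, otp: bytes) -> bool:
        """Accept otp only if hashing it once reproduces the stored value."""
        if self.remaining <= 0:
            return False
        if not hmac.compare_digest(step(otp), self.current):
            return False
        # Each accepted value becomes the new anchor, so it can never be replayed.
        self.current = otp
        self.remaining -= 1
        return True


def demo(seed: bytes = b"constructed-user-seed", n: int = 5) -> dict:
    """Walk through two logins plus a replay of a value a logging site might keep."""
    server = OtpVerifier(seed, n)
    first = chain(seed, n - 1)          # what the user types on login 1
    results = {"first_login": server.verify(first)}
    # A site that stored the typed value and tries it again gets nowhere:
    results["replay_of_captured"] = server.verify(first)
    # The next valid value is H^(n-2)(seed), which cannot be derived from H^(n-1)(seed).
    results["second_login"] = server.verify(chain(seed, n - 2))
    results["remaining"] = server.remaining
    return results
```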