[unisog] LDAP access for 3rd parties

Peter Van Epp vanepp at sfu.ca
Wed Feb 13 18:58:58 GMT 2008


On Wed, Feb 13, 2008 at 01:15:45PM -0500, Oscar Knight wrote:
> Hello Brian,
> 
> Thanks for replying.
> 
> I'm talking about just the ability to do a bind, ie to authenticate.
> The username and raw password are required to do the bind.  My  issue
> is the fact that the 3rd party has the raw password.
> 
> Password consolidation is the current rage.  Our users have one password
> that gets them access to state and federally protected information as
> well as other information.  Does it make sense for our users to enter
> their password on an external server for which our institution has
> absolutely no control and no checks or audits?
> 
> All it would take is a line or two of code at the 3rd party site to
> store the username/password.   I'm not accusing 3rd parties of
> intentional malice, just pointing out the risk.
> 
<snip>

	Then (assuming the data is important enough to generate the required
level of interest i.e. someone willing to fund it) two factor authentication
is what you want. The remote site doesn't get passwords at all only an 
encrypted one time authentication (skey or opie will do this for free and 
without dongles at the cost of administrative process and user education). You 
are correct any remote authentication which requires the user to provide a 
reusable password is potentially compromisable but that should have been part 
of the risk assessment that happened when access to that application was 
signed off on by the appropriate authorities. I'd also note I'd be a lot more
concerned about the user's own machine (assuming you don't have locked down 
desktops) than a vendor application although a lot of them are pretty bad too.
The bottom line is reusable passwords are just plain evil, the problem is the
cost of the alternatives.
	Your only point of potential fault would be in not pointing this
possibility out to the people making the decision to grant access as part
of the risk assessment. At least here, the security tail can't wag the 
university dog, we can only point out the risks although doing so to your
risk manager or internal auditor as well as the person that wants the 
application is often useful.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


More information about the unisog mailing list