Lab 29.3: monitor decrypted LDAP stream with WireShark
Hi,
I followed all the steps in Lab 29.3 until step 10, where the line
ldap_tls_reqcert = never
in the file /etc/sssd/sssd.conf should cause the stream to be decrypted.
Firstly, this file doesn't exist on my Ubuntu system, I guess this is a typo. So I edited the file:/etc/sssd/conf.d/00-sssd.conf
Which was previously edited in step 2 of the Lab. I guess, this is the right one, isn't it?
Further after restarting the serviece with systemctl restart sssd
, the ldap stream is still encrypted and I see lots of TLS packages.
So I don't know if I did not understand the point of this exercise or there is something wrong with my configuration. Am I right that the ldap data stream should NOT be encryptd and I should see somewhere the login process with username and password in clear text?
Thanks,
Urs
Answers
-
Hi Urs,
in the file /etc/sssd/sssd.conf should cause the stream to be decrypted.
That configuration file is for Red Hat based systems.
Firstly, this file doesn't exist on my Ubuntu system, I guess this is a typo. So I edited the file:
/etc/sssd/conf.d/00-sssd.confYes, that's the one for Debian and Ubuntu systems.
Further after restarting the serviece with systemctl restart sssd, the ldap stream is still encrypted and I >see lots of TLS packages.
>
So I don't know if I did not understand the point of this exercise or there is something wrong with my >configuration. Am I right that the ldap data stream should NOT be encryptd and I should see >somewhere the login process with username and password in clear text?
Yes, the idea is that you could see data about the user.
Are you sure that the service sssd was restarted? Perhaps you can stop the service, check on the status of it and start ir again. If there is any issue, you could find something in the system log file /var/log/syslog .
Regards,
Luis.0 -
Hi Luis,
Thanks.
After configuration I rebooted the system. This what it looks like:
root@ubuntu-dt-vm:~# cat /etc/sssd/conf.d/00-sssd.conf [sssd] config_file_version = 2 domains = example.com services = nss, pam,autofs [domain/example.com] enumerate = true id_provider = ldap autofs_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://192.168.122.11/ ldap_search_base = dc=example,dc=com ldap_id_use_start_tls = true cache_credentials = True ldap_tls_reqcert = never root@ubuntu-dt-vm:~# root@ubuntu-dt-vm:~# root@ubuntu-dt-vm:~# getent passwd luser1 luser1:*:999001:999001:luser1:/home/users/luser1: root@ubuntu-dt-vm:~# root@ubuntu-dt-vm:~# root@ubuntu-dt-vm:~# ssh luser1@localhost luser1@localhost's password: Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-48-generic x86_64) [...]
And that is what it looks like in termshark during the ssh login. There are only 2 LDAP packages visible. The LDAP_START_TLS_OID suggest that TLS is used for authentication:
After/below the two LDAP packages, everything is TCP or TLSv1.3. I guess this is the actual SSH communication stream, which of course is encrypted:
So it looks as if anything is encrypted even though "ldap_tls_reqcert = never" is in the file /etc/sssd/conf.d/00-sssd.conf, even after a reboot.
What could be the reason?
Thanks,
Urs0 -
Hi Urs,
It took me some time but I was able to reproduce the environment and the "issue". So it's true that some data will be encrypted even if we are instructing the system not to. Anyway I was able to see some sensible data, as the DN for the user, the home directory, the uid and gid.
So, I found these data with a simpler filter: tcp port 389 , then look for "searchResEntry" and the DN "cn=luser1,dc=example,dc=com".
We are going to review this item of the lab and will update it.
Regards,
Luis.0 -
Hi Luis,
Thanks.
Displaying the ldapsearch command with WireShark is the last step of Lab 29.2 and happens before setting "ldap_tls_reqcert = never" in the /etc/sssd/conf.d/00-sssd.conf . So, the ldapsearch communication is already in plaintext even before changing 00-sssd.conf file.
Although, my post here is about Lab 29.3.
As I understand it, the decrypted authentication should be captured by Wireshark during the ssh login to localhost (ssh luser1@localhost), whereas the authentication will be sent to the LDAP server over the network. While the above ldapsearch is transmitted in plaintext, the initiation of the LDAP authentication starts with the LDAP_START_TLS_OID and shifts to TLS, while the communication will still be streamed over port 389 - which is intended to be unencrypted. Hence, the authentication credentials cannot be captured by Wireshark that way:Please tell me if I'm wrong.
Thanks,
Urs0 -
Hi Urs,
I think you are right. I had the same results as you and I saw the same behavior. In other services like ftp is easier to setup and see the credentials, but for some reason openldap is keeping the credentials in a secure way, which is very good in any case.
As I mentioned before, we are still checking on this lab.
Regards,
Luis.0 -
Hi Luis,
Ok, thanks for the update. Then I read the WireSharks output right.
Regards,
Urs1
Categories
- All Categories
- 167 LFX Mentorship
- 219 LFX Mentorship: Linux Kernel
- 801 Linux Foundation IT Professional Programs
- 358 Cloud Engineer IT Professional Program
- 180 Advanced Cloud Engineer IT Professional Program
- 83 DevOps Engineer IT Professional Program
- 149 Cloud Native Developer IT Professional Program
- 112 Express Training Courses
- 138 Express Courses - Discussion Forum
- 6.2K Training Courses
- 48 LFC110 Class Forum - Discontinued
- 17 LFC131 Class Forum
- 42 LFD102 Class Forum
- 227 LFD103 Class Forum
- 19 LFD110 Class Forum
- 39 LFD121 Class Forum
- 15 LFD133 Class Forum
- 7 LFD134 Class Forum
- 17 LFD137 Class Forum
- 63 LFD201 Class Forum
- 3 LFD210 Class Forum
- 5 LFD210-CN Class Forum
- 2 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum - Discontinued
- 1 LFD233 Class Forum
- 2 LFD237 Class Forum
- 23 LFD254 Class Forum
- 697 LFD259 Class Forum
- 109 LFD272 Class Forum
- 3 LFD272-JP クラス フォーラム
- 10 LFD273 Class Forum
- 154 LFS101 Class Forum
- 1 LFS111 Class Forum
- 1 LFS112 Class Forum
- 1 LFS116 Class Forum
- 1 LFS118 Class Forum
- LFS120 Class Forum
- 7 LFS142 Class Forum
- 7 LFS144 Class Forum
- 3 LFS145 Class Forum
- 1 LFS146 Class Forum
- 3 LFS147 Class Forum
- 1 LFS148 Class Forum
- 15 LFS151 Class Forum
- 1 LFS157 Class Forum
- 34 LFS158 Class Forum
- 8 LFS162 Class Forum
- 1 LFS166 Class Forum
- 1 LFS167 Class Forum
- 3 LFS170 Class Forum
- 2 LFS171 Class Forum
- 1 LFS178 Class Forum
- 1 LFS180 Class Forum
- 1 LFS182 Class Forum
- 1 LFS183 Class Forum
- 29 LFS200 Class Forum
- 736 LFS201 Class Forum - Discontinued
- 2 LFS201-JP クラス フォーラム
- 14 LFS203 Class Forum
- 135 LFS207 Class Forum
- 1 LFS207-DE-Klassenforum
- 1 LFS207-JP クラス フォーラム
- 301 LFS211 Class Forum
- 55 LFS216 Class Forum
- 48 LFS241 Class Forum
- 48 LFS242 Class Forum
- 37 LFS243 Class Forum
- 15 LFS244 Class Forum
- LFS245 Class Forum
- LFS246 Class Forum
- 50 LFS250 Class Forum
- 1 LFS250-JP クラス フォーラム
- LFS251 Class Forum
- 155 LFS253 Class Forum
- LFS254 Class Forum
- LFS255 Class Forum
- 5 LFS256 Class Forum
- 1 LFS257 Class Forum
- 1.3K LFS258 Class Forum
- 10 LFS258-JP クラス フォーラム
- 122 LFS260 Class Forum
- 159 LFS261 Class Forum
- 42 LFS262 Class Forum
- 82 LFS263 Class Forum - Discontinued
- 15 LFS264 Class Forum - Discontinued
- 11 LFS266 Class Forum - Discontinued
- 20 LFS267 Class Forum
- 25 LFS268 Class Forum
- 31 LFS269 Class Forum
- 3 LFS270 Class Forum
- 199 LFS272 Class Forum
- 1 LFS272-JP クラス フォーラム
- LFS274 Class Forum
- 3 LFS281 Class Forum
- 10 LFW111 Class Forum
- 261 LFW211 Class Forum
- 182 LFW212 Class Forum
- 15 SKF100 Class Forum
- 1 SKF200 Class Forum
- 1 SKF201 Class Forum
- 782 Hardware
- 198 Drivers
- 68 I/O Devices
- 37 Monitors
- 96 Multimedia
- 174 Networking
- 91 Printers & Scanners
- 83 Storage
- 758 Linux Distributions
- 80 Debian
- 67 Fedora
- 15 Linux Mint
- 13 Mageia
- 23 openSUSE
- 143 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 348 Ubuntu
- 461 Linux System Administration
- 39 Cloud Computing
- 70 Command Line/Scripting
- Github systems admin projects
- 90 Linux Security
- 77 Network Management
- 101 System Management
- 46 Web Management
- 64 Mobile Computing
- 17 Android
- 34 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 371 Off Topic
- 114 Introductions
- 174 Small Talk
- 19 Study Material
- 806 Programming and Development
- 304 Kernel Development
- 204 Software Development
- 1.8K Software
- 263 Applications
- 180 Command Line
- 3 Compiling/Installing
- 405 Games
- 309 Installation
- 97 All In Program
- 97 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)