On (30/09/15 09:38), Jakub Hrozek wrote:
>Hi,
>
>to help the OpenSCAP integration, I prepared a wiki page that contains
>options which have a security impact -- either positive (drop root) or
>negative (ignore certificate validation issues).
>
>I also tried to explain the effect of the options along with the
>description. There are some more items that can be included, but I
>wasn't sure about them myself, like:
>    * should obfuscated passwords be mentioned? I wasn't sure because on
>      one hand it really doesn't provide any benefit, on the other hand,
>      the option can be used to check a compliance box that requires no
>      passwords be stored in files.
>    * should the page warn against the
>      auth-option-that-shall-not-be-mentioned or politely deny its
>      existence? :-)
>    * What about fd_limit? Should resource consumption be considered
>      a security property, especially if we already honor system default? I
>      think here the default is enough, so I didn't document that option.
>
>Please provide your comments or edit the wiki directly. Thanks!
I'm not sure about the security implication, but it might be good
to avoid using plaintext passwords for authtok in sssd.conf.

ldap_default_authtok_type = password.

I'm not sure about obfuscated_password.
What do you think?

LS
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel