There is a configuration parameter that can be set to protect the workstation from this attack. If the workstation isn’t authenticating the KDC, it will accept the reply from the rogue server and let john in. What he has to do now is to have his rogue KDC respond to the login request from the workstation, before (or instead of) the real KDC.
#UBUNTU XSCREENSAVER SSSD PASSWORD#
The attacker first deploys a rogue KDC server in the network, and creates the john principal there with a password of his choosing. Let’s say he knows john is a valid user on that machine. The objective of the attacker is to login on a workstation that is using Kerberos authentication. When using SSSD to manage kerberos logins on a Linux host, there is an attack scenario you should be aware of: KDC spoofing. Ticket cache: FILE:/tmp/krb5cc_10001_BOrxWrĠ4/17/20 20:29:50 04/18/20 06:29:50 until 04/18/20 logged in using the kerberos password, and user/group information from the LDAP server. Let’s try a login as this user: sudo login The user john should be known to the system: getent passwd john Note how the john user has no userPassword attribute. In this example, the LDAP server has the following user and group entry we are going to use for testing: dn: uid=john,ou=People,dc=example,dc=comĭn: cn=Engineering,ou=Group,dc=example,dc=com To enable automatic home directory creation, run the following command: sudo pam-auth-update -enable mkhomedir
Start the sssd service: sudo systemctl start rvice This example uses two KDCs, which made it necessary to also specify the krb5_kpasswd server because the second KDC is a replica and is not running the admin server. SSSD ConfigurationĬreate the /etc/sssd/nf configuration file, with permissions 0600 and ownership root:root, and this content: For this guide, we are using EXAMPLE.COM.Īt this point, you should alreaedy be able to obtain tickets from your Kerberos server, assuming DNS records point at it like explained elsewhere in this guide: $ kinit ubuntuĭefault principal: starting Expires Service principalĠ4/17/20 19:51:06 04/18/20 05:51:06 until 04/18/20 19:51:05īut we want to be able to login as an LDAP user, authenticated via Kerberos. You may be asked about the default Kerberos realm.
#UBUNTU XSCREENSAVER SSSD INSTALL#
On the client host, install the following packages: sudo apt install sssd-ldap sssd-krb5 ldap-utils krb5-user
This is arguably a much wiser solution as xscreensaver is really notable for its commitment to security, i.e. Since your primary issue is looks, You might want to look into theming xscreensaver's lock dialog. In the Command field add xautolock -locker "xtrlock -b".In the Name field add something like "xautolock xtrlock".Uncheck the check box next to Xscreensaver.Navigate to Menu » Preferences » LXQt Settings » Session Settings » Autostart.Make sure you autostart xautolock -locker "xtrlock -b" (remove the -b if you don't want the screen blanked) and keep xscreensaver from starting: Something light like xtrlock would do the trick (and it's super light). Technically that's not a locker, so you'd need something else. Luckily, there are others that take precedence over xscreensaver, including the one that trumps them all: xautolock. This tool generally chooses the screensaver based on the desktop environment but xscreensaver takes precedence so that eliminates some other options, including gnome-screensaver¹. LXQt uses xdg-screensaver lock to handle locking.
0 kommentar(er)
