From 9bbec43dfa15eb6dd3d04eb444bb2c8dda3948e9 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Thu, 2 Oct 2003 18:15:42 +0000 Subject: [PATCH] some security documentation --- lam/docs/README.security | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 lam/docs/README.security diff --git a/lam/docs/README.security b/lam/docs/README.security new file mode 100644 index 00000000..aace300c --- /dev/null +++ b/lam/docs/README.security @@ -0,0 +1,36 @@ + +1. Use of SSL + + The data which is transfered between you and the LAM server is very sensitive. + Please always use SSL encrypted connections between LAM and your browser to + protect yourself against network sniffers. + + +2. LDAP+SSL and TLS + + LAM should start TLS automatically if possible. LDAP+SSL will be used if you use + ldaps://servername in your configuration file. + + +3. Chrooted servers + + If your server is chrooted and you have no access to /dev/random or /dev/urandom + this can be a security risk. LAM stores your LDAP password encrypted in the session. + LAM uses rand() to generate the key if /dev/random and /dev/urandom are not accessible. + Therefore the key can be easily guessed. + An attaker needs read access to the session file (e.g. by another Apache instance) to + exploit this. + + +4. LDAP-password protection + + Your LDAP-password is stored encrypted in the session file. The key and IV to decrypt + it are stored in two cookies. We use AES to encrypt the passwort. + + +5. Protection of new user passwords + + These passwords are, if stored in the session file, encrypted with the same key and IV + as your LDAP-password. + +