Hi,

I'm trying to reproduce this bug to see if it's still valid, but so far
I haven't had much success.  I tried crafting a /etc/sssd/sssd.conf
using Jens' diff, but after using sss_obfuscate on it I only see a small
excerpt being added to the end of the config file, and no lines being
removed.

I also looked at upstream's bug reports and tried finding something
related to this.  There are some sss_obfuscate bugs that have been fixed
over the years, but nothing that really resembles this one.

Jens, would it be possible for you to check if this bug is still
reproducible, and to provide reproduction steps please?  Meanwhile, I
will set this bug as Incomplete.

Moreover, I would like to post a comment made by one of the sssd
developers regarding sss_obfuscate:

====
First, an aside: please do not use the sss_obfuscate tool. It is virtually 
useless and provides zero security benefit. It was added to placate a customer 
who was paying a brain-dead auditor to review their use of the code. Obfuscated 
passwords are 100% reversible encryption. Anyone who has access to the 
sssd.conf can trivially reverse the password and get its plaintext password. 
They need only take a look at the well-commented source code of the 
sss_obfuscate tool. Given that the sssd.conf file is already forced to be 
readable only by root, the obfuscation is an unnecessary option that only gives 
an illusion of added security. We strongly recommend against using it at all.
====

With that in mind, and assuming that the bug is still valid, I consider
it to be low priority.

Thanks.

** Changed in: sssd (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1430143

Title:
  sss_obfuscate breaks /etc/sssd/sssd.conf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1430143/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
