Server Management - Remote Server Management

LDAPs no authentication?

donteverstop
Advisor

LDAPs no authentication?

Hello. I am looking at directory-integration for iLO and I really can't trust it:

 

- You specify an LDAPs directory server

- You never specify a certificate (or any certificate) that must work with this server

 

Would not this mean that if an attacker can steal the IP of the Directory server he can also steal the credentials for any user logging on? Or at least use this for a man in the middle/proxy attack (iLO uses the users credentials when authenticating to the directory)?

 

Is there at least a warning if iLO encounters a new certificate when connecting to the directory server?

6 REPLIES
donteverstop
Advisor

Re: LDAPs no authentication?

So by the topic this would mean - Does iLO authenticate the LDAPs-certificate before sending away user credentials?
donteverstop
Advisor

Re: LDAPs no authentication?

I managed to decrypt the LDAPS-authentication from ILO to my Domain Controller. It uses ldap simple bind, which basically transfers username/password in clear text. So if no verification of the certificate is done, this means that a MITM-attack will be able to steal the credentials of the user.

Oscar A. Perez
Honored Contributor

Re: LDAPs no authentication?

If you are that concerned about a potential MITM-attack in your environment, you should consider using Kerberos. Both iLO3 and iLO4 support it.
__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
donteverstop
Advisor

Re: LDAPs no authentication?

It's not that I am concerned that it will happen, but as an organization it is imperative to know that it can happen.

 

Anyways, the thing about it is that it would not be that hard to implement a verification technology - e.g. you upload the CA for the ldaps-server and everything would be fine (at least good enough - ldap simple bind should not be used though).

 

What annoys me the most is that HP actually has published a document trying to document how secure iLO is - but has left out any mention of the use of ldap simple bind and if the ldaps certificate is at any point verified. Kerberos is not mentioned at all.

 

Kerberos might work, but that also involves creating AD-objects for every iLO-interface, something that makes the implementation more complex.
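The two points made in this thread, that a simple bind puts the password into the LDAP PDU as a plain OCTET STRING so only the TLS layer protects it, and that the client should therefore validate the directory server's certificate against an uploaded CA, as an added Python example that is not part of the thread and not iLO's own code; the bind DN, password and CA file path are constructed or hypothetical.

```python
import ssl
from typing import Optional, Tuple

def ldaps_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that trusts only the uploaded CA (hypothetical path); with no CA it fails closed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # defaults: check_hostname=True, CERT_REQUIRED
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)    # pinned CA instead of the system store
    return ctx

def unverified_context() -> ssl.SSLContext:
    """What the thread describes: encrypt to whoever answers on the directory server's IP."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def _ber(tag: int, value: bytes) -> bytes:
    """Definite-length BER TLV, short or long form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def bind_request(msg_id: int, dn: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } } (RFC 4511)."""
    op = _ber(0x02, bytes([3])) + _ber(0x04, dn.encode()) + _ber(0x80, password)
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, op))   # msg_id < 128 here

def _tlv(buf: bytes, i: int) -> Tuple[int, bytes, int]:
    tag, ln, i = buf[i], buf[i + 1], i + 2            # tag, length, then value
    if ln & 0x80:
        k = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + ln], i + ln

def cleartext_bind(pdu: bytes) -> Optional[Tuple[str, bytes]]:
    """(dn, password) if pdu is a simple bind: the password travels as a plain OCTET STRING."""
    tag, msg, _ = _tlv(pdu, 0)
    if tag != 0x30:
        return None
    _, _, i = _tlv(msg, 0)                            # messageID
    t, op, _ = _tlv(msg, i)
    if t != 0x60:                                     # [APPLICATION 0] BindRequest
        return None
    _, _, i = _tlv(op, 0)                             # version
    _, dn, i = _tlv(op, i)                            # name
    t, auth, _ = _tlv(op, i)
    return (dn.decode(), auth) if t == 0x80 else None  # 0xA3 = SASL, not simple
```

Wrapping a socket with `ldaps_context("ilo-ca.pem")` rejects a server whose chain does not lead to that CA before any bind is sent, which is the check the thread notes is missing.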

 

Oscar A. Perez
Honored Contributor

Re: LDAPs no authentication?

I'm going to bring your concern to the iLO team.
donteverstop
Advisor

Re: LDAPs no authentication?

Cheers!

 

I verified this attack today btw - it was how I suspected, which means directory authentication is not safe against a man-in-the-middle.

 

I believe Kerberos is safe - as long as you only use the "HP Zerologin"-button; if you enter credentials I believe it will use directory authentication as a fallback if it cannot authenticate using Kerberos (again - a man in the middle attack). Kerberos is also not supported on iLO2/1 - I have not tried authentication with HP extended schema yet.

 

This would also be true for cpqlocfg.exe, which cannot verify the ssl-certificate of the iLO-interface... Of course you might possibly be able to download the certificate using xml and verify it by other means, but that would require two operations which means that an attack is possible. The problem with this is when/if you need to upload a new keytab(kerberos) or lom-password (ilo2), which could be hijacked. A workaround here is of course to distribute it through safe ways to the operating system and use local scripts to import them. (Or write your own script that works through XML or the web interface).