Authentication with AD NO SSL

Posted: Fri Oct 31, 2014 9:08 am
by mikew
I am working with a customer that is using AD to authenticate with Nagios. In order to get this working they are not using SSL, so it is plain text. Two questions as I am concerned about security:

1. At any point are passwords stored or transmitted in plain text on Nagios when using AD and no SSL?
Especially important would be log info?

2. Do these passwords ever get stored on Nagios in plain text?
I am assuming this is true as they are stored in the database?

Re: Authentication with AD NO SSL

Posted: Fri Oct 31, 2014 12:10 pm
by sreinhardt
1) I have not done a Wireshark capture to confirm, but these should be sent just as a standard Windows authentication request would, using NTLM\NTLMv2 hashes, which is of the same security as a default Windows system connecting to a domain.

2) Nope, they should never be stored in plaintext, and the XI password does NOT need to match AD. We check something like:
valid for user nagios?
valid ad user and pass?
if yes to both, login as user
if not, check local db for credentials as though we were not using AD.

As another note, Jake and I, largely Jake, recently resolved the AD SSL issues; it should be out in a patch shortly, with detailed documentation!

Re: Authentication with AD NO SSL

Posted: Fri Oct 31, 2014 1:45 pm
by mikew
Thanks for the info, exactly what I needed. Fixing the SSL issues will be greatly appreciated by many I am sure. You can close this.

Re: Authentication with AD NO SSL

Posted: Fri Oct 31, 2014 1:49 pm
by sreinhardt
"Fixing the SSL issues will be greatly appreciated by many I am sure."
You are absolutely correct, myself included! We'll lock it up!