Sunday, March 24, 2013

gnome-keyring, LDAP, PAM -- lost weekend blues

Links: LDAP workaround for Slack; CUPS LDAP issues

Today's distros often install security as if one's stand-alone machine were a network box - localhost looping back onto itself with PAM and LDAP. In an environment like this, if one attempts to directly attach a peripheral, one becomes delayed or entirely thwarted. Anything from an improperly operating keyring to some limitation of root (e.g., root apparently cannot navigate an IP localhost inherently), or so forth can extend attaching a printer into weeks. These are not problems for hackers; these are limits upon the computer's owner(s). Why?

I have no f*cking idea. Public agencies already can directly access our systems and private hackers either know how to use these LEA backdoors or have their own software methods. So for our home systems there is perhaps a 1% security gain for having an encrypted-vaulted system that loops back onto itself with layered authentication and cryptography. Meanwhile there is about a 70% productivity loss and about a 140% frustration increase to go along with it. Nearly all savvy computer users below the level of industry professionals or CS majors (they presumably can write patches to solve authentication situations), would pay GOOD money to defang all of their "security" beyond an initial login. As I noted in the previous post, users of Ubuntu (Ubuntu appears to use every layer of loopback LDAP, PAM, SOAP, encryption spaghetti available), are forced to, basically, hack their own systems to accomplish something as simple as directly connecting a printer.

Of course there are "solutions" for us: spend hours on forums and maybe make a post; one could wait anywhere from one to several days or weeks for a possible workaround. Or one can spend the weeks necessary to resurrect their iptables knowledge, uninstall LDAP, and parse out how to connect to web services without having LDAP and so on in place (e.g., try NSS without LDAP!).

This rant isn't against Ubuntu; it's a vent regarding loopback security for stand-alone machines. Leave layered loopback security, which places a security server and client on a single machine, out of vanilla distros. The so-called hackers out there already read our credit card numbers and have a hundred other entry points into our systems through dynamic libraries and so forth that this ridiculous set of authentications can never prevent. Meanwhile, we end-users struggle to connect peripherals. iptables and (arguably) a well-configured PAM are our stand-alone friends. Loopback localhost security "services" are not.
