Centos

How to disable null and weak ciphers on 389-Directory-Server

  • October 9, 2014

I am running 389-DS on CentOS. Version - '389-ds-base.i686 1.2.11.15-34.el6_5'. A security scan shows NullCiphers found on ports 389 and 636.

I tried to disable them by shutting down DS, editing "nsSSL3Ciphers" in all the "/etc/dirsrv/slapd-/dse.ldif" files and starting DS again. nsSSL3Ciphers now looks like this -

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
numSubordinates: 1

The scan still shows null ciphers on these 2 ports.

Here is the list of null SSL ciphers supported by the remote server :
 Null Ciphers (no encryption)
   TLSv1
     NULL-SHA                     Kx=RSA         Au=RSA      Enc=None                 Mac=SHA1   
The fields above are :
 {OpenSSL ciphername}
Port
389 / tcp / ldap    
636 / tcp / ldap    

Any ideas on how to disable these Null ciphers?
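The question's nsSSL3Ciphers value is an LDIF attribute folded over several continuation lines, which makes it easy to misread what is actually enabled. The following check, added here as an example and not code from the question, the answers or the 389-DS project, unfolds the LDIF, splits the `+`/`-` cipher list and reports which entries are explicitly enabled, which of those are null or weak, and which known null-cipher names the list never mentions at all. The cipher names it knows are `rsa_null_md5` and `fortezza_null` from the page plus `rsa_null_sha`, which is assumed here to be the nsSSL3Ciphers name behind the NULL-SHA suite the scanner reports; the weak-cipher markers and the sample LDIF are constructed for the example.

```python
import re

# Constructed sample based on the attribute shown in the question, written the
# way it appears in dse.ldif (a continuation line starts with a single space).
SAMPLE_LDIF = """\
modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1
"""

# nsSSL3Ciphers names that provide no encryption. Assumption: rsa_null_sha is
# the 389-DS name for the NULL-SHA suite reported by the scanner; the other two
# names appear in the question's configuration.
KNOWN_NULL = ("rsa_null_md5", "rsa_null_sha", "fortezza_null")

# Substrings that mark a cipher as weak for this check: no encryption, export
# grade, 40-bit keys, RC4, single DES, MD5 MAC, Fortezza. "_des_" deliberately
# does not match "3des", so triple DES is left as acceptable here.
WEAK_MARKERS = ("null", "export", "_40_", "rc4", "_des_", "md5", "fortezza")


def unfold_ldif(text):
    """Return (attribute, value) pairs with LDIF continuation lines joined."""
    records = []
    for line in text.splitlines():
        if line.startswith(" ") and records:
            # RFC 2849: a line beginning with one space continues the previous value.
            attr, value = records[-1]
            records[-1] = (attr, value + line[1:])
        elif ":" in line:
            attr, _, value = line.partition(":")
            records.append((attr.strip(), value.strip()))
    return records


def parse_cipher_list(value):
    """Split '+name,-name,...' into (enabled, name) pairs."""
    entries = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        sign, name = token[0], token[1:].lower()
        if sign not in "+-":
            raise ValueError("cipher entry must start with + or -: %r" % token)
        entries.append((sign == "+", name))
    return entries


def audit_ciphers(ldif_text):
    """Classify the configured nsSSL3Ciphers list.

    Returns the explicitly enabled null ciphers, the enabled weak ciphers, the
    known null ciphers the list does not mention at all (whether those end up
    enabled depends on the server's defaults, not on this list), whether the
    '+all' keyword is in force, and the explicitly disabled names.
    """
    values = [v for a, v in unfold_ldif(ldif_text) if a.lower() == "nsssl3ciphers"]
    if not values:
        raise ValueError("nsSSL3Ciphers attribute not found")
    entries = parse_cipher_list(values[0])
    enabled = {name for on, name in entries if on}
    disabled = {name for on, name in entries if not on}
    return {
        "enabled_null": sorted(n for n in enabled if "null" in n),
        "enabled_weak": sorted(n for n in enabled if any(m in n for m in WEAK_MARKERS)),
        "unlisted_null": sorted(n for n in KNOWN_NULL if n not in enabled | disabled),
        "plus_all": "all" in enabled,
        "disabled": sorted(disabled),
    }


if __name__ == "__main__":
    report = audit_ciphers(SAMPLE_LDIF)
    for key, val in report.items():
        print("%-14s %s" % (key, val))
```

Run against the question's value, the check finds no null cipher explicitly enabled, nine enabled entries that are export, 40-bit, RC4, single-DES, MD5 or Fortezza suites, and one known null name (`rsa_null_sha`) that the list neither enables nor disables. The check only audits the configured intent; the scanner's view of what the listener actually negotiates, as in the nmap output in the answer, remains the authoritative result.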

You can fix the ciphers manually as suggested in the other answers, or, where applicable, simply upgrade to FreeIPA 4.0.3, which fixes the ciphers out of the box (upstream ticket).

This is what I get with FreeIPA 4.0.3 or 4.1.0 Alpha1:

# nmap --script ssl-cert,ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-09 01:52 EDT
Nmap scan report for ipa.mkosek-rhel71.test (10.16.78.57)
Host is up (0.000092s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-cert: Subject: commonName=ipa.mkosek-rhel71.test/organizationName=MKOSEK-RHEL71.TEST
| Issuer: commonName=Certificate Authority/organizationName=MKOSEK-RHEL71.TEST
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2014-10-09T04:52:15+00:00
| Not valid after:  2016-10-09T04:52:15+00:00
| MD5:   0fc7 afd6 343b 9e51 abd0 3ba1 7bde 3c25
|_SHA-1: 246a 02f2 1663 3ca9 e97b cdd4 887e 6e10 7685 5627
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds

Quoted from: https://serverfault.com/questions/634339