On 15.1.2014 20:10, Rich Megginson wrote:
On 01/15/2014 11:51 AM, Richard Mixon wrote:
Nathan/Rich,
Thank you both for the responses.
We are using the 389 Directory Server for a pretty isolated situation -
authentication/authorization for external users on an "extranet" type portal
website (it integrates pieces of several different web applications).
We don't really envision (famous last words, I know) using it on a broader
basis.
Rich, I can understand why the pre-hashed passwords cause a lot of
integration points to break. Is there a good alternative that still makes
cracking your passwords prohibitively expensive?
Well, actually, yes - don't use passwords - use client certificate based
authentication . . .
SASL/GSSAPI is the most flexible option. Teach your applications SASL and you
can use any of
http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer#SASL_mechanisms
Naturally, some of them have the same problem with plaintext passwords but
others do not (like GSSAPI - e.g. Kerberos).
Petr^2 Spacek
Nathan, I have a background in C, but do mostly Java these days. I will take
a look at ticket 397 and get back to you if it's something I could work on.
Can you provide me the pointers you were referring to?
Thank you - Richard
On Wed, Jan 15, 2014 at 11:25 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 01/15/2014 10:38 AM, Richard Mixon wrote:
During the bind process is there any way to tell 389 directory
server to hash a plaintext password n (multiple) times before
trying to compare to what is stored?
I am trying to implement something similar to what's described in
this article:
http://www.stormpath.com/blog/strong-password-hashing-apache-shiro
Our plan was to use SSHA256 to hash the passwords around
200,000 times before storing. This would at least slow down any
cracking attempts should someone get access to our directory.
I've read through the documentation on the Red Hat Directory
Server site, including the "Plug-in Guide". Under "5.8 Checking
Passwords" it refers to calling function "slapi_pw_find_sv()" -
looking at the doc for this function it does not look like
hashing multiple times is supported.
Is there some means of doing this that is not obvious to me?
No.
I can certainly do it by re-writing the security plugins for the
various servers (Tomcat, PHP Wordpress, etc) such that they hash
the plaintext password n minus 1 times before issuing the bind -
but was hoping not to do that.
Use of pre-hashed passwords is strongly discouraged and will break
things like SASL and replication.
Does this have anything to do with
https://fedorahosted.org/389/ticket/397?
I'm relatively new to 389 directory server, but so far quite
happy to have moved to it from another directory server.
Thank you - Richard
-- Richard Mixon
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
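The iterated salted-SHA-256 scheme Richard describes (SSHA256 applied 200,000 times, verified server-side from the plaintext at bind time), plus the standardized PBKDF2 form of the same idea, as an added example that is not part of this thread and not 389 Directory Server code; the "{ISSHA256}" tag, the field layout and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Iteration count discussed in the thread; assumed constant name.
ROUNDS = 200_000
TAG = "{ISSHA256}"  # assumed, non-standard storage tag


def iterated_ssha256(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Salted SHA-256 re-applied `rounds` times (constructed reading of the plan).
    The salt is mixed back in every round, so a single-round table is useless."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = hashlib.sha256(password + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest + salt).digest()
    return digest


def make_stored_value(password: str, rounds: int = ROUNDS,
                      salt: Optional[bytes] = None) -> str:
    """Store rounds, digest and salt together so the verifier needs no
    out-of-band knowledge of the iteration count."""
    salt = salt if salt is not None else os.urandom(16)
    digest = iterated_ssha256(password.encode("utf-8"), salt, rounds)
    return "%s%d$%s" % (TAG, rounds, base64.b64encode(digest + salt).decode("ascii"))


def verify(password: str, stored: str) -> bool:
    """Recompute from the plaintext and compare in constant time. This is the
    step the directory would have to do at bind time, so it only works when
    the server receives the plaintext; a client that pre-hashes n-1 rounds
    turns the pre-hashed value itself into the credential."""
    if not stored.startswith(TAG):
        return False
    try:
        rounds_str, b64 = stored[len(TAG):].split("$", 1)
        blob = base64.b64decode(b64)
        digest, salt = blob[:32], blob[32:]
        candidate = iterated_ssha256(password.encode("utf-8"), salt, int(rounds_str))
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(candidate, digest)


def pbkdf2_equivalent(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Standardized key stretching with the same cost knob (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
```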