Re: 389-ds and password hashing

On Wed, 2017-04-19 at 13:57 -0400, Mark Reynolds wrote:
> 
> On 04/19/2017 01:33 PM, James Chamberlain wrote:
> > Hi all,
> >
> > Does anyone know, can the CRYPT plugin for 389-ds be passed a
> > “crypt-algorithm” parameter?  I came across some documentation* from
> > the related Oracle Unified Directory / OpenDS which looks like it
> > would do exactly what I’m looking for, but I wasn’t sure whether that
> > was also true of 389-ds.
> We do not offer this functionality for CRYPT at this time, but please
> open a ticket so we can look into adding it:
> 
> https://pagure.io/389-ds-base/new_issue
> 
> Please provide the links to the Oracle docs, etc.
> 

I had a bit of a read, and I'm not sure about this.

Like, I can see *why* you want to do this, because it makes migration
from these possible.

However, the crypt module is bad, and all those schemes are "weak" for
password storage now.

So, let's say there is a compromise here on this feature.

What if we made it so DS could *bind* a user with the hash set to this
scheme, but you could never make a new password with this scheme. I.e. you
would leave:

nsslapd-storagescheme: {SSHA512,PBKDF2_SHA256}

But your user has:

uid=migrated_account,ou=People,dc=....
...
userPassword: {CRYPT}$6$<salt>$hash

So you could bind to this account, but then on next password change the
userPassword would become:

userPassword: {PBKDF2_SHA256}........

What do you think of this solution?

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane

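The bind-but-never-store policy proposed above, as an added Python sketch that is not 389-ds code: the on-disk PBKDF2_SHA256 layout and iteration count are assumptions made for this example, and {CRYPT} verification simply delegates to the platform crypt(3) where Python still ships the crypt module.

```python
import base64, hashlib, hmac, os, struct
# Only STORAGE_SCHEME is ever written; any other tagged hash may still bind,
# and a successful bind with it marks the entry for rehash on the next change.
STORAGE_SCHEME = "PBKDF2_SHA256"
PBKDF2_ITERATIONS = 30000  # assumed for this example, not a 389-ds default

def split_scheme(stored):
    """'{SCHEME}payload' -> ('SCHEME', 'payload'); untagged values are rejected."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("userPassword value has no {SCHEME} tag")
    scheme, _, payload = stored[1:].partition("}")
    return scheme.upper(), payload

def hash_pbkdf2_sha256(password, salt=b""):
    # Assumed layout (constructed here): big-endian iterations || 16-byte salt || dk.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    blob = struct.pack(">I", PBKDF2_ITERATIONS) + salt + dk
    return "{PBKDF2_SHA256}" + base64.b64encode(blob).decode()

def verify_pbkdf2_sha256(payload, password):
    blob = base64.b64decode(payload)
    iters, salt, dk = struct.unpack(">I", blob[:4])[0], blob[4:20], blob[20:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(cand, dk)

def verify_crypt(payload, password):
    # Legacy {CRYPT}$6$salt$hash goes to crypt(3); Python 3.13 dropped the crypt
    # module, so "cannot verify" is a failed bind, never a success.
    try:
        import crypt
    except ImportError:
        return False
    result = crypt.crypt(password, payload)
    return result is not None and hmac.compare_digest(result, payload)

VERIFIERS = {"PBKDF2_SHA256": verify_pbkdf2_sha256, "CRYPT": verify_crypt}

def check_bind(stored, password):
    """Return (bind_ok, needs_rehash) for one stored userPassword value."""
    scheme, payload = split_scheme(stored)
    if scheme not in VERIFIERS:
        return False, False  # unknown scheme: neither bind nor rehash
    ok = VERIFIERS[scheme](payload, password)
    return ok, ok and scheme != STORAGE_SCHEME

def change_password(stored, old_pw, new_pw):
    """A successful change always writes STORAGE_SCHEME, so {CRYPT} is bind-only."""
    ok, _ = check_bind(stored, old_pw)
    if not ok:
        raise PermissionError("old password did not verify")
    return hash_pbkdf2_sha256(new_pw)
```

A real server would also need the migrated entry's rehash flag honoured by the password-change path, not only by bind, which is exactly the behaviour the proposal asks for.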

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
