On 08/01/2016 08:59 PM, William Brown wrote:
> Hi,
>
> I would like to propose an idea that will help improve the security of DS password storage for new installations and their future upgrades.
>
> I would like to change the default value of passwordStorageScheme to a type called DEFAULT. The implementation of DEFAULT would be an interface to the "current best practice storage mechanism of this release of directory server".
>
> This way sites that want to customise their hash types can. Sites that "install and forget" will gain a strong password storage mechanism out of the box.
>
> Additionally, we can *change* the DEFAULT mapping in releases as we have better and stronger hashes, or as we learn and get better advice on their security. This way, users who "install and forget" are continually moving forwards with their security as they upgrade versions. When user passwords are changed in their systems, they are updated to the newer hashes etc.
>
> I think this would be a trivial feature to implement and add, and I think that the net increase in security for administrators and accounts on their system is huge.
>
> Is this something we would like to pursue?

I think this is something that would be nice to have. Open a ticket for it, and we'll triage it for the next appropriate release.
--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/389-devel@xxxxxxxxxxxxxxxxxxxxxxx
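The mechanism proposed in the quoted message, as an added example that is not 389 DS's code: a DEFAULT alias for passwordStorageScheme that each release resolves to a concrete scheme, verification driven by the prefix of the stored value so hashes written by an older release keep working after an upgrade, and a re-hash to the current scheme when the password is changed. The scheme names SSHA and PBKDF2_SHA256 follow 389 DS's naming, but the on-disk encodings, the release labels and the iteration count are constructed for this example and are not the server's real formats or settings.

```python
import base64
import hashlib
import hmac
import os

# Constructed per-release mapping of the DEFAULT alias to a concrete scheme.
# A newer release only has to change this table to move "install and forget"
# sites onto a stronger hash; sites that set a concrete scheme are unaffected.
RELEASE_DEFAULT = {
    "old-release": "SSHA",           # salted SHA-1 (hypothetical older default)
    "new-release": "PBKDF2_SHA256",  # PBKDF2-HMAC-SHA256 (hypothetical newer default)
}
PBKDF2_ITERATIONS = 50_000  # constructed value, not a 389 DS setting


def _hash_ssha(password: str, salt: bytes) -> str:
    # Constructed encoding: {SSHA} + base64(sha1(password || salt) || salt)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def _verify_ssha(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def _hash_pbkdf2(password: str, salt: bytes) -> str:
    # Constructed encoding: {PBKDF2_SHA256}iterations$base64(salt)$base64(dk)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "{PBKDF2_SHA256}%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def _verify_pbkdf2(password: str, stored: str) -> bool:
    iters, salt_b64, dk_b64 = stored[len("{PBKDF2_SHA256}"):].split("$")
    # Iterations come from the stored value, so old hashes stay verifiable
    # even after the release raises PBKDF2_ITERATIONS.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


# Concrete schemes: name -> (hash function, verify function).
# DEFAULT is deliberately absent: it is an alias, never a scheme of its own.
SCHEMES = {
    "SSHA": (_hash_ssha, _verify_ssha),
    "PBKDF2_SHA256": (_hash_pbkdf2, _verify_pbkdf2),
}


def resolve_scheme(configured: str, release: str) -> str:
    """Turn the configured passwordStorageScheme into a concrete scheme name."""
    if configured == "DEFAULT":
        return RELEASE_DEFAULT[release]
    if configured not in SCHEMES:
        raise ValueError("unknown passwordStorageScheme %r" % configured)
    return configured


def scheme_of(stored: str) -> str:
    """Read the {SCHEME} prefix that tags every stored userPassword value."""
    return stored[1:stored.index("}")]


def hash_password(password: str, configured: str, release: str) -> str:
    """Hash a new password with whatever DEFAULT (or the explicit scheme) resolves to."""
    name = resolve_scheme(configured, release)
    return SCHEMES[name][0](password, os.urandom(16))


def verify_password(password: str, stored: str) -> bool:
    """Verify against the scheme recorded in the stored value, not the configured one."""
    return SCHEMES[scheme_of(stored)][1](password, stored)


def needs_rehash(stored: str, configured: str, release: str) -> bool:
    """True when the stored hash lags behind the scheme this release would use."""
    return scheme_of(stored) != resolve_scheme(configured, release)


def change_password(entry: dict, new_password: str, configured: str, release: str) -> dict:
    """A password change writes the hash under the current DEFAULT mapping."""
    entry["userPassword"] = hash_password(new_password, configured, release)
    return entry


if __name__ == "__main__":
    # Constructed walk-through: account created on the old release, then upgraded.
    entry = {"uid": "alice", "userPassword": hash_password("s3cret", "DEFAULT", "old-release")}
    print("stored under:", scheme_of(entry["userPassword"]))
    print("verifies after upgrade:", verify_password("s3cret", entry["userPassword"]))
    print("lags current default:", needs_rehash(entry["userPassword"], "DEFAULT", "new-release"))
    change_password(entry, "n3w-s3cret", "DEFAULT", "new-release")
    print("stored under after change:", scheme_of(entry["userPassword"]))
```

The important design point is that verification never consults the configured scheme: the stored value carries its own scheme tag (and, for PBKDF2, its own iteration count), so changing the DEFAULT mapping or raising the work factor in a new release can never lock out accounts whose hashes were written by an older one. The `needs_rehash` check is what an operator would use to report how many accounts still sit on the older scheme after an upgrade.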