[Freeipa-devel] Capturing passwords for migration at bind-time?

Nalin Dahyabhai nalin at redhat.com
Thu Jun 26 14:28:35 UTC 2008


During the Q&A session after Simo's talk at the Red Hat Summit last
week, someone in the audience asked about migration from existing
directory server instances to IPA.  One of the sticking points is that
these newly-migrated directory entries for users usually contain a
previously-hashed version of the user's password (usually a Unix-style
crypt(3) password), and this value is not usable as the user's long-term
key for Kerberos.

The person in the audience mentioned the pam_krb5_migrate module, which
can be deployed to a client system.  IIRC, the module waits for users to
attempt to log in with a password, and if the login attempt succeeds, it
uses credentials which are present on the client machine to connect to a
realm's kadmind service, create an entry in the realm database
corresponding to the user, and set the key for that entry using the
user's password.

The idea of storing credentials sufficient to do that sort of thing on
any client system kind of scares me, so I'm not suggesting that we
should use that approach.

Currently we hook into the password change extended operation and
provide a kpasswd service to ensure that Kerberos keys (and other hashes
which are based on the user's password) are generated whenever a user
changes her password.

Would it be useful to also intercept the password used when a simple or
SASL/PLAIN bind request succeeds, and take the opportunity to generate
the hashes so that we can avoid forcing password changes?

Nalin
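A small model of the bind-time hook discussed in this message, written as an added example rather than code from IPA, 389-ds or the pam_krb5_migrate module. It assumes a constructed realm and user entries, a constructed `$demo$` hash scheme standing in for the migrated crypt(3) value, and only the PBKDF2-HMAC-SHA1 stage of the RFC 3962 aes256-cts-hmac-sha1-96 string-to-key function (the AES DK step that real Kerberos applies afterwards is left out). Keys are derived only from a bind that actually verified against the migrated hash, and only for entries that still lack Kerberos keys; the stored hash itself is never used as key material, which is the reason the plaintext has to be captured at all.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

REALM = "EXAMPLE.COM"  # constructed realm for the example


def kerberos_salt(principal: str, realm: str) -> str:
    """Default Kerberos salt: realm name followed by the principal
    components without separators (RFC 4120 / RFC 3962 default)."""
    return realm + principal.split("@")[0].replace("/", "")


def string_to_key_pbkdf2(password: str, salt: str,
                         iterations: int = 4096, length: int = 32) -> bytes:
    """First stage of the RFC 3962 string-to-key for aes256-cts-hmac-sha1-96.
    Assumption/simplification: the real enctype then runs DK() over this
    output; that AES step is omitted here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, length)


def make_migrated_hash(password: str, salt: str) -> str:
    """Constructed '$demo$' scheme standing in for a {CRYPT} userPassword."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"$demo${salt}${digest}"


def check_migrated_hash(stored: str, password: str) -> bool:
    """Verify a bind password against the migrated hash (constant-time)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "demo":
        return False
    return hmac.compare_digest(make_migrated_hash(password, parts[2]), stored)


@dataclass
class UserEntry:
    uid: str
    user_password: str                       # migrated hash, the only secret present
    krb_keys: dict = field(default_factory=dict)  # empty until first successful bind


class BindInterceptor:
    """Models the server-side hook: on a successful simple/SASL PLAIN bind,
    derive the Kerberos key from the plaintext the server already received."""

    def __init__(self, directory: dict, realm: str = REALM):
        self.directory = directory
        self.realm = realm
        self.keys_generated = 0  # how many entries were migrated via bind

    def simple_bind(self, uid: str, password: str) -> bool:
        entry = self.directory.get(uid)
        # A failed bind must never influence key material.
        if entry is None or not check_migrated_hash(entry.user_password, password):
            return False
        # Only entries that still lack Kerberos keys are touched; a later
        # password change goes through the kpasswd path instead.
        if not entry.krb_keys:
            salt = kerberos_salt(uid, self.realm)
            entry.krb_keys["aes256-cts-hmac-sha1-96"] = string_to_key_pbkdf2(password, salt)
            self.keys_generated += 1
        return True


def build_demo_directory() -> dict:
    """Constructed entries as they would look right after migration."""
    return {
        "alice": UserEntry("alice", make_migrated_hash("correct horse", "s1")),
        "bob": UserEntry("bob", make_migrated_hash("battery staple", "s2")),
    }


if __name__ == "__main__":
    server = BindInterceptor(build_demo_directory())
    print(server.simple_bind("alice", "wrong"))          # False, no key created
    print(server.simple_bind("alice", "correct horse"))  # True, key derived once
    print(server.directory["alice"].krb_keys.keys())
```

The interceptor only sees what a simple or PLAIN bind already exposes to the server, so it adds no new place where plaintext lives, unlike the client-side credential the pam_krb5_migrate approach needs; what it does add is a write to the entry on an authentication path, which is why the hook checks the bind result first and runs once per entry.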