[Freeipa-devel] Capturing passwords for migration at bind-time?

Dmitri Pal dpal at redhat.com
Thu Jun 26 15:15:26 UTC 2008


> Currently we hook into the password change extended operation and
> provide a kpasswd service to ensure that Kerberos keys (and other hashes
> which are based on the user's password) are generated whenever a user
> changes her password.
>
> Would it be useful to also intercept the password used when a simple or
> SASL/PLAIN bind requests succeed, and take the opportunity to generate
> the hashes so that we can avoid forcing password changes?
>
Simple bind will reveal the password in clear. I do not think we want to
do this for the same reasons we do not want to store them on the client
machine.
It will force us to use SSL. It is currently turned off for performance
reasons.
SASL will not give us the password in clear on the server side so we
won't be able to generate the hashes.

Am I missing something?

Dmitri



