[Freeipa-devel] Consistent password hashing and lookups

Dmitri Pal dpal at redhat.com
Mon May 12 01:02:14 UTC 2014


On 05/11/2014 06:31 PM, James wrote:
> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <dpal at redhat.com> wrote:
>> This is scary.
>> This means that you are expecting to have a hash being stored somewhere else
>> outside the DS.
> Haha, I agree! Actually, worse! I will have the plain text password
> stored somewhere outside the DS! Let me give you more background:
>
> I think this is an atrociously bad idea. However *everybody* stores
> password credentials poorly in puppet. So in order to do it properly,
> I've gone to great lengths to support something smarter for
> puppet-ipa. Most of the code is already done.
>

Which module do you want me to look at?
I am not going to review your whole project :-)

> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
>
> You'll be very pleased to know it doesn't do anything bad! BUT: I am
> still going to support the "bad method" of storing the actual password
> in puppet. Sad, but still used. So I do need to know how to do this
> bad thing, but if you look at my code, you'll see I'm doing something
> clever. Once it's all done and tested, I'll blog about it and announce
> the technique publicly.
>
>> Can you describe the workflow?
>> You want to be able to reset the admin password, right?
>> How do you bind? Using same admin password? Or keytab?
> I don't bind. I'm running as root on the free-ipa server.
But to do an LDAP operation you still need to connect to LDAP. You can 
use LDAPI in this case, but then you do not need to authenticate at all. 
I think in this case you should be able to overwrite the password 
without knowing the old one.

I do not think we should promote bad and insecure practices around the 
security product. That defeats the purpose. I strongly suggest avoiding 
saving any password and resetting the existing password using local 
root. I think it is possible. If not we need to think about the proper 
way of solving your use case.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
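One way to do the local-root reset Dmitri describes above, as an added example that is not from the thread or from puppet-ipa: the new password is piped in on stdin and sent once over the LDAPI socket with SASL EXTERNAL, so nothing is bound with an old password and nothing is written to disk. The socket path, base DN and the user's location under cn=users,cn=accounts are assumptions for a realm EXAMPLE.COM.

```shell
#!/bin/sh
# Reset a FreeIPA user's password from local root over LDAPI (added example).
# Assumed values for realm EXAMPLE.COM; override via the environment.
LDAPI_URI="${LDAPI_URI:-ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"

# LDIF requires base64 for a value that is empty, starts with space, ':' or '<',
# or contains anything outside printable ASCII. Return 0 when encoding is needed.
needs_b64() {
    case "$1" in
        ''|' '*|:*|'<'*) return 0 ;;
    esac
    # Delete every printable ASCII byte; anything left forces base64.
    [ "$(printf '%s' "$1" | LC_ALL=C tr -d ' -~' | wc -c | tr -d ' ')" -gt 0 ]
}

# Emit the modify LDIF for one account. The server hashes the value itself
# (its passwordStorageScheme), so the clear value only travels over the socket.
reset_ldif() {
    uid="$1"; newpw="$2"
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$uid" "$BASE_DN"
    printf 'changetype: modify\nreplace: userPassword\n'
    if needs_b64 "$newpw"; then
        printf 'userPassword:: %s\n' "$(printf '%s' "$newpw" | base64 | tr -d '\n')"
    else
        printf 'userPassword: %s\n' "$newpw"
    fi
}

# Read the new password from stdin so it never appears in argv (ps) or a file,
# then apply it. SASL EXTERNAL over LDAPI lets the server map local root to
# a privileged identity without any bind password (-Q: never prompt).
reset_password() {
    IFS= read -r newpw || return 1
    reset_ldif "$1" "$newpw" | ldapmodify -H "$LDAPI_URI" -Y EXTERNAL -Q
}
```

Invoke it as `printf '%s\n' "$new_pw" | reset_password alice` on the IPA server; because the change is made by an identity other than the user, FreeIPA marks the password as expired and the user must change it at first login.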
