[Freeipa-devel] Consistent password hashing and lookups

James purpleidea at gmail.com
Mon May 12 01:47:30 UTC 2014


On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 05/11/2014 06:31 PM, James wrote:
>>
>> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>> This is scary.
>>> This means that you are expecting to have a hash being stored somewhere else
>>> outside the DS.
>>
>> Haha, I agree! Actually, worse! I will have the plain text password
>> stored somewhere outside the DS! Let me give you more background:
>>
>> I think this is an atrociously bad idea. However *everybody* stores
>> password credentials poorly in puppet. So in order to do it properly,
>> I've gone to great lengths to support something smarter for
>> puppet-ipa. Most of the code is already done.
>>
>
> Which module do you want me to look at?
> I am not going to review your whole project :-)
I just posted it for fun. I wasn't looking for a review, though!
The technique is rather complicated, so I'm going to save it for a
longer blog post write-up when it's finished.

>
>
>> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
>>
>> You'll be very pleased to know it doesn't do anything bad! BUT: I am
>> still going to support the "bad method" of storing the actual password
>> in puppet. Sad, but still used. So I do need to know how to do this
>> bad thing, but if you look at my code, you'll see I'm doing something
>> clever. Once it's all done and tested, I'll blog about it and announce
>> the technique publicly.
>>
>>> Can you describe the workflow?
>>> You want to be able to reset the admin password, right?
>>> How do you bind? Using same admin password? Or keytab?
>>
>> I don't bind. I'm running as root on the free-ipa server.
>
> But to do an LDAP operation you still need to connect to LDAP. You can use
> LDAPI in this case, but then you do not need to authenticate at all; I think
> in this case you should be able to overwrite the password without knowing
> the old one.
>
> I do not think we should promote bad and insecure practices around the
> security product. That defeats the purpose. I strongly suggest avoiding
> saving any password and resetting the existing password using local root. I
> think it is possible. If not, we need to think about the proper way of
> solving your use case.
Agreed. Which is why I posted the feature branch early, to hopefully
convince the ipa community that I'm going about the password stuff the
"right way".

Anyways, back to the question:
What commands can I use to look up the hash, and compute the hash? (Or
simply test if a string password matches the stored password.)

Same questions for the DM password.

Thanks!


>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
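The question above asks how to compute the stored hash and how to test whether a string matches it. The following is an added example, not code from the thread or from puppet-ipa: it assumes the value was read from a user's `userPassword` attribute in the directory server and is in the salted-SHA form `{SSHA}base64(digest || salt)` that 389-DS uses by default (the `{SSHA256}`/`{SSHA512}` variants use the same layout with a longer digest). The sample password and salt are constructed for the demonstration. It does not cover Kerberos keys, which FreeIPA stores separately from `userPassword`.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Salted scheme name -> (hash constructor, digest length in bytes).
# Layout is base64(digest || salt); the salt is whatever follows the digest.
_SALTED = {
    "SSHA": (hashlib.sha1, 20),
    "SSHA256": (hashlib.sha256, 32),
    "SSHA512": (hashlib.sha512, 64),
}
# Unsalted schemes: base64(digest) only.
_PLAIN = {"SHA": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def make_hash(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Compute a directory-style userPassword value for `password`.

    For salted schemes a random 8-byte salt is generated unless one is given
    (a fixed salt is only sensible for tests).
    """
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme in _SALTED:
        ctor, _ = _SALTED[scheme]
        if salt is None:
            salt = os.urandom(8)
        digest = ctor(pw + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))
    if scheme in _PLAIN:
        digest = _PLAIN[scheme](pw).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))
    raise ValueError("unsupported password scheme: %s" % scheme)


def verify_password(stored: str, candidate: str) -> bool:
    """Return True if `candidate` matches the stored userPassword value.

    Handles {SSHA*} and {SHA*} values; a value without a {scheme} prefix is
    treated as clear text (the 'bad method' the thread discusses) and compared
    directly. Comparisons use hmac.compare_digest to avoid timing leaks.
    """
    pw = candidate.encode("utf-8")
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    raw = base64.b64decode(payload)
    if scheme in _SALTED:
        ctor, dlen = _SALTED[scheme]
        digest, salt = raw[:dlen], raw[dlen:]
        return hmac.compare_digest(ctor(pw + salt).digest(), digest)
    if scheme in _PLAIN:
        return hmac.compare_digest(_PLAIN[scheme](pw).digest(), raw)
    raise ValueError("unsupported password scheme: %s" % scheme)


if __name__ == "__main__":
    # Constructed sample: fixed salt so the output is reproducible.
    stored = make_hash("correct horse battery staple", "SSHA", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(stored)
    print(verify_password(stored, "correct horse battery staple"))  # True
    print(verify_password(stored, "wrong password"))                # False
```

A script like this lets a tool check a candidate string against the directory's stored value without ever writing the candidate anywhere; to rotate the password the directory itself should still be asked to hash the new value, as the thread recommends, rather than pushing a precomputed hash in from outside.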