[Freeipa-devel] Consistent password hashing and lookups

Mon May 12 07:11:03 UTC 2014

On 05/12/2014 03:47 AM, James wrote:
> On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal <dpal at redhat.com> wrote:
>> On 05/11/2014 06:31 PM, James wrote:
>>>
>>> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>
>>>> This is scary.
>>>> This means that you expecting to have a hash being stored somewhere else
>>>> outside the DS.
>>>
>>> Haha, I agree! Actually, worse! I will have the plain text password
>>> stored somewhere outside the DS! Let me give you more background:
>>>
>>> I think this is an atrociously bad idea. However *everybody* stores
>>> password credentials poorly in puppet. So in order to do it properly,
>>> I've gone to great lengths to support something smarter for
>>> puppet-ipa. Most of the code is already done.
>>>
>>
>> Which module do you want me to look at?
>> I am not going to review your whole project :-)
> I just posted it for fun. I wasn't looking for a review, though!
> The technique is rather complicated, so I'm going to save it for a
> longer blog post write up when it's finished.
> 
>>
>>
>>> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
>>>
>>> You'll be very pleased to know it doesn't do anything bad! BUT: I am
>>> still going to support the "bad method" of storing the actual password
>>> in puppet. Sad, but still used. So I do need to know how to do this
>>> bad thing, but if you look at my code, you'll see I'm doing something
>>> clever. Once it's all done and tested, I'll blog about it and announce
>>> the technique publicly.
>>>
>>>> Can you describe the workflow?
>>>> You want to be able to reset the admin password, right?
>>>> How do you bind? Using same admin password? Or keytab?
>>>
>>> I don't bind. I'm running as root on the free-ipa server.
>>
>> But to do an LDAP operation you still need to connect to LDAP. You can use
>> LDAPI in this case but then you do not need to authentocate at all, I think
>> in this case you should be able to overwrite the password without knowing
>> the old one.
>>
>> I do not think we should promote bad and insecure practices around the
>> security product. That defeats the purpose. I strongle suggest avoiding
>> saving any password and resetting the existing password using local root. I
>> think it is possible. If not we need to think about the proper way of
>> solving your use case.
> Agreed. Which is why I posted the feature branch early, to hopefully
> convince the ipa community that I'm going about the password stuff the
> "right way".
> 
> Anyways, back to the question:
> What commands can I use to look up the hash, and compute the hash? (Or
> simply test if a string password matches the stored password.)
> 
> Same questions for the DM password.
> 
> Thanks!

I sense some very black magic happening in this thread...

I do not see any reason for storing the password or hash of the password
outside of FreeIPA. As you said, you have a local root access to IPA machine,
you can then bind as Directory Manager and see or change any password.

1) Get fbar1;s b64 encoded password hash:

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b
'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' userPassword

2) Forcefully change fbar1's password:

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' -s newpassword

Note that the user fbar1 will not be prompted for the new password as the
password was changed by DM. As Dmitri wrote, a safer and a better approach
would be to have the script run as a special/system user with appropriate
privilege, authenticated with a keytab. Such user could then just call "ipa
passwd" FreeIPA command.

If you are interested in resetting DM password, you can check:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Common_Usage-Resetting_Passwords.html

and

http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

Martin