[Freeipa-devel] Consistent password hashing and lookups

Dmitri Pal dpal at redhat.com
Mon May 12 22:22:55 UTC 2014


On 05/12/2014 06:07 PM, James wrote:
> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
>> Is there any other attribute to look at?
>> For example the timestamp when it was last set and base the update on
>> that rather than on matching password values?
>>
> There are some other solutions, but they are less elegant or don't work
> consistently. (E.g. bad hacks)
>
>
I would argue that comparing hashes is the worst hack ever.
Can you create a file once you set a password to indicate that password 
is set?

Bottom line - I do not like the approach you are trying to implement and 
I do not want you to find a way to solve this problem by comparing 
hashes. It is not good security hygiene. I would rather suggest 
patches to puppet to address the issue properly than aid you on this path.

Sorry ;-)

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
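The sentinel-file idea Dmitri raises above, as an added example that is not code from this thread, from FreeIPA or from puppet: the provisioning step runs the real password-setting command only when no marker exists, then drops a marker so later runs are no-ops, so nothing ever needs to read or compare stored password hashes. The `ensure_password_set` function, the marker path and the `count_runs` stand-in for the real command are all assumptions made for the demo; in a real deployment the command argument would be whatever actually sets the password.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent "set the password once" using
# a sentinel file, instead of comparing password hashes to decide whether the
# password was already set.  Assumptions: the caller supplies the command that
# actually sets the password, and the sentinel directory is writable by the
# provisioning user.  The marker itself carries no secret material.

# ensure_password_set MARKER_FILE COMMAND [ARGS...]
# Runs COMMAND only if MARKER_FILE does not exist.  On success, creates the
# marker (mode 0600) so subsequent runs return early.  Returns 0 when the
# password is known to be set, 1 if COMMAND failed (no marker is written then,
# so the next run retries).
ensure_password_set() {
    marker=$1
    shift
    if [ -f "$marker" ]; then
        return 0
    fi
    if "$@"; then
        mkdir -p "$(dirname "$marker")"
        ( umask 077 && : > "$marker" )
        return 0
    fi
    return 1
}

# Constructed demo: stand in for the real password-setting command by counting
# invocations in a file, so idempotence can be observed without touching any
# real account.
DEMO_DIR=$(mktemp -d)
count_runs() {
    n=0
    [ -f "$DEMO_DIR/runs" ] && n=$(cat "$DEMO_DIR/runs")
    echo $((n + 1)) > "$DEMO_DIR/runs"
}
run_count() { cat "$DEMO_DIR/runs" 2>/dev/null || echo 0; }

# Two provisioning passes: only the first one should invoke the command.
ensure_password_set "$DEMO_DIR/state/password-set" count_runs
ensure_password_set "$DEMO_DIR/state/password-set" count_runs
echo "password-setting command ran $(run_count) time(s)"
```

The marker records only that the step completed, which is the single fact the configuration tool needs; whether the value in the directory still matches what puppet last set is a separate question that should be answered by the identity service's own policy (expiry, last-changed timestamps), not by re-deriving hashes on the client.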
