[Freeipa-devel] Consistent password hashing and lookups

James purpleidea at gmail.com
Tue May 13 02:37:17 UTC 2014


On Mon, May 12, 2014 at 6:22 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 05/12/2014 06:07 PM, James wrote:
>>
>> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
>>>
>>> Is there any other attribute to look at?
>>> For example the timestamp when it was last set and base the update on
>>> that rather than on matching password values?
>>>
>> There are some other solutions, but they are less elegant or don't work
>> consistently. (Eg: bad hacks)
>>
>>
> I would argue that comparing hashes is the worst hack ever.
> Can you create a file once you set a password to indicate that password is
> set?
Not possible...

>
> Bottom line - I do not like the approach you are trying to implement and I
> do not want you to find a way to solve this problem by comparing hashes. It
> is not a good security hygiene. I would rather suggest patches to puppet to
> address the issue properly than aid you on this path.

I think you are missing the point... It is a bit subtle. Puppet is
weird :) Here's what I'll do. I'll finish my other password related
work, and then I'll post back with my complete feature branch minus
the missing commands that I'm hoping to learn from the ML.

I think you'll realize what I'm doing makes a lot of sense. I think
you'll also soon agree that I have the only puppet module out there
that is managing passwords responsibly. The status quo is that people
are storing cleartext passwords _in puppet! tsk tsk. In any case,
since when did a project stop its users from shooting themselves in
the foot if they thought that was right?

Cheers,
James



>
> Sorry ;-)
