[Freeipa-devel] Consistent password hashing and lookups

Simo Sorce ssorce at redhat.com
Tue May 13 19:51:22 UTC 2014


----- Original Message -----
> On Mon, May 12, 2014 at 6:22 PM, Dmitri Pal <dpal at redhat.com> wrote:
> > On 05/12/2014 06:07 PM, James wrote:
> >>
> >> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
> >>>
> >>> Is there any other attribute to look at?
> >>> For example the timestamp when it was last set and base the update on
> >>> that rather than on matching password values?
> >>>
> >> There are some other solutions, but they are less elegant or don't work
> >> consistently. (Eg: bad hacks)
> >>
> >>
> > I would argue that comparing hashes is the worst hack ever.
> > Can you create a file once you set a password to indicate that password is
> > set?
> Not possible...
> 
> >
> > Bottom line - I do not like the approach you are trying to implement and I
> > do not want you to find a way to solve this problem by comparing hashes. It
> > is not a good security hygiene. I would rather suggest patches to puppet to
> > address the issue properly than aid you on this path.
> 
> I think you are missing the point... It is a bit subtle. Puppet is
> weird :) Here's what I'll do. I'll finish my other password related
> work, and then I'll post back with my complete feature branch minus
> the missing commands that I'm hoping to learn from the ML.
> 
> I think you'll realize what I'm doing makes a lot of sense. I think
> you'll also soon agree that I have the only puppet module out there
> that is managing passwords responsibly. The status quo is that people
> are storing cleartext passwords _in puppet! tsk tsk. In any case,
> since when did a project stop its users from shooting themselves in
> the foot if they thought that was right?

It is completely unclear to me how you plan to change a password without having the clear text (or equivalent) password. If what you are planning to do is to just write the already hashed password in userPassword, it will not work.

To add to that, I do not understand why you would do password management via puppet. You do not need to change local files; FreeIPA is a networked server and you can change passwords over the network already, so why would you want to distribute them via puppet??

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York
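Added example, not code from the thread or from FreeIPA: it shows why the "compare the stored hash values" idea debated above cannot tell whether two passwords match, since every properly salted hash of the same password is different; the only sound check is to re-derive with the stored salt, and even that requires the clear-text password Simo refers to. The hash format and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed example: a salted PBKDF2 record stored as "salt_hex$digest_hex",
# the general shape of a password store; not FreeIPA's userPassword encoding.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a salted hash; a fresh random salt is drawn unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def hashes_equal(a: str, b: str) -> bool:
    """The 'compare hashes' approach from the thread: true only when salt and
    digest are byte-identical, which two independently generated hashes never are."""
    return hmac.compare_digest(a.encode(), b.encode())


def demo() -> dict:
    """Same password hashed twice: naive comparison fails, salted verification works."""
    stored = hash_password("correct horse")   # what the server holds
    fresh = hash_password("correct horse")    # what a config tool would recompute
    return {
        "same_password_hashes_match": hashes_equal(stored, fresh),            # False
        "verify_with_stored_salt": verify_password("correct horse", stored),  # True
        "verify_wrong_password": verify_password("wrong", stored),            # False
    }


if __name__ == "__main__":
    print(demo())
```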
