[Freeipa-users] Understanding the migration mode

Simo Sorce simo at redhat.com
Fri Apr 3 13:06:18 UTC 2015


On Thu, 2015-04-02 at 17:33 -0400, Prasun Gera wrote:
> I had a look at ldap/servers/plugins/pwdstorage/crypt_pwd.c, and it looks
> like it is hardcoded in crypt_pw_enc, which uses the default DES crypt
> method. This only affects the encoding. The verification of passwords works
> with any of MD5 or SHA-* schemes since the underlying crypt function in
> recent glibcs supports them. Would it make sense to add the other options
> to the encoding function?

You should probably pose that question to the 389ds team.
From the IPA pov, these hashes are legacy and not needed because we
*strongly* discourage users from distributing hashes around and
recommend hashes are not made available. Rather users should use
kerberos, or as a less desirable alternative LDAP simple binds to
authenticate. Brute forcing weak passwords even w/o random tables is
easy these days with the available on-demand computing power provided by
cloud operators, so distributing hashes is riskier than ever, especially
old hashes based on DES or MD5, but SHA-1 is not far down the list.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
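A defender-side audit of exported userPassword values, added here as an example (not code from this thread, 389ds or FreeIPA): it names the scheme of each stored value by its crypt(3) prefix, so the legacy DES and MD5 hashes the thread warns about can be located in an LDIF export before they are distributed anywhere. The {CRYPT} tag, the traditional 13-character DES form, the $1$/$5$/$6$ prefixes and the LDIF `::` base64 form are standard; the sample entries and hash bodies are constructed placeholders.

```python
import base64
import re
# crypt(3) scheme prefixes (glibc/libxcrypt); 389ds wraps the result in a {CRYPT} tag
CRYPT_ALGOS = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
               "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
               "$y$": "yescrypt"}
LEGACY = {"descrypt", "md5crypt", "md5", "sha", "clear", "cleartext"}
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional DES: 2 salt + 11 hash

def classify(stored: str) -> str:
    """Name the hashing scheme of one LDAP userPassword value."""
    m = re.match(r"^\{([A-Za-z0-9]+)\}(.*)$", stored, re.S)
    if not m:
        return "cleartext"             # no {SCHEME} tag at all
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme.lower()          # ssha, ssha512, md5, sha, clear, ...
    for prefix, name in CRYPT_ALGOS.items():
        if payload.startswith(prefix):
            return name
    return "descrypt" if _DES_RE.match(payload) else "unknown"

def audit_ldif(ldif: str) -> list:
    """Return (dn, scheme) for each entry whose stored hash scheme is legacy."""
    findings, dn = [], None
    for line in ldif.splitlines():
        if line.startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
            continue
        if line.startswith("userPassword::"):       # LDIF base64-encoded value
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode()
        elif line.startswith("userPassword:"):
            value = line.split(":", 1)[1].strip()
        else:
            continue
        scheme = classify(value)
        if scheme in LEGACY:
            findings.append((dn, scheme))
    return findings
# Constructed sample export; the hash bodies are placeholders, not real digests.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test",
    "userPassword: {CRYPT}$6$saltsalt$notarealhash",
    "",
    "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test",
    "userPassword: {CRYPT}abJnggxhB/yWI",
    "",
    "dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test",
    "userPassword:: " + base64.b64encode(b"{CRYPT}$1$saltsalt$notarealhash").decode(),
])
```

Running `audit_ldif(SAMPLE_LDIF)` flags bob (DES crypt) and carol (md5crypt) and leaves alice's sha512crypt entry alone.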