Walter Meyer wrote:
> I will see if Salted SHA1 is supported and maybe Google hasn't
> documented it yet. If not, the sync is done with the Google servers over
> SSL. And if only the Directory Manager can read the userPassword
> attribute, would storing the userPassword attribute in SHA1 be that
> insecure? What scenario could the passwords be compromised in if I went
> with this setup? Unless the Directory Manager account was compromised,
> wouldn't this be secure if all of the data was being transmitted over SSL?
> Also, all logins to Google Apps are encrypted with SSL.

OK, the SSL usage makes me feel better. Using a weaker password
encryption scheme isn't ideal, but if you are protecting transmission of
it you are probably ok. The risk is that if somehow the hash did get
exposed it is relatively easier to crack than a salted hash. Risk is
something you'll need to weigh specific to your environment; this may be
acceptable. It doesn't make my alarm bells go off, but I'm a pretty laid
back guy :-)
In fact, this would be very cool if it worked. You might want to file an
RFE with the nice folks at Google to see if they'll support salted
hashes if they don't now and potentially move to a more secure
environment later.
As Simo pointed out you'll want to modify the default password
encryption scheme before adding your users so you don't have to force
round after round of password changes on them.
If you decide to try it out let us know how it works.
cheers
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
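The point Rob makes about an exposed unsalted hash being easier to crack is worth seeing concretely. The following is an added example (not code from the thread, FreeIPA or Google) that builds LDAP userPassword values in the unsalted {SHA} form and the salted {SSHA} form, then simulates an attacker who has obtained a dump of those values and runs a wordlist against them. The users, passwords and wordlist are constructed for the example. With {SHA}, two users who share a password get the identical stored value and one precomputed table cracks all of them at once; with {SSHA}, the per-entry salt forces the attacker to re-hash the wordlist for every user.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

SHA1_LEN = 20  # bytes in a SHA-1 digest; {SSHA} stores digest || salt


def ldap_sha(password: str) -> str:
    """Unsalted {SHA} userPassword: base64(sha1(password)).
    Every user with this password gets the identical stored value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} userPassword: base64(sha1(password || salt) || salt).
    The salt is random per entry and stored in the clear after the digest."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against either stored form (constant-time compare)."""
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode("utf-8")).digest())
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode("utf-8") + salt).digest())
    raise ValueError("unsupported userPassword scheme: " + stored[:8])


def crack(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Simulate an attacker holding a dump of userPassword values.
    Returns (uid -> recovered password, number of SHA-1 computations spent).
    {SHA}:  hash each wordlist entry ONCE, then look every user up in the table.
    {SSHA}: the per-user salt forces the wordlist to be hashed again for each user."""
    cracked: Dict[str, str] = {}
    ops = 0
    # Pass 1: unsalted values share one precomputed table (rainbow-table style).
    unsalted = {uid: v for uid, v in dump.items() if v.startswith("{SHA}")}
    if unsalted:
        table = {}
        for word in wordlist:
            table[ldap_sha(word)] = word
            ops += 1
        for uid, value in unsalted.items():
            if value in table:
                cracked[uid] = table[value]
    # Pass 2: salted values must be attacked one entry at a time.
    for uid, value in dump.items():
        if not value.startswith("{SSHA}"):
            continue
        for word in wordlist:
            ops += 1  # one fresh SHA-1 per (user, word) pair
            if verify(value, word):
                cracked[uid] = word
                break
    return cracked, ops


# Constructed sample directory (hypothetical users): two of them share a weak password.
USERS = {"alice": "Summer2008", "bob": "Summer2008", "carol": "correct horse battery"}
WORDLIST = ["password", "Summer2008", "letmein"]  # constructed attacker wordlist


def build_dump(salted: bool) -> Dict[str, str]:
    """Produce the userPassword values an attacker might dump, in one scheme or the other."""
    return {uid: (ldap_ssha(pw) if salted else ldap_sha(pw)) for uid, pw in USERS.items()}


if __name__ == "__main__":
    unsalted_dump, salted_dump = build_dump(False), build_dump(True)
    print("alice == bob ({SHA}) :", unsalted_dump["alice"] == unsalted_dump["bob"])
    print("alice == bob ({SSHA}):", salted_dump["alice"] == salted_dump["bob"])
    for label, dump in (("{SHA}", unsalted_dump), ("{SSHA}", salted_dump)):
        found, ops = crack(dump, WORDLIST)
        print(f"{label}: cracked {sorted(found)} with {ops} SHA-1 computations")
```

The wordlist here is three entries, so the difference is small; against a real directory the cost of a salted dump grows with the number of users times the wordlist, while an unsalted dump costs the wordlist once and cracks every shared password together. Neither scheme slows a single guess down (SHA-1 is fast), so the salt helps against precomputation and batch attacks, not against a targeted attack on one weak password. Rob's advice to change the default scheme before creating users is what makes the salted form apply to everyone; in 389 Directory Server, on which FreeIPA is built, that default is the `passwordStorageScheme` attribute on `cn=config` (the exact value to set for your version is an assumption to check against your server's documentation).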