On Thu, 2015-04-02 at 17:33 -0400, Prasun Gera wrote:
> I had a look at ldap/servers/plugins/pwdstorage/crypt_pwd.c, and it looks
> like it is hardcoded in crypt_pw_enc, which uses the default DES crypt
> method. This only affects the encoding. The verification of passwords works
> with any of MD5 or SHA-* schemes since the underlying crypt function in
> recent glibcs supports them. Would it make sense to add the other options
> to the encoding function ?

You should probably pose that question to the 389ds team.
>From the IPA pov, these hashes are legacy and not needed because we
*strongly* discourage users from distributing hashes around and
recommend hashes are not made available. Rather users should use
kerberos, or as a less desirable alternative LDAP simple binds to
authenticate. Brute forcing weak passwords even w/o random tables is
easy these days with the available on-demand computing power provided by
cloud operators, so distributing hashes is riskier than ever, especially
old hashes based on DES or MD5, but SHA-1 is not far down the list.


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to