[Freeipa-devel] Consistent password hashing and lookups
Hi #freeipa,

I'm working on improving my puppet-ipa module... One area I'm working on is better password management... In any case, here's the problem:

I want to give the script the ability to change it. The easy way to do this is to compare what it is currently, to what it is set to. As I'm assuming it's hashed, you have to compare hashes, IOW:

/usr/bin/test `hashed(somepass)` = `function_lookup_hash()`

Assuming the admin password is stored as a deterministic hash, I need two things:

1) To know how to run the hashing function manually (say from python)
2) To know how to lookup the stored hash manually (say from python)

Thanks to ab (#freeipa), I know how to set the admin password:

    # split by the periods!
    $domain_split = split($valid_domain, '\.')
    # add dc= to each array element
    $prefix = prefix($domain_split, 'dc=')
    $suffix = join($prefix, ',')    # eg: dc=example,dc=com
    $socket_realm = regsubst($valid_realm, '\.', '-', 'G')
    $ldapuri = "ldapi://%2fvar%2frun%2fslapd-${socket_realm}.socket"
    $admin_password_change = "/usr/bin/ldappasswd -Y EXTERNAL -s `${admin_password_exec}` -H ${ldapuri} uid=admin,cn=users,cn=accounts,${suffix}"

I also have the same question for the DM password, however I don't yet know how to set it. If someone has a script for that, I'd love that too!

Thanks again!
James

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA on AWS EC2
On 05/09/2014 10:01 PM, daiEric wrote:
> hi
> Is there any solution to deploy FreeIpa on ubuntu linux?

I thought we did a lot to make this happen and it is now possible but to be fair I did not see any instructions and guidelines so I am not sure.

> thanks
> Eric dai
>
> On May 10, 2014, at 4:01, Martin Kosek mko...@redhat.com wrote:
>> On 05/08/2014 06:55 PM, Dmitri Pal wrote:
>>> On 05/08/2014 11:59 AM, Hendri Morris wrote:
>>>> Is there any plan to bring FreeIPA to Amazon AWS EC2? At this point the client doesn't even install on Amazon Linux (Redhat Clone Optimized for AWS). Goes straight to dependency hell. I deployed a multi-server FreeIPA in an enterprise environment and absolutely love the product. Please add AWS to the roadmap!
>>>>
>>>> www.ilstechnology.com
>>>> Hendri Morris
>>>> Senior Cloud Engineer
>>>> deviceWISE Operations
>>>
>>> Have you tried this?
>>> http://cloud-mechanic.blogspot.com/2013/10/diversion-kerberos-freeipa-in-aws-ec2.html
>>
>> Great to hear you like FreeIPA! As you get into a dependency hell, I would assume it is not a problem of FreeIPA vs. AWS, but rather some packaging issue in your image of choice (i.e. the Red Hat clone). I personally tried deploying FreeIPA in a Red Hat OpenStack instance for a public demo testing instance and did not hit much resistance.
>>
>> You just need to keep your hostname static (did with cloud-init) and make sure the DNS is sane and it should work ok. I plan to write some article about the OpenStack demo soon, stay tuned.
>>
>> Martin

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-devel] Consistent password hashing and lookups
On 05/11/2014 01:27 PM, James wrote:
> Hi #freeipa,
>
> I'm working on improving my puppet-ipa module... One area I'm working on is better password management... In any case, here's the problem:
>
> I want to give the script the ability to change it. The easy way to do this is to compare what it is currently, to what it is set to. As I'm assuming it's hashed, you have to compare hashes, IOW:
>
> /usr/bin/test `hashed(somepass)` = `function_lookup_hash()`

This is scary. This means that you are expecting to have a hash being stored somewhere else outside the DS.
Can you describe the workflow? You want to be able to reset the admin password, right? How do you bind? Using same admin password? Or keytab?

> Assuming the admin password is stored as a deterministic hash, I need two things:
>
> 1) To know how to run the hashing function manually (say from python)
> 2) To know how to lookup the stored hash manually (say from python)
>
> Thanks to ab (#freeipa), I know how to set the admin password:
>
>     # split by the periods!
>     $domain_split = split($valid_domain, '\.')
>     # add dc= to each array element
>     $prefix = prefix($domain_split, 'dc=')
>     $suffix = join($prefix, ',')    # eg: dc=example,dc=com
>     $socket_realm = regsubst($valid_realm, '\.', '-', 'G')
>     $ldapuri = "ldapi://%2fvar%2frun%2fslapd-${socket_realm}.socket"
>     $admin_password_change = "/usr/bin/ldappasswd -Y EXTERNAL -s `${admin_password_exec}` -H ${ldapuri} uid=admin,cn=users,cn=accounts,${suffix}"
>
> I also have the same question for the DM password, however I don't yet know how to set it. If someone has a script for that, I'd love that too!
>
> Thanks again!
> James

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-devel] Consistent password hashing and lookups
On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal d...@redhat.com wrote:
> This is scary. This means that you are expecting to have a hash being stored somewhere else outside the DS.

Haha, I agree! Actually, worse! I will have the plain text password stored somewhere outside the DS! Let me give you more background: I think this is an atrociously bad idea. However *everybody* stores password credentials poorly in puppet. So in order to do it properly, I've gone to great lengths to support something smarter for puppet-ipa. Most of the code is already done.

https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw

You'll be very pleased to know it doesn't do anything bad! BUT: I am still going to support the bad method of storing the actual password in puppet. Sad, but still used. So I do need to know how to do this bad thing, but if you look at my code, you'll see I'm doing something clever. Once it's all done and tested, I'll blog about it and announce the technique publicly.

> Can you describe the workflow? You want to be able to reset the admin password, right? How do you bind? Using same admin password? Or keytab?

I don't bind. I'm running as root on the FreeIPA server.
Re: [Freeipa-devel] Consistent password hashing and lookups
On 05/11/2014 06:31 PM, James wrote:
> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal d...@redhat.com wrote:
>> This is scary. This means that you are expecting to have a hash being stored somewhere else outside the DS.
>
> Haha, I agree! Actually, worse! I will have the plain text password stored somewhere outside the DS! Let me give you more background: I think this is an atrociously bad idea. However *everybody* stores password credentials poorly in puppet. So in order to do it properly, I've gone to great lengths to support something smarter for puppet-ipa. Most of the code is already done.

Which module do you want me to look at? I am not going to review your whole project :-)

> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
>
> You'll be very pleased to know it doesn't do anything bad! BUT: I am still going to support the bad method of storing the actual password in puppet. Sad, but still used. So I do need to know how to do this bad thing, but if you look at my code, you'll see I'm doing something clever. Once it's all done and tested, I'll blog about it and announce the technique publicly.
>
>> Can you describe the workflow? You want to be able to reset the admin password, right? How do you bind? Using same admin password? Or keytab?
>
> I don't bind. I'm running as root on the FreeIPA server.

But to do an LDAP operation you still need to connect to LDAP. You can use LDAPI in this case but then you do not need to authenticate at all, I think in this case you should be able to overwrite the password without knowing the old one.

I do not think we should promote bad and insecure practices around the security product. That defeats the purpose. I strongly suggest avoiding saving any password and resetting the existing password using local root. I think it is possible. If not we need to think about the proper way of solving your use case.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-devel] Consistent password hashing and lookups
On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal d...@redhat.com wrote:
> On 05/11/2014 06:31 PM, James wrote:
>> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal d...@redhat.com wrote:
>>> This is scary. This means that you are expecting to have a hash being stored somewhere else outside the DS.
>>
>> Haha, I agree! Actually, worse! I will have the plain text password stored somewhere outside the DS! Let me give you more background: I think this is an atrociously bad idea. However *everybody* stores password credentials poorly in puppet. So in order to do it properly, I've gone to great lengths to support something smarter for puppet-ipa. Most of the code is already done.
>
> Which module do you want me to look at? I am not going to review your whole project :-)

I just posted it for fun. I wasn't looking for a review, though! The technique is rather complicated, so I'm going to save it for a longer blog post write up when it's finished.

>> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
>>
>> You'll be very pleased to know it doesn't do anything bad! BUT: I am still going to support the bad method of storing the actual password in puppet. Sad, but still used. So I do need to know how to do this bad thing, but if you look at my code, you'll see I'm doing something clever. Once it's all done and tested, I'll blog about it and announce the technique publicly.
>>
>>> Can you describe the workflow? You want to be able to reset the admin password, right? How do you bind? Using same admin password? Or keytab?
>>
>> I don't bind. I'm running as root on the FreeIPA server.
>
> But to do an LDAP operation you still need to connect to LDAP. You can use LDAPI in this case but then you do not need to authenticate at all, I think in this case you should be able to overwrite the password without knowing the old one.
>
> I do not think we should promote bad and insecure practices around the security product. That defeats the purpose.
> I strongly suggest avoiding saving any password and resetting the existing password using local root. I think it is possible. If not we need to think about the proper way of solving your use case.

Agreed. Which is why I posted the feature branch early, to hopefully convince the ipa community that I'm going about the password stuff the right way.

Anyways, back to the question: What commands can I use to look up the hash, and compute the hash? (Or simply test if a string password matches the stored password.) Same questions for the DM password.

Thanks!

> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
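The hash lookup and comparison James asks about here and in the opening message, worked through as an added Python example (the language he mentions); this is not code from the thread, from FreeIPA or from puppet-ipa. It assumes the stored credential is a 389 DS userPassword value in the {SSHA} scheme (salted SHA-1: base64 of the 20-byte digest followed by the salt). The thread never states which scheme the server uses, so treat that scheme as the example's assumption. The example also rebuilds the base DN and LDAPI URI from the puppet snippet and turns the ldappasswd one-liner into an argv list. Nothing here contacts a directory server; all sample values are constructed.

```python
"""Added example (not from the thread): data-format checks for the puppet-ipa
password workflow.

Assumption, labelled as such: the stored value is a 389 DS userPassword in the
{SSHA} scheme (base64(sha1(password || salt) || salt)). The thread does not say
which scheme the server uses. No function here talks to a directory server.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

SHA1_LEN = 20  # bytes of SHA-1 digest; whatever follows it in the blob is the salt


def build_base_dn(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com' (the $suffix the puppet snippet computes)."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain must have at least one label")
    return ",".join(f"dc={label}" for label in labels)


def build_ldapi_uri(realm: str) -> str:
    """LDAPI URI of the 389 DS instance named after the realm.

    The socket path lives in the URI authority, so every '/' is percent-encoded
    as '%2f', exactly as the snippet in the thread does it.
    """
    socket_realm = realm.replace(".", "-")
    socket_path = f"/var/run/slapd-{socket_realm}.socket"
    return "ldapi://" + socket_path.replace("/", "%2f")


def build_ldappasswd_argv(realm: str, domain: str, new_password: str) -> List[str]:
    """The ldappasswd call from the thread as an argv list rather than a shell string.

    Handing this list to subprocess.run avoids the backtick/quoting problem of the
    one-line command; the flags are the ones the thread uses.
    """
    return [
        "/usr/bin/ldappasswd",
        "-Y", "EXTERNAL",
        "-H", build_ldapi_uri(realm),
        "-s", new_password,
        f"uid=admin,cn=users,cn=accounts,{build_base_dn(domain)}",
    ]


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    This is why `hashed(somepass) == stored` cannot work: the salt is random per
    entry and only recoverable from the stored blob itself. The digest compare is
    constant-time, so the check does not leak how many bytes matched.
    """
    scheme, sep, payload = stored.partition("}")
    if not sep or scheme.upper() != "{SSHA":
        raise ValueError(f"unsupported password scheme: {stored[:16]!r}")
    blob = base64.b64decode(payload, validate=True)
    if len(blob) <= SHA1_LEN:
        raise ValueError("{SSHA} value too short to hold a digest and a salt")
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    stored = hash_ssha("correct horse", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(build_base_dn("example.com"))
    print(build_ldapi_uri("EXAMPLE.COM"))
    print(" ".join(build_ldappasswd_argv("EXAMPLE.COM", "example.com", "<new-password>")))
    print(verify_ssha(stored, "correct horse"), verify_ssha(stored, "wrong"))
```

The verify function makes the point Dmitri's reply already hints at: the stored value carries a per-entry random salt, so there is no deterministic `hashed(somepass)` to compare against; you have to read the stored value, split out its salt and recompute. And because the snippet binds over LDAPI with `-Y EXTERNAL` as local root, the password can be reset without knowing the current one, so the comparison is only needed to decide whether a change is required at all. `-s` still hands the new password to ldappasswd on its command line, where it is visible in the process list while the command runs; ldappasswd's `-T` option reads it from a file instead.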