Re: [Freeipa-devel] Consistent password hashing and lookups
On 05/12/2014 10:37 PM, James wrote:
> On Mon, May 12, 2014 at 6:22 PM, Dmitri Pal <d...@redhat.com> wrote:
>> On 05/12/2014 06:07 PM, James wrote:
>>> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
>>>> Is there any other attribute to look at? For example the timestamp when it was last set and base the update on that rather than on matching password values?
>>> There are some other solutions, but they are less elegant or don't work consistently. (Eg: bad hacks)
>> I would argue that comparing hashes is the worst hack ever. Can you create a file once you set a password to indicate that password is set?
> Not possible...
>> Bottom line - I do not like the approach you are trying to implement and I do not want you to find a way to solve this problem by comparing hashes. It is not good security hygiene. I would rather suggest patches to puppet to address the issue properly than aid you on this path.
> I think you are missing the point... It is a bit subtle. Puppet is weird :) Here's what I'll do. I'll finish my other password related work, and then I'll post back with my complete feature branch minus the missing commands that I'm hoping to learn from the ML. I think you'll realize what I'm doing makes a lot of sense. I think you'll also soon agree that I have the only puppet module out there that is managing passwords responsibly. The status quo is that people are storing cleartext passwords _in_ puppet!

This is their problem. Why would we aid them to do wrong things and make it easier? I really miss the point. Why is it all needed? Why do you need to reset passwords in IPA through puppet? What is the use case?

> tsk tsk. In any case, since when did a project stop its users from shooting themselves in the foot if they thought that was right?
> Cheers, James
>> Sorry ;-)

-- Thank you, Dmitri Pal, Sr. Engineering Manager IdM portfolio, Red Hat, Inc.

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Consistent password hashing and lookups
On Tue, May 13, 2014 at 10:36 AM, Dmitri Pal <d...@redhat.com> wrote:
> This is their problem. Why would we aid them to do wrong things and make it easier? I really miss the point. Why is it all needed? Why do you need to reset passwords in IPA through puppet? What is the use case?

Give me about a week and I'll post some finished code :)
Re: [Freeipa-devel] Consistent password hashing and lookups
----- Original Message -----
> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
>> Is there any other attribute to look at? For example the timestamp when it was last set and base the update on that rather than on matching password values?
> There are some other solutions, but they are less elegant or don't work consistently. (Eg: bad hacks)

Reading userPassword is a bad hack, that will stop working as soon as we decide to change the default hash type.

Do yourself a favor, use a simple bind to check the user password. If the bind succeeds you have the right password, and you stop. If it fails you just override the password with whatever you have in puppet.

Simo.

-- Simo Sorce * Red Hat, Inc. * New York
Re: [Freeipa-devel] Consistent password hashing and lookups
----- Original Message -----
> On Mon, May 12, 2014 at 6:22 PM, Dmitri Pal <d...@redhat.com> wrote:
>> On 05/12/2014 06:07 PM, James wrote:
>>> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
>>>> Is there any other attribute to look at? For example the timestamp when it was last set and base the update on that rather than on matching password values?
>>> There are some other solutions, but they are less elegant or don't work consistently. (Eg: bad hacks)
>> I would argue that comparing hashes is the worst hack ever. Can you create a file once you set a password to indicate that password is set?
> Not possible...
>> Bottom line - I do not like the approach you are trying to implement and I do not want you to find a way to solve this problem by comparing hashes. It is not good security hygiene. I would rather suggest patches to puppet to address the issue properly than aid you on this path.
> I think you are missing the point... It is a bit subtle. Puppet is weird :) Here's what I'll do. I'll finish my other password related work, and then I'll post back with my complete feature branch minus the missing commands that I'm hoping to learn from the ML. I think you'll realize what I'm doing makes a lot of sense. I think you'll also soon agree that I have the only puppet module out there that is managing passwords responsibly. The status quo is that people are storing cleartext passwords _in_ puppet! tsk tsk. In any case, since when did a project stop its users from shooting themselves in the foot if they thought that was right?

It is completely unclear to me how you plan to change a password without having the clear text (or equivalent) password. If what you are planning to do is to just write the already hashed password in userPassword, it will not work.

To add to that, I do not understand why you would do password management via puppet, you do not need to change local files, FreeIPA is a networked server and you can change passwords over the network already, why would you want to distribute them via puppet ??

Simo.

-- Simo Sorce * Red Hat, Inc. * New York
Re: [Freeipa-devel] Consistent password hashing and lookups
On 05/12/2014 03:47 AM, James wrote:
> On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal <d...@redhat.com> wrote:
>> On 05/11/2014 06:31 PM, James wrote:
>>> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>> This is scary. This means that you are expecting to have a hash being stored somewhere else outside the DS.
>>> Haha, I agree! Actually, worse! I will have the plain text password stored somewhere outside the DS! Let me give you more background: I think this is an atrociously bad idea. However *everybody* stores password credentials poorly in puppet. So in order to do it properly, I've gone to great lengths to support something smarter for puppet-ipa. Most of the code is already done.
>> Which module do you want me to look at? I am not going to review your whole project :-)
> I just posted it for fun. I wasn't looking for a review, though! The technique is rather complicated, so I'm going to save it for a longer blog post write up when it's finished.
>>> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
>>> You'll be very pleased to know it doesn't do anything bad! BUT: I am still going to support the bad method of storing the actual password in puppet. Sad, but still used. So I do need to know how to do this bad thing, but if you look at my code, you'll see I'm doing something clever. Once it's all done and tested, I'll blog about it and announce the technique publicly.
>>>> Can you describe the workflow? You want to be able to reset the admin password, right? How do you bind? Using same admin password? Or keytab?
>>> I don't bind. I'm running as root on the free-ipa server.
>> But to do an LDAP operation you still need to connect to LDAP. You can use LDAPI in this case but then you do not need to authenticate at all, I think in this case you should be able to overwrite the password without knowing the old one. I do not think we should promote bad and insecure practices around the security product. That defeats the purpose. I strongly suggest avoiding saving any password and resetting the existing password using local root. I think it is possible. If not we need to think about the proper way of solving your use case.
> Agreed. Which is why I posted the feature branch early, to hopefully convince the ipa community that I'm going about the password stuff the right way. Anyways, back to the question: What commands can I use to look up the hash, and compute the hash? (Or simply test if a string password matches the stored password.) Same questions for the DM password. Thanks!

I sense some very black magic happening in this thread... I do not see any reason for storing the password or hash of the password outside of FreeIPA. As you said, you have local root access to the IPA machine, you can then bind as Directory Manager and see or change any password.

1) Get fbar1's b64 encoded password hash:

    # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b 'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' userPassword

2) Forcefully change fbar1's password:

    # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket 'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' -s newpassword

Note that the user fbar1 will not be prompted for the new password as the password was changed by DM.

As Dmitri wrote, a safer and a better approach would be to have the script run as a special/system user with appropriate privilege, authenticated with a keytab. Such a user could then just call the ipa passwd FreeIPA command.

If you are interested in resetting the DM password, you can check:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Common_Usage-Resetting_Passwords.html
and
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

Martin
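Simo's advice earlier in the thread (check with a simple bind as the user, and only reset when the bind fails) and the root-over-LDAPI reset Martin shows above combine into one idempotent check-then-set step that never reads userPassword. The following is an added example and not code from puppet-ipa or FreeIPA. It assumes python-ldap is installed for the two real connectors, uses placeholder URIs (`LDAP_URI`, and the LDAPI socket path quoted in the thread), and takes the check and reset operations as callables so the decision logic can be exercised without a directory server.

```python
"""Idempotent password enforcement without reading userPassword.

Added example (not puppet-ipa or FreeIPA code). Assumptions:
  - python-ldap is installed (needed only by the two real connectors);
  - LDAP_URI / LDAPI_URI are placeholders for a real deployment;
  - the check is a plain simple bind as the user, the reset runs as local
    root over LDAPI with SASL/EXTERNAL, like the ldappasswd command in
    the thread.
"""
from typing import Callable

try:
    import ldap  # python-ldap
except ImportError:  # the decision logic below still works without it
    ldap = None

LDAP_URI = "ldaps://ipa.example.com"                           # placeholder
LDAPI_URI = "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket"  # socket path from the thread

CheckFn = Callable[[str, str], bool]
ResetFn = Callable[[str, str], None]


def bind_check(dn: str, password: str, uri: str = LDAP_URI) -> bool:
    """True iff `password` is the current password of `dn`.

    Only INVALID_CREDENTIALS maps to False. Anything else (server down,
    TLS failure, locked account) propagates, so an outage is never
    mistaken for a wrong password and answered with a reset.
    """
    conn = ldap.initialize(uri)
    try:
        conn.simple_bind_s(dn, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False
    finally:
        conn.unbind_s()


def root_reset(dn: str, new_password: str, uri: str = LDAPI_URI) -> None:
    """Reset `dn`'s password as local root via LDAPI + SASL/EXTERNAL,
    i.e. what `ldappasswd -Y EXTERNAL -H ldapi://... -s ...` does."""
    conn = ldap.initialize(uri)
    try:
        conn.sasl_external_bind_s()
        conn.passwd_s(dn, None, new_password)
    finally:
        conn.unbind_s()


def ensure_password(dn: str, wanted: str,
                    check: CheckFn = bind_check,
                    reset: ResetFn = root_reset) -> str:
    """Make sure `dn` can log in with `wanted`; return what was done.

    An empty password is rejected up front: an LDAP simple bind with an
    empty password is an anonymous bind and "succeeds", which would make
    the check report a match for any account.
    """
    if not wanted:
        raise ValueError("refusing to manage an empty password")
    if check(dn, wanted):
        return "unchanged"  # no hash read, no write performed
    reset(dn, wanted)
    return "reset"


if __name__ == "__main__":
    admin = "uid=admin,cn=users,cn=accounts,dc=example,dc=com"
    print(ensure_password(admin, "desired-admin-password"))
```

Because the check is a real authentication, it works whatever hash scheme the server stores, which is the point of Simo's suggestion. Two things to keep in mind when wiring this into a periodic agent: a failed bind counts toward FreeIPA's account lockout policy, so a manifest whose password lags the real one will burn lockout budget on every run, and the bind should go over LDAPS (or LDAPI as a local client) rather than plain LDAP so the candidate password is never sent in clear.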
Re: [Freeipa-devel] Consistent password hashing and lookups
On Mon, 12 May 2014, Martin Kosek wrote:
> On 05/12/2014 03:47 AM, James wrote:
>> On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal <d...@redhat.com> wrote:
>>> On 05/11/2014 06:31 PM, James wrote:
>>>> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>> This is scary. This means that you are expecting to have a hash being stored somewhere else outside the DS.
>>>> Haha, I agree! Actually, worse! I will have the plain text password stored somewhere outside the DS! Let me give you more background: I think this is an atrociously bad idea. However *everybody* stores password credentials poorly in puppet. So in order to do it properly, I've gone to great lengths to support something smarter for puppet-ipa. Most of the code is already done.
>>> Which module do you want me to look at? I am not going to review your whole project :-)
>> I just posted it for fun. I wasn't looking for a review, though! The technique is rather complicated, so I'm going to save it for a longer blog post write up when it's finished.
>>>> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
>>>> You'll be very pleased to know it doesn't do anything bad! BUT: I am still going to support the bad method of storing the actual password in puppet. Sad, but still used. So I do need to know how to do this bad thing, but if you look at my code, you'll see I'm doing something clever. Once it's all done and tested, I'll blog about it and announce the technique publicly.
>>>>> Can you describe the workflow? You want to be able to reset the admin password, right? How do you bind? Using same admin password? Or keytab?
>>>> I don't bind. I'm running as root on the free-ipa server.
>>> But to do an LDAP operation you still need to connect to LDAP. You can use LDAPI in this case but then you do not need to authenticate at all, I think in this case you should be able to overwrite the password without knowing the old one. I do not think we should promote bad and insecure practices around the security product. That defeats the purpose. I strongly suggest avoiding saving any password and resetting the existing password using local root. I think it is possible. If not we need to think about the proper way of solving your use case.
>> Agreed. Which is why I posted the feature branch early, to hopefully convince the ipa community that I'm going about the password stuff the right way. Anyways, back to the question: What commands can I use to look up the hash, and compute the hash? (Or simply test if a string password matches the stored password.) Same questions for the DM password. Thanks!
> I sense some very black magic happening in this thread... I do not see any reason for storing the password or hash of the password outside of FreeIPA. As you said, you have local root access to the IPA machine, you can then bind as Directory Manager and see or change any password.
> 1) Get fbar1's b64 encoded password hash:
> # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b 'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' userPassword
> 2) Forcefully change fbar1's password:
> # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket 'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' -s newpassword

s/ldapsearch/ldappasswd/

> Note that the user fbar1 will not be prompted for the new password as the password was changed by DM.
> As Dmitri wrote, a safer and a better approach would be to have the script run as a special/system user with appropriate privilege, authenticated with a keytab. Such a user could then just call the ipa passwd FreeIPA command.

I think the point here is that the puppet-ipa module is run by puppet under the root account already, so ldappasswd using ldapi with external auth under root is enough. Introducing another user when you are already root seems to be a bit overbloat in puppet's case.

-- / Alexander Bokovoy
Re: [Freeipa-devel] Consistent password hashing and lookups
On 05/12/2014 03:43 AM, Alexander Bokovoy wrote:
> On Mon, 12 May 2014, Martin Kosek wrote:
>> On 05/12/2014 03:47 AM, James wrote:
>>> On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>> On 05/11/2014 06:31 PM, James wrote:
>>>>> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>>> This is scary. This means that you are expecting to have a hash being stored somewhere else outside the DS.
>>>>> Haha, I agree! Actually, worse! I will have the plain text password stored somewhere outside the DS! Let me give you more background: I think this is an atrociously bad idea. However *everybody* stores password credentials poorly in puppet. So in order to do it properly, I've gone to great lengths to support something smarter for puppet-ipa. Most of the code is already done.
>>>> Which module do you want me to look at? I am not going to review your whole project :-)
>>> I just posted it for fun. I wasn't looking for a review, though! The technique is rather complicated, so I'm going to save it for a longer blog post write up when it's finished.
>>>>> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
>>>>> You'll be very pleased to know it doesn't do anything bad! BUT: I am still going to support the bad method of storing the actual password in puppet. Sad, but still used. So I do need to know how to do this bad thing, but if you look at my code, you'll see I'm doing something clever. Once it's all done and tested, I'll blog about it and announce the technique publicly.
>>>>>> Can you describe the workflow? You want to be able to reset the admin password, right? How do you bind? Using same admin password? Or keytab?
>>>>> I don't bind. I'm running as root on the free-ipa server.
>>>> But to do an LDAP operation you still need to connect to LDAP. You can use LDAPI in this case but then you do not need to authenticate at all, I think in this case you should be able to overwrite the password without knowing the old one. I do not think we should promote bad and insecure practices around the security product. That defeats the purpose. I strongly suggest avoiding saving any password and resetting the existing password using local root. I think it is possible. If not we need to think about the proper way of solving your use case.
>>> Agreed. Which is why I posted the feature branch early, to hopefully convince the ipa community that I'm going about the password stuff the right way. Anyways, back to the question: What commands can I use to look up the hash, and compute the hash? (Or simply test if a string password matches the stored password.) Same questions for the DM password. Thanks!
>> I sense some very black magic happening in this thread... I do not see any reason for storing the password or hash of the password outside of FreeIPA. As you said, you have local root access to the IPA machine, you can then bind as Directory Manager and see or change any password.
>> 1) Get fbar1's b64 encoded password hash:
>> # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b 'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' userPassword
>> 2) Forcefully change fbar1's password:
>> # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket 'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' -s newpassword
> s/ldapsearch/ldappasswd/
>> Note that the user fbar1 will not be prompted for the new password as the password was changed by DM.
>> As Dmitri wrote, a safer and a better approach would be to have the script run as a special/system user with appropriate privilege, authenticated with a keytab. Such a user could then just call the ipa passwd FreeIPA command.
> I think the point here is that the puppet-ipa module is run by puppet under the root account already, so ldappasswd using ldapi with external auth under root is enough. Introducing another user when you are already root seems to be a bit overbloat in puppet's case.

Yes and this was my point too.

If you have root you do not need to know the old password. You can just reset the current one to what you want.

-- Thank you, Dmitri Pal, Sr. Engineering Manager IdM portfolio, Red Hat, Inc.
Re: [Freeipa-devel] Consistent password hashing and lookups
On Mon, 2014-05-12 at 16:25 -0400, Dmitri Pal wrote:
> Yes and this was my point too.
> If you have root you do not need to know the old password. You can just reset the current one to what you want.

I agree with you. This isn't about functionality, it's about automating functionality. Puppet needs to know if the stored password matches the password it thinks is correct. Without this it would just try and run setpassword each run.

I will test Martin's command shortly :)

Cheers!
Re: [Freeipa-devel] Consistent password hashing and lookups
On Mon, 2014-05-12 at 09:11 +0200, Martin Kosek wrote:
> 1) Get fbar1's b64 encoded password hash:
> # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b 'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' userPassword

This seems to work great. I used user 'admin'. I assume this is the same admin user.

1) Is this command something that is stable for use in scripting, or is there a more machine-readable recommended way?

2) How can I compute/compare that hash to my password string? The password I selected is 'password'. :)

Thanks again!

Output is:

    [root@ipa ~]# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b 'uid=admin,cn=users,cn=accounts,dc=example,dc=com' userPassword
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base <uid=admin,cn=users,cn=accounts,dc=example,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: userPassword
    #

    # admin, users, accounts, example.com
    dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
    userPassword:: e1NTSEF9cjc0OGc3ZThnY1FsWVpwVFNqWU8yMDAreTF2WEZNRjVUSXBQV3c9PQ=
     =

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
    [root@ipa ~]#
Re: [Freeipa-devel] Consistent password hashing and lookups
On 05/12/2014 04:28 PM, James wrote:
> On Mon, 2014-05-12 at 16:25 -0400, Dmitri Pal wrote:
>> Yes and this was my point too.
>> If you have root you do not need to know the old password. You can just reset the current one to what you want.
> I agree with you. This isn't about functionality, it's about automating functionality. Puppet needs to know if the stored password matches the password it thinks is correct. Without this it would just try and run setpassword each run.
> I will test Martin's command shortly :)
> Cheers!

Is there any other attribute to look at? For example the timestamp when it was last set and base the update on that rather than on matching password values?

-- Thank you, Dmitri Pal, Sr. Engineering Manager IdM portfolio, Red Hat, Inc.
Re: [Freeipa-devel] Consistent password hashing and lookups
On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
> Is there any other attribute to look at? For example the timestamp when it was last set and base the update on that rather than on matching password values?

There are some other solutions, but they are less elegant or don't work consistently. (Eg: bad hacks)
Re: [Freeipa-devel] Consistent password hashing and lookups
On 05/12/2014 06:07 PM, James wrote:
> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
>> Is there any other attribute to look at? For example the timestamp when it was last set and base the update on that rather than on matching password values?
> There are some other solutions, but they are less elegant or don't work consistently. (Eg: bad hacks)

I would argue that comparing hashes is the worst hack ever. Can you create a file once you set a password to indicate that password is set?

Bottom line - I do not like the approach you are trying to implement and I do not want you to find a way to solve this problem by comparing hashes. It is not good security hygiene. I would rather suggest patches to puppet to address the issue properly than aid you on this path.

Sorry ;-)

-- Thank you, Dmitri Pal, Sr. Engineering Manager IdM portfolio, Red Hat, Inc.
[Freeipa-devel] Consistent password hashing and lookups
Hi #freeipa,

I'm working on improving my puppet-ipa module... One area I'm working on is better password management... In any case, here's the problem: I want to give the script the ability to change it. The easy way to do this is to compare what it is currently, to what it is set to. As I'm assuming it's hashed, you have to compare hashes, IOW:

    /usr/bin/test `hashed(somepass)` = `function_lookup_hash()`

Assuming the admin password is stored as a deterministic hash, I need two things:

1) To know how to run the hashing function manually (say from python)
2) To know how to lookup the stored hash manually (say from python)

Thanks to ab (#freeipa), I know how to set the admin password:

    # split by the periods!
    $domain_split = split("${valid_domain}", '\.')
    # add dc= to each array element
    $prefix = prefix($domain_split, 'dc=')
    $suffix = join($prefix, ',')    # eg: dc=example,dc=com
    $socket_realm = regsubst("${valid_realm}", '\.', '-', 'G')
    $ldapuri = "ldapi://%2fvar%2frun%2fslapd-${socket_realm}.socket"
    $admin_password_change = "/usr/bin/ldappasswd -Y EXTERNAL -s `${admin_password_exec}` -H ${ldapuri} uid=admin,cn=users,cn=accounts,${suffix}"

I also have the same question for the DM password, however I don't yet know how to set it. If someone has a script for that, I'd love that too!

Thanks again!
James
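James asks here, and again after pasting the ldapsearch output earlier in the thread, how to look up the stored hash and compare it with a password string from Python. As an added example that is not puppet-ipa or FreeIPA code, the block below parses the `userPassword::` value out of the LDIF that ldapsearch prints (`SAMPLE_LDIF` is a constructed cut-down copy of the output posted in the thread, including its folded continuation line) and verifies a candidate password only when the scheme is `{SSHA}`, the 389-ds layout of base64(sha1(password + salt) || salt). Any other scheme raises, which is exactly the fragility Simo points to: a check written against one hash scheme breaks the moment the server's default changes, whereas a bind does not.

```python
"""Read a userPassword value from ldapsearch LDIF output and verify a
candidate password against it when the scheme is {SSHA}.

Added example, not puppet-ipa or FreeIPA code. SAMPLE_LDIF is a
constructed cut-down copy of the output posted in the thread; the SSHA
layout (base64 of sha1(password + salt) followed by the salt) is the one
389-ds uses.
"""
import base64
import hashlib
import hmac
import re

SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
userPassword:: e1NTSEF9cjc0OGc3ZThnY1FsWVpwVFNqWU8yMDAreTF2WEZNRjVUSXBQV3c9PQ=
 =
"""

SHA1_LEN = 20  # bytes of digest that precede the salt in an SSHA value


def ldif_attribute(ldif: str, name: str) -> bytes:
    """Return the raw value of attribute `name` from an LDIF record.

    Handles LDIF line folding (a continuation line starts with one space)
    and the `::` form, which marks a base64-encoded value.
    """
    unfolded = re.sub(r"\n ", "", ldif)
    for line in unfolded.splitlines():
        if line.startswith(name + ":: "):
            return base64.b64decode(line[len(name) + 3:])
        if line.startswith(name + ": "):
            return line[len(name) + 2:].encode()
    raise KeyError(name)


def split_scheme(value: bytes):
    """b'{SSHA}abc' -> ('SSHA', b'abc'); (None, value) if no {scheme} prefix."""
    m = re.match(rb"\{([^}]+)\}(.*)", value, re.S)
    if not m:
        return None, value
    return m.group(1).decode(), m.group(2)


def describe(stored: bytes) -> dict:
    """Scheme name plus, for SSHA, the digest/salt split of the payload."""
    scheme, payload = split_scheme(stored)
    info = {"scheme": scheme}
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        info["digest_len"] = SHA1_LEN
        info["salt_len"] = len(raw) - SHA1_LEN
    return info


def make_ssha(password: str, salt: bytes) -> bytes:
    """Produce a 389-ds style {SSHA} value for a given salt (for tests)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify_ssha(stored: bytes, password: str) -> bool:
    """Constant-time check of `password` against an {SSHA} value.

    Raises ValueError for any other scheme: the comparison is bound to
    this one storage format, which is why a bind is the robust check.
    """
    scheme, payload = split_scheme(stored)
    if scheme != "SSHA":
        raise ValueError(f"unsupported scheme {scheme!r}; only SSHA is handled")
    raw = base64.b64decode(payload)
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ldif_attribute(SAMPLE_LDIF, "userPassword")
    print(stored.decode(), describe(stored))
    print(verify_ssha(stored, "password"))
```

`describe()` on the thread's value reports scheme SSHA with a 20-byte digest and an 8-byte salt, which is what the `{SSHA}` prefix and the 28 decoded bytes say; the comparison itself uses `hmac.compare_digest` so that an agent re-running the check on every interval does not leak timing information about the stored digest.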
Re: [Freeipa-devel] Consistent password hashing and lookups
On 05/11/2014 01:27 PM, James wrote:
> Hi #freeipa,
> I'm working on improving my puppet-ipa module... One area I'm working on is better password management... In any case, here's the problem: I want to give the script the ability to change it. The easy way to do this is to compare what it is currently, to what it is set to. As I'm assuming it's hashed, you have to compare hashes, IOW:
>     /usr/bin/test `hashed(somepass)` = `function_lookup_hash()`

This is scary. This means that you are expecting to have a hash being stored somewhere else outside the DS.

Can you describe the workflow? You want to be able to reset the admin password, right? How do you bind? Using same admin password? Or keytab?

> Assuming the admin password is stored as a deterministic hash, I need two things:
> 1) To know how to run the hashing function manually (say from python)
> 2) To know how to lookup the stored hash manually (say from python)
> Thanks to ab (#freeipa), I know how to set the admin password:
>     # split by the periods!
>     $domain_split = split("${valid_domain}", '\.')
>     # add dc= to each array element
>     $prefix = prefix($domain_split, 'dc=')
>     $suffix = join($prefix, ',')    # eg: dc=example,dc=com
>     $socket_realm = regsubst("${valid_realm}", '\.', '-', 'G')
>     $ldapuri = "ldapi://%2fvar%2frun%2fslapd-${socket_realm}.socket"
>     $admin_password_change = "/usr/bin/ldappasswd -Y EXTERNAL -s `${admin_password_exec}` -H ${ldapuri} uid=admin,cn=users,cn=accounts,${suffix}"
> I also have the same question for the DM password, however I don't yet know how to set it. If someone has a script for that, I'd love that too!
> Thanks again!
> James

-- Thank you, Dmitri Pal, Sr. Engineering Manager IdM portfolio, Red Hat, Inc.
Re: [Freeipa-devel] Consistent password hashing and lookups
On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <d...@redhat.com> wrote:
> This is scary. This means that you are expecting to have a hash being stored somewhere else outside the DS.

Haha, I agree! Actually, worse! I will have the plain text password stored somewhere outside the DS! Let me give you more background: I think this is an atrociously bad idea. However *everybody* stores password credentials poorly in puppet. So in order to do it properly, I've gone to great lengths to support something smarter for puppet-ipa. Most of the code is already done.

https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw

You'll be very pleased to know it doesn't do anything bad! BUT: I am still going to support the bad method of storing the actual password in puppet. Sad, but still used. So I do need to know how to do this bad thing, but if you look at my code, you'll see I'm doing something clever. Once it's all done and tested, I'll blog about it and announce the technique publicly.

> Can you describe the workflow? You want to be able to reset the admin password, right? How do you bind? Using same admin password? Or keytab?

I don't bind. I'm running as root on the free-ipa server.
Re: [Freeipa-devel] Consistent password hashing and lookups
On 05/11/2014 06:31 PM, James wrote:
> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <d...@redhat.com> wrote:
>> This is scary. This means that you are expecting to have a hash being stored somewhere else outside the DS.
> Haha, I agree! Actually, worse! I will have the plain text password stored somewhere outside the DS! Let me give you more background: I think this is an atrociously bad idea. However *everybody* stores password credentials poorly in puppet. So in order to do it properly, I've gone to great lengths to support something smarter for puppet-ipa. Most of the code is already done.

Which module do you want me to look at? I am not going to review your whole project :-)

> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
> You'll be very pleased to know it doesn't do anything bad! BUT: I am still going to support the bad method of storing the actual password in puppet. Sad, but still used. So I do need to know how to do this bad thing, but if you look at my code, you'll see I'm doing something clever. Once it's all done and tested, I'll blog about it and announce the technique publicly.
>> Can you describe the workflow? You want to be able to reset the admin password, right? How do you bind? Using same admin password? Or keytab?
> I don't bind. I'm running as root on the free-ipa server.

But to do an LDAP operation you still need to connect to LDAP. You can use LDAPI in this case but then you do not need to authenticate at all, I think in this case you should be able to overwrite the password without knowing the old one.

I do not think we should promote bad and insecure practices around the security product. That defeats the purpose.

I strongly suggest avoiding saving any password and resetting the existing password using local root. I think it is possible. If not we need to think about the proper way of solving your use case.

-- Thank you, Dmitri Pal, Sr. Engineering Manager IdM portfolio, Red Hat, Inc.
Re: [Freeipa-devel] Consistent password hashing and lookups
On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 05/11/2014 06:31 PM, James wrote:
>> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <d...@redhat.com> wrote:
>>> This is scary. This means that you are expecting to have a hash being stored somewhere else outside the DS.
>> Haha, I agree! Actually, worse! I will have the plain text password stored somewhere outside the DS! Let me give you more background: I think this is an atrociously bad idea. However *everybody* stores password credentials poorly in puppet. So in order to do it properly, I've gone to great lengths to support something smarter for puppet-ipa. Most of the code is already done.
> Which module do you want me to look at? I am not going to review your whole project :-)

I just posted it for fun. I wasn't looking for a review, though! The technique is rather complicated, so I'm going to save it for a longer blog post write up when it's finished.

>> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
>> You'll be very pleased to know it doesn't do anything bad! BUT: I am still going to support the bad method of storing the actual password in puppet. Sad, but still used. So I do need to know how to do this bad thing, but if you look at my code, you'll see I'm doing something clever. Once it's all done and tested, I'll blog about it and announce the technique publicly.
>>> Can you describe the workflow? You want to be able to reset the admin password, right? How do you bind? Using same admin password? Or keytab?
>> I don't bind. I'm running as root on the free-ipa server.
> But to do an LDAP operation you still need to connect to LDAP. You can use LDAPI in this case but then you do not need to authenticate at all, I think in this case you should be able to overwrite the password without knowing the old one. I do not think we should promote bad and insecure practices around the security product. That defeats the purpose. I strongly suggest avoiding saving any password and resetting the existing password using local root. I think it is possible. If not we need to think about the proper way of solving your use case.

Agreed. Which is why I posted the feature branch early, to hopefully convince the ipa community that I'm going about the password stuff the right way.

Anyways, back to the question: What commands can I use to look up the hash, and compute the hash? (Or simply test if a string password matches the stored password.) Same questions for the DM password.

Thanks!

> -- Thank you, Dmitri Pal, Sr. Engineering Manager IdM portfolio, Red Hat, Inc.