On 01/22/2015 01:47 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jorick Astrego" <j.astr...@netbulae.eu>
>> To: users@ovirt.org
>> Sent: Thursday, January 22, 2015 2:30:30 PM
>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>
>>>>>> Just a couple of addtions, please hash the password with SSHA (I really
>>>>>> hate
>>>>>> plain text admin passwords...)
>>>>>> I tried putting an {SSHA} encoded password in " vars.password =" , but
>>>>>> it
>>>>>> fails to authenticate while plain text works fine.
>>>>> I am unsure I understand.
>>>>> using hash to store password hint at server side makes sense.
>>>>> but using hash to store password at client side does not makes sens, this
>>>>> means that if I get the server database I can authenticate to any user
>>>>> without knowing his password.
>>>>>
>>>>> Also, please note that the user you specify within configuration should
>>>>> not
>>>>> have any special privilege but to query public objects within ldap.
>>>> I don't like storing plain text in textfiles, so I try to avoid it. Even
>>>> if it is a read only user there are no "public" objects that I like to
>>>> expose to anyone. I can query groups, group members, e-mail addresses,
>>>> krbPasswordExpiration, krbLastPwdChange etc. with this user.
>>>>
>>>> So that's why I try to have the bind user password hashed in the
>>>> properties file.
>>> as I wrote above, storing hash instead of password does not enhance
>>> security.
>>> it is the same as if you just set the user's password to the hash.
>> Ah yes, silly me. You are absolutely
>> right. It has been such a long
>> habit... But it does help when people intercept the traffic.
> No it is not... exactly the opposite... if the hash is sent it is actually
> weaker than password, as it has lower diversity.
> If you wish you can enable digest-MD5 and use SASL, but still you must store
> the plain password at client side.
>
>> Does the
>> ldap plugin send it hashed to the ldap server?
>>
>> I think FreeIPA supports salted sha512 but I'm not entirely sure.
>>
>> You'll probably say that I need to enable TLS, but there have been many
>> weaknesses in ssl and MITM issues. So more is always better in a
>> security perspective.
>>
> Using plain protocol will always be weaker than using TLS, even if you use
> digest-MD5, kerberos or any other challenge-response mechanism.
> As the password must be kept at client side no mater what protocol you use,
> using TLS and simple bind is the minimum you can have.
> I believe that TLS + simple bind is sufficient for most usages for a user
> that has no special access to information.
> From my experience enabling SASL does have its issues, but you may want to
> check it out if you do not trust TLS, but even if you use SASL, better to use
> it over TLS.
>
> Alon
Thanks for clarifying! So I was thought wrong all these years ago ;-)
Met vriendelijke groet, With kind regards,
Jorick Astrego
Netbulae Virtualization Experts
----------------
Tel: 053 20 30 270 i...@netbulae.eu Staalsteden 4-3A
KvK 08198180
Fax: 053 20 30 271 www.netbulae.eu 7547 TA Enschede
BTW NL821234584B01
----------------
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
