<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 01/15/2014 10:38 AM, Richard Mixon
wrote:<br>
</div>
<blockquote
cite="mid:CAG39G0SKenO2P-TcxORS9AqgZb=2Grsy3GZHbzWWLtSc8fb6Tw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>During the bind process is there anyway to tell 389
directory server to hash a plaintext password n (multiple)
times before trying to compare to what is stored?<br>
<br>
I am trying to implement something similar to what's described
in this article:<br>
<a moz-do-not-send="true"
href="http://www.stormpath.com/blog/strong-password-hashing-apache-shiro">http://www.stormpath.com/blog/strong-password-hashing-apache-shiro</a><br>
</div>
<div><br>
Our plan was to to use SSHA256 to hash the passwords around
200,000 times before storing. This would at least slow down
any cracking attempts should someone get access to our
directory.<br clear="all">
</div>
<div><br>
</div>
<div>I've read through the documentation on the Red Hat
Directory Server site, including the "Plug-in Guide". Under
"5.8 Checking Passwords" it refers to calling function
"slapi_pw_find_sv()" - looking at the doc for this function it
does not look like hashing multiple times is supported.<br>
<br>
</div>
<div>Is there some means of doing this that is not obvious to
me?<br>
</div>
</div>
</blockquote>
<br>
No.<br>
<blockquote
cite="mid:CAG39G0SKenO2P-TcxORS9AqgZb=2Grsy3GZHbzWWLtSc8fb6Tw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
I can certainly do it by re-writing the security plugins for
the various servers (Tomcat, PHP Wordpress, etc) such that
they hash the plaintext password n minus 1 times before
issuing the bind - but was hoping not to do that.<br>
</div>
</div>
</blockquote>
<br>
Use of pre-hashed passwords is strongly discouraged and will break
things like sasl and replication.<br>
<br>
Does this have anything to do with
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/389/ticket/397">https://fedorahosted.org/389/ticket/397</a>?<br>
<br>
<blockquote
cite="mid:CAG39G0SKenO2P-TcxORS9AqgZb=2Grsy3GZHbzWWLtSc8fb6Tw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
</div>
<div><br>
I'm relatively new to 389 directory server, but so far quite
happy to have moved to it from another directory server.<br>
</div>
<div><br>
</div>
<div>Thank you - Richard<br>
</div>
<div><br>
-- <br>
Richard Mixon<br>
Custom Computer Creations, L.L.C.<br>
mobile: (480) 577-6834 office: (480) 614-3442<br>
email: <a class="moz-txt-link-abbreviated" href="mailto:rnmixon@CustCo.biz">rnmixon@CustCo.biz</a> <mailto:<a moz-do-not-send="true"
href="mailto:rnmixon@CustCo.biz">rnmixon@CustCo.biz</a>>
<br>
Microsoft Partner ID: 1263725 <br>
The messages and documents transmitted with this notice
contain confidential information belonging to the sender. If
you are not the intended recipient of this information, you
are hereby notified that any disclosure, copying, distribution
or use of the information is strictly prohibited. If you have
received this transmission in error, please notify the sender
immediately.
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
<br>
</body>
</html>