On 15.1.2014 20:10, Rich Megginson wrote:
On 01/15/2014 11:51 AM, Richard Mixon wrote:
> Nathan/Rich,
>
> Thank you both for the responses.
>
> We are using the 389 Directory Server for a pretty isolated situation -
> authentication/authorization for external users on an "extranet" type portal
> website (it integrates pieces of several different web applications).
>
> We don't really envision (famous last words, I know) using it on a broader
> basis.
>
> Rich, I can understand why the pre-hashed passwords cause a lot of
> integration points to break. Is there a good alternative that still makes
> cracking your passwords prohibitively expensive?
Well, actually, yes - don't use passwords - use client certificate based
authentication . . .
SASL/GSSAPI is the most flexible option. Teach your applications SASL and you can use any of
http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer#SAS...
Naturally, some of them have the same problem with plaintext passwords but
others do not (like GSSAPI - e.g. Kerberos).
Petr^2 Spacek
> Nathan, I have a background in C, but do mostly Java these days. I will take
> a look at ticket 397 and get back to you if it's something I could work on.
> Can you provide me the pointers you were referring to?
>
> Thank you - Richard
>
>
>
> On Wed, Jan 15, 2014 at 11:25 AM, Rich Megginson <rmeggins(a)redhat.com
> <mailto:rmeggins@redhat.com>> wrote:
>
> On 01/15/2014 10:38 AM, Richard Mixon wrote:
>> During the bind process is there anyway to tell 389 directory
>> server to hash a plaintext password n (multiple) times before
>> trying to compare to what is stored?
>>
>> I am trying to implement something similar to what's described in
>> this article:
>>
>> http://www.stormpath.com/blog/strong-password-hashing-apache-shiro
>>
>> Our plan was to use SSHA256 to hash the passwords around
>> 200,000 times before storing. This would at least slow down any
>> cracking attempts should someone get access to our directory.
>>
>> I've read through the documentation on the Red Hat Directory
>> Server site, including the "Plug-in Guide". Under "5.8 Checking
>> Passwords" it refers to calling function "slapi_pw_find_sv()" -
>> looking at the doc for this function it does not look like
>> hashing multiple times is supported.
>>
>> Is there some means of doing this that is not obvious to me?
>
> No.
>
>>
>> I can certainly do it by re-writing the security plugins for the
>> various servers (Tomcat, PHP Wordpress, etc) such that they hash
>> the plaintext password n minus 1 times before issuing the bind -
>> but was hoping not to do that.
>
> Use of pre-hashed passwords is strongly discouraged and will break
> things like sasl and replication.
>
> Does this have anything to do with
>
> https://fedorahosted.org/389/ticket/397?
>
>>
>> I'm relatively new to 389 directory server, but so far quite
>> happy to have moved to it from another directory server.
>>
>> Thank you - Richard
>>
>> -- Richard Mixon
--
Petr^2 Spacek
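An added illustration (not code from the thread or from 389 DS) of what Richard's question is about: the conventional {SSHA256} userPassword layout, base64(sha256(password || salt) || salt), beside a stretched variant that re-hashes the digest the requested number of rounds. The 8-byte salt length and the prefix handling are assumptions; 389 DS does not implement the stretched variant, and the round count is not stored in the value, so the server would have to know it from its own configuration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 8          # assumption: 8-byte salt, as 389 DS uses for {SSHA*}
PREFIX = "{SSHA256}"  # standard LDAP scheme tag
DIGEST_LEN = 32       # sha256 output size; salt is whatever follows it


def ssha256_store(password: str, salt: Optional[bytes] = None, rounds: int = 1) -> str:
    """Produce a {SSHA256} userPassword value.

    rounds=1 is the conventional scheme: base64(sha256(pw||salt) || salt).
    rounds>1 is the stretched variant the thread asks about (constructed
    illustration): the digest is re-hashed with the salt rounds-1 more times,
    so an offline guess costs rounds hash operations instead of one.
    """
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password: str, stored: str, rounds: int = 1) -> bool:
    """Check a plaintext bind password against a stored {SSHA256} value.

    The salt is recovered from the stored value; the round count must match
    what the server used when storing (here a parameter, i.e. server config).
    """
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except (ValueError, base64.binascii.Error):
        return False
    if len(raw) <= DIGEST_LEN:
        return False  # no salt present: malformed value, never a match
    salt = raw[DIGEST_LEN:]
    candidate = ssha256_store(password, salt, rounds)
    # constant-time comparison so the check itself does not leak bytes
    return hmac.compare_digest(candidate, stored)
```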