[389-users] How to specify number of hashing iterations for a password

Rich Megginson rmeggins at redhat.com
Wed Jan 15 18:25:20 UTC 2014


On 01/15/2014 10:38 AM, Richard Mixon wrote:
> During the bind process is there anyway to tell 389 directory server 
> to hash a plaintext password n (multiple) times before trying to 
> compare to what is stored?
>
> I am trying to implement something similar to what's described in this 
> article:
> http://www.stormpath.com/blog/strong-password-hashing-apache-shiro
>
> Our plan was to use SSHA256 to hash the passwords around 200,000 
> times before storing. This would at least slow down any cracking 
> attempts should someone get access to our directory.
>
> I've read through the documentation on the Red Hat Directory Server 
> site, including the "Plug-in Guide". Under "5.8 Checking Passwords" it 
> refers to calling function "slapi_pw_find_sv()" - looking at the doc 
> for this function it does not look like hashing multiple times is 
> supported.
>
> Is there some means of doing this that is not obvious to me?

No.
>
> I can certainly do it by re-writing the security plugins for the 
> various servers (Tomcat, PHP Wordpress, etc) such that they hash the 
> plaintext password n minus 1 times before issuing the bind - but was 
> hoping not to do that.

Use of pre-hashed passwords is strongly discouraged and will break 
things like sasl and replication.

Does this have anything to do with https://fedorahosted.org/389/ticket/397?

>
> I'm relatively new to 389 directory server, but so far quite happy to 
> have moved to it from another directory server.
>
> Thank you - Richard
>
> -- 
> Richard Mixon
> Custom Computer Creations, L.L.C.
> mobile: (480) 577-6834 office: (480) 614-3442
> email: rnmixon at CustCo.biz
> Microsoft Partner ID: 1263725
>
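An added example, not code from the thread or from the 389 project, contrasting the two approaches discussed above: single-pass salted SHA-256 in the {SSHA256} userPassword layout, server-side iterated hashing (PBKDF2-HMAC-SHA256 at the 200,000 iterations Richard proposes), and the client-side "hash n-1 times before binding" workaround. The {X-PBKDF2-SHA256} tag, the dollar-separated storage string and the sample password are constructed for this example only and are not a 389 storage scheme. The last function shows why the reply discourages pre-hashed passwords: the server cannot distinguish the pre-hash from a password, so the intermediate value becomes the credential and anything that needs the real secret (SASL, as the reply notes) stops working.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values; nothing here is taken from a real directory.
SAMPLE_PASSWORD = b"correct horse battery staple"
ITERATIONS = 200_000                 # the count proposed in the thread
_SSHA256_TAG = "{SSHA256}"
_PBKDF2_TAG = "{X-PBKDF2-SHA256}"    # hypothetical tag for this example only


def ssha256_store(password: bytes, salt: Optional[bytes] = None) -> str:
    """Single-pass salted SHA-256 in the {SSHA256} userPassword layout:
    base64(sha256(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(password + salt).digest()
    return _SSHA256_TAG + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password: bytes, stored: str) -> bool:
    """Recompute the digest with the stored salt; constant-time compare."""
    if not stored.startswith(_SSHA256_TAG):
        return False
    raw = base64.b64decode(stored[len(_SSHA256_TAG):])
    digest, salt = raw[:32], raw[32:]
    return hmac.compare_digest(hashlib.sha256(password + salt).digest(), digest)


def pbkdf2_store(password: bytes, iterations: int = ITERATIONS,
                 salt: Optional[bytes] = None) -> str:
    """Iterated hashing done on the server side (PBKDF2-HMAC-SHA256).
    The iteration count is stored next to the salt so it can be raised
    later without breaking existing entries."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return "$".join([_PBKDF2_TAG, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def pbkdf2_verify(password: bytes, stored: str) -> bool:
    """Parse tag$iterations$salt$dk and re-derive with the stored parameters."""
    try:
        tag, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if tag != _PBKDF2_TAG:
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password, salt, int(iters), len(expected))
    return hmac.compare_digest(actual, expected)


def verify(password: bytes, stored: str) -> bool:
    """Dispatch on the scheme tag the way a server does, so both schemes can
    coexist while entries are re-hashed on their next successful bind."""
    if stored.startswith(_PBKDF2_TAG):
        return pbkdf2_verify(password, stored)
    return ssha256_verify(password, stored)


def client_prehash(password: bytes, rounds: int) -> bytes:
    """The workaround considered in the thread: the client applies SHA-256
    `rounds` times and sends the result as the bind password.  The server
    stores and checks this value like any other password, so the pre-hash is
    itself a full credential wherever it is stored or transmitted, and
    mechanisms that need the original secret no longer work."""
    value = password
    for _ in range(rounds):
        value = hashlib.sha256(value).digest()
    return value


if __name__ == "__main__":
    import time
    entries = (("SSHA256", ssha256_store(SAMPLE_PASSWORD)),
               ("PBKDF2 x200000", pbkdf2_store(SAMPLE_PASSWORD)))
    for label, entry in entries:
        t0 = time.perf_counter()
        ok = verify(SAMPLE_PASSWORD, entry)
        print(f"{label}: ok={ok}, one verify took {time.perf_counter() - t0:.4f}s")
    # The pre-hash alone verifies against an entry created from it.
    prehash = client_prehash(SAMPLE_PASSWORD, ITERATIONS - 1)
    print("pre-hash is password-equivalent:",
          verify(prehash, ssha256_store(prehash)))
```

Running it shows the per-guess cost difference between the two server-side schemes (the iterated verify takes on the order of a tenth of a second per attempt on typical hardware, the single-pass one is effectively instantaneous) and that the pre-hashed value binds successfully on its own.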
