Bug 1425907
Summary: | [RFE] Harden default password storage scheme | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | mreynolds
Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi>
Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov>
Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe>
Priority: | unspecified | |
Version: | 7.4 | CC: | mreynolds, nkinder, rkratky, rmeggins, wibrown
Target Milestone: | rc | Keywords: | FutureFeature
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
URL: | http://www.port389.org/docs/389ds/design/pbkdf2.html | |
Whiteboard: | | |
Fixed In Version: | 389-ds-base-1.3.6.1-5.el7 | Doc Type: | Release Note
Doc Text: | (release note, below) | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2017-08-01 21:14:10 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1258613 | |
Bug Blocks: | | |

Doc Text:

Directory Server now uses the *SSHA_512* password storage scheme as default

Previously, Directory Server used the weak 160-bit salted secure hash algorithm (SSHA) as the default password storage scheme set in the "passwordStorageScheme" and "nsslapd-rootpwstoragescheme" parameters in the "cn=config" entry. To increase security, the default of both parameters has been changed to the strong 512-bit SSHA scheme (SSHA_512).

The new default is used:

* When performing new Directory Server installations.
* When the "passwordStorageScheme" parameter is not set, and you are updating passwords stored in "userPassword" attributes.
* When the "nsslapd-rootpwstoragescheme" parameter is not set, and you are updating the Directory Server manager password set in the "nsslapd-rootpw" attribute.
Description
mreynolds
2017-02-22 17:49:49 UTC
Fixed some minor mark-up and lang. oversights.

Build tested: 389-ds-base-1.3.6.1-13.el7.x86_64

Default values on a newly created instance:

```
$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 -b cn=config -s base nsslapd-rootpwstoragescheme passwordStorageScheme
dn: cn=config
nsslapd-rootpwstoragescheme: SSHA512
passwordStorageScheme: SSHA512
```

DM's password is hashed correctly with SSHA512:

```
$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 -b cn=config -o ldif-wrap=no -s base nsslapd-rootpw
dn: cn=config
nsslapd-rootpw: {SSHA512}Y1zlqxavRZb2ZOZFHV6orR7GNtbTqhfb0+itgkSkEGtV/qOgwsOBHzL5foVL5RIIwWzdbeL1EWJ93gLsu0uU/sZHo7fOUuPv
```

User's password is hashed correctly with SSHA512:

```
$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com -o ldif-wrap=no '(cn=tuser)' userPassword | un64ldif
dn: cn=tuser,dc=example,dc=com
userPassword: {SSHA512}O+5pFFILBlnLxJfBBHZTYvHtXSAa/kBUDg7+yEwPh76KwX+EOJPRD5z0o9j958GCvwXu5ddhjnvNyunYD8Tv95wQnaF6Qwq+
```

Automated test also passes:

```
========================================================== test session starts ==========================================================
platform linux2 -- Python 2.7.5, pytest-3.0.7, py-1.4.33, pluggy-0.4.0
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-663.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.33', 'pytest': '3.0.7', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.5.1', 'metadata': '1.5.0'}}
DS build: 1.3.6.1
389-ds-base: 1.3.6.1-13.el7
nss: 3.28.4-6.el7
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.44-4.el7
svrcore: 4.1.3-2.el7
rootdir: /export/tests, inifile:
plugins: metadata-1.5.0, html-1.14.2, cov-2.5.1, beakerlib-0.7.1
collected 1 items

suites/password/pwd_algo_test.py .

======================================================= 1 passed in 7.31 seconds ========================================================
```

Marking as VERIFIED.
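The stored values shown above are `{SSHA512}` followed by base64(SHA-512(password || salt) || salt) with an 8-byte salt (the 96 base64 characters decode to 64 + 8 bytes). As an added example that is not code from this bug or from 389-ds, the Python below parses and verifies that format and lists the entries of an LDIF export that still carry a `{SSHA}` hash, which is worth checking because, per the Doc Text, the new default only takes effect when a password is updated, so existing entries keep their old hash until then. The DNs, passwords and LDIF lines in `SAMPLE_LDIF` are constructed.

```python
import base64
import hashlib
import hmac
import os

# Salted-SHA schemes 389-ds stores as {SCHEME}base64(digest || salt).
SCHEMES = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256,
           "SSHA384": hashlib.sha384, "SSHA512": hashlib.sha512}

def parse_hash(value):
    """Split '{SCHEME}base64' into (scheme, digest, salt): the digest length
    is fixed by the scheme, the bytes after it are the salt (8 in 389-ds)."""
    scheme, sep, b64 = value[1:].partition("}")
    scheme = scheme.upper()
    if not (value.startswith("{") and sep and scheme in SCHEMES):
        raise ValueError("not a supported {SCHEME} password value")
    blob, dlen = base64.b64decode(b64), SCHEMES[scheme]().digest_size
    if len(blob) <= dlen:
        raise ValueError("value too short to hold digest and salt")
    return scheme, blob[:dlen], blob[dlen:]

def make_hash(password, scheme="SSHA512", salt=None):
    salt = os.urandom(8) if salt is None else salt  # 389-ds uses an 8-byte salt
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()  # SHA(pw || salt)
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def verify_password(value, password):
    scheme, digest, salt = parse_hash(value)
    calc = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)  # constant-time compare

def weak_entries(ldif_lines):
    """DNs whose userPassword still uses the 160-bit SSHA this bug retires."""
    weak, dn = [], None
    for line in ldif_lines:
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:"):
            raw = line.split(":", 1)[1].strip()  # a leading ':' marks LDIF base64
            value = base64.b64decode(raw[1:]).decode() if raw.startswith(":") else raw
            if parse_hash(value)[0] == "SSHA":
                weak.append(dn)
    return weak

# Constructed sample export: one entry on the old default, one on the new.
SAMPLE_LDIF = ["dn: uid=old,dc=example,dc=com", "userPassword: " + make_hash("pw1", "SSHA"),
               "dn: uid=new,dc=example,dc=com",
               "userPassword:: " + base64.b64encode(make_hash("pw2").encode()).decode()]
```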
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2086