Bug 1425907

Summary: [RFE] Harden default password storage scheme
Product: Red Hat Enterprise Linux 7
Reporter: mreynolds
Component: 389-ds-base
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 7.4
CC: mreynolds, nkinder, rkratky, rmeggins, wibrown
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: http://www.port389.org/docs/389ds/design/pbkdf2.html
Whiteboard:
Fixed In Version: 389-ds-base-1.3.6.1-5.el7
Doc Type: Release Note
Doc Text:
Directory Server now uses the *SSHA_512* password storage scheme as default. Previously, Directory Server used the weak 160-bit salted secure hash algorithm (SSHA) as the default password storage scheme set in the "passwordStorageScheme" and "nsslapd-rootpwstoragescheme" parameters in the "cn=config" entry. To increase security, the default of both parameters has been changed to the strong 512-bit SSHA scheme (SSHA_512). The new default is used:
* When performing new Directory Server installations.
* When the "passwordStorageScheme" parameter is not set, and you are updating passwords stored in "userPassword" attributes.
* When the "nsslapd-rootpwstoragescheme" parameter is not set, and you are updating the Directory Server manager password set in the "nsslapd-rootpw" attribute.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 21:14:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1258613
Bug Blocks:

Description mreynolds 2017-02-22 17:49:49 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49144

#### Issue Description

Need to update the default password storage scheme

Comment 8 Robert Krátký 2017-04-24 09:42:25 UTC
Fixed some minor mark-up and lang. oversights.

Comment 9 Viktor Ashirov 2017-05-16 14:40:14 UTC
Build tested:
389-ds-base-1.3.6.1-13.el7.x86_64

Default values on a newly created instance:
$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123  -b cn=config  -s base nsslapd-rootpwstoragescheme  passwordStorageScheme
dn: cn=config
nsslapd-rootpwstoragescheme: SSHA512
passwordStorageScheme: SSHA512

DM's password is hashed correctly with SSHA512:

$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123  -b cn=config -o ldif-wrap=no -s base nsslapd-rootpw 
dn: cn=config
nsslapd-rootpw: {SSHA512}Y1zlqxavRZb2ZOZFHV6orR7GNtbTqhfb0+itgkSkEGtV/qOgwsOBHzL5foVL5RIIwWzdbeL1EWJ93gLsu0uU/sZHo7fOUuPv

User's password is hashed correctly with SSHA512:

$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123  -b dc=example,dc=com -o ldif-wrap=no '(cn=tuser)' userPassword | un64ldif 
dn: cn=tuser,dc=example,dc=com
userPassword: {SSHA512}O+5pFFILBlnLxJfBBHZTYvHtXSAa/kBUDg7+yEwPh76KwX+EOJPRD5z0o9j958GCvwXu5ddhjnvNyunYD8Tv95wQnaF6Qwq+

Automated test also passes:

========================================================== test session starts ==========================================================
platform linux2 -- Python 2.7.5, pytest-3.0.7, py-1.4.33, pluggy-0.4.0
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-663.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.33', 'pytest': '3.0.7', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.5.1', 'metadata': '1.5.0'}}
DS build: 1.3.6.1
389-ds-base: 1.3.6.1-13.el7
nss: 3.28.4-6.el7
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.44-4.el7
svrcore: 4.1.3-2.el7

rootdir: /export/tests, inifile:
plugins: metadata-1.5.0, html-1.14.2, cov-2.5.1, beakerlib-0.7.1
collected 1 items 

suites/password/pwd_algo_test.py .

======================================================= 1 passed in 7.31 seconds ========================================================

Marking as VERIFIED.
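The verification above reads the scheme tag off the stored values by eye. As an added example (not part of the bug report or of 389-ds-base itself), the script below does the same check programmatically: it parses a `{SCHEME}base64` value as 389-ds stores salted SHA schemes (base64 of digest followed by an 8-byte salt), reports whether the scheme meets the new SSHA512 default, and verifies a candidate password against the stored value in constant time. The scheme table, the 8-byte salt length and the sample password are assumptions made here; the `userPassword` value in the demo is the one printed in comment 9, used only to show that it parses as a 64-byte SHA-512 digest plus an 8-byte salt.

```python
import base64
import hashlib
import hmac
import os

# Assumed here: scheme tag -> (hashlib algorithm name, digest length in bytes).
# SSHA is the old 160-bit default this bug replaces; SSHA512 is the new one.
SCHEMES = {
    "SSHA": ("sha1", 20),
    "SSHA256": ("sha256", 32),
    "SSHA384": ("sha384", 48),
    "SSHA512": ("sha512", 64),
}

# Assumed salt length for the salted SHA schemes.
SALT_LEN = 8


def parse_stored_password(value):
    """Split a '{SCHEME}base64' value into (scheme, digest, salt).

    The base64 payload is digest || salt, so the digest length of the
    scheme tells us where the salt starts.
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError("value carries no {SCHEME} tag")
    scheme, b64 = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(b64)
    _, digest_len = SCHEMES[scheme]
    if len(raw) <= digest_len:
        raise ValueError("payload too short for " + scheme)
    return scheme, raw[:digest_len], raw[digest_len:]


def hash_password(password, scheme="SSHA512", salt=None):
    """Produce a stored value the way a salted SHA scheme lays it out."""
    algo, _ = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(password, stored):
    """Recompute the digest with the stored salt; compare in constant time."""
    scheme, digest, salt = parse_stored_password(stored)
    algo, _ = SCHEMES[scheme]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_hardened(stored, minimum="SSHA512"):
    """True when the stored value's scheme is at least as strong as `minimum`
    (judged by digest length, which is what the release note's 160 vs 512 bits
    refers to). Useful for auditing entries written before the default changed."""
    scheme, _, _ = parse_stored_password(stored)
    return SCHEMES[scheme][1] >= SCHEMES[minimum][1]


if __name__ == "__main__":
    # Value taken from comment 9 above (user tuser), parse only.
    from_bug = ("{SSHA512}O+5pFFILBlnLxJfBBHZTYvHtXSAa/kBUDg7+yEwPh76KwX+EOJPRD5z0o9j958GC"
                "vwXu5ddhjnvNyunYD8Tv95wQnaF6Qwq+")
    scheme, digest, salt = parse_stored_password(from_bug)
    print(scheme, len(digest), len(salt), is_hardened(from_bug))

    # Constructed sample: old default beside the new one, same password.
    weak = hash_password("Secret123", scheme="SSHA")
    strong = hash_password("Secret123")
    for v in (weak, strong):
        print(v[:12], "hardened:", is_hardened(v), "verifies:", verify_password("Secret123", v))
```

Running it over an LDIF export (one `userPassword` per entry) gives a quick inventory of which accounts still carry a pre-change `{SSHA}` value; those are rehashed only when the user next changes their password, since the server cannot upgrade a one-way hash on its own.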

Comment 10 errata-xmlrpc 2017-08-01 21:14:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086