Bug 1570782
Summary: | CRYPT, CRYPT-MD5 and PBKDF2_SHA256 are not accepted as password storage schemes in FIPS mode | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Viktor Ashirov <vashirov> |
Component: | 389-ds-base | Assignee: | mreynolds |
Status: | CLOSED NOTABUG | QA Contact: | Viktor Ashirov <vashirov> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.5 | CC: | nkinder, rmeggins |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-04-23 13:36:33 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Viktor Ashirov
2018-04-23 12:08:12 UTC
I know FIPS does NOT support PBKDF2, and it looks like its not supporting CRYPT either. So perhaps this a doc bug? CRYPT-SHA256 and CRYPT-SHA512 are accepted though. If that's not a bug, then we'll update the tests to check if we're running in FIPS mode. (In reply to Viktor Ashirov from comment #2) > CRYPT-SHA256 and CRYPT-SHA512 are accepted though. If that's not a bug, then > we'll update the tests to check if we're running in FIPS mode. I know FIPS does not accept weak hashing algos. So maybe that's why CRYPT-SHA256 and CRYPT-SHA512 work, but the other CRYPTs are not. PBKDF2 I think it just too new and FIPS has not caught up with it yet (I know its officially not supported). I'll ask the security guys to confirm the CRYPT issues though. Okay so looking at the FIPS docs https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf I think this explains the behavior. We support SHA256 & SHA512 - and that's why FIPS supports CRYPT-"SHA256", etc, but not CRYPT-"MD5". Makes sense, thanks Mark! Closing as NOTABUG. |