Bug 204626 (pwsyntaxhashedpwds)
Summary: | Password syntax checking is performed also on hashed values | |
---|---|---|---
Product: | [Retired] 389 | Reporter: | Michal Vocu <tucnacek>
Component: | Security - Password Policy | Assignee: | Nathan Kinder <nkinder>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Chandrasekar Kannan <ckannan>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 1.0.2 | CC: | benl, nkinder, rmeggins, yzhang
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | 8.1 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2009-04-29 22:59:06 UTC | Type: | ---
Bug Blocks: | 434915, 493682 | |
Description
Michal Vocu
2006-08-30 14:48:01 UTC
Seems like the right thing to do is to disallow storing hashed values if syntax checking is on, except for privileged users. Replication should be included among the privileged users, by default.

Created attachment 329220
CVS Diffs
This patch simply checks if a password is pre-hashed in the password syntax checking code. It will reject a pre-hashed password if syntax checking is enabled, with the exception of replicated operations and those initiated by the root DN.
Created attachment 329221
Revised Diffs
The previous diffs were still checking the password syntax of pre-hashed passwords that we allow. This adds the logic to skip the syntax check if the root DN or replication is providing a pre-hashed password.
Checked into ldapserver (HEAD). Thanks to Rich for his review!

Checking in ldap/servers/slapd/pw.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/pw.c,v <-- pw.c
new revision: 1.21; previous revision: 1.20
done

verified, bug closed

Test:
1. install DS and Console
2. set user "cn=directory manager"'s password to "redhat123", the hashed value is: {SSHA}PrcatfRQPNEmJZiquYv9ESZOvKnOvF+xQTFfNg==
3. launch console, login as "cn=directory manager"
4. setup password syntax "at least 5 digit"
5. create a user from console, set password to {SSHA}PrcatfRQPNEmJZiquYv9ESZOvKnOvF+xQTFfNg==
6. save the user
==> result: pass.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
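
The rule the two patch comments above describe (reject a pre-hashed password when syntax checking is on, unless the root DN or replication supplies it, and skip the syntax check for those sources), sketched as an added C example that is not the attached CVS diffs or the project's pw.c. The type and function names, the scheme list, and the single "minimum digits" rule are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* All names and the scheme list are hypothetical; this is not the patched pw.c. */
enum pw_verdict { PW_ACCEPT, PW_REJECT_PREHASHED, PW_REJECT_SYNTAX };

struct pw_request {
    const char *value;   /* userPassword value as submitted */
    bool is_root_dn;     /* operation bound as the root DN */
    bool is_replicated;  /* operation arrived through replication */
};

static const char *const schemes[] = { "SSHA", "SHA", "SMD5", "MD5", "CRYPT" };

/* True when value is "{SCHEME}data" with a known scheme and non-empty data. */
bool pw_is_prehashed(const char *value)
{
    const char *end = (value[0] == '{') ? strchr(value, '}') : NULL;
    size_t len, i, j;
    if (end == NULL || end[1] == '\0')
        return false;
    len = (size_t)(end - value) - 1;   /* length of the name between braces */
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        for (j = 0; j < len && toupper((unsigned char)value[1 + j]) == schemes[i][j]; j++)
            ;
        if (j == len && schemes[i][len] == '\0')
            return true;
    }
    return false;
}

/* Stand-in syntax rule (assumption): at least min_digits decimal digits. */
static bool has_min_digits(const char *s, int min_digits)
{
    int n = 0;
    for (; *s != '\0'; s++)
        n += isdigit((unsigned char)*s) ? 1 : 0;
    return n >= min_digits;
}

enum pw_verdict pw_check(const struct pw_request *r, bool syntax_on, int min_digits)
{
    if (!syntax_on)
        return PW_ACCEPT;
    if (pw_is_prehashed(r->value))  /* hash hides the cleartext: no syntax check */
        return (r->is_root_dn || r->is_replicated) ? PW_ACCEPT : PW_REJECT_PREHASHED;
    return has_min_digits(r->value, min_digits) ? PW_ACCEPT : PW_REJECT_SYNTAX;
}
```

With the hashed value from the verification steps and a five-digit rule, `pw_check` accepts the request from the root DN or from replication and returns `PW_REJECT_PREHASHED` for any other source.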