Bug 2114039
Summary: | Current pbkdf2 hardcoded parameters are no longer secure | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | mreynolds |
Component: | 389-ds-base | Assignee: | mreynolds |
Status: | CLOSED ERRATA | QA Contact: | LDAP QA Team <idm-ds-qe-bugs> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 9.1 | CC: | bsmejkal, idm-ds-dev-bugs, pasik, spichugi |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | 9.2 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | sync-to-jira | ||
Fixed In Version: | 389-ds-base-2.2.4-3.el9 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2023-05-09 07:41:32 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
mreynolds
2022-08-02 15:50:38 UTC
The build is tested for both FIPS and non-FIPS mods. Manually (Password Storage Scheme is used - PBKDF2-SHA512): # pwdhash SecretPassword389;: {PBKDF2-SHA512}10000$tg5S0X/NZNHNN8lwEhc4nBxGqgfVSw46$xVb1pYxhuaIGDyfr5+7KEI3pqvMMmKfwrIiC421Vl1bLcAm1PGILyr1Rn77RnZkTbXpxGWEdgK+c+fznmuDlcA== And with the related CI tests: ===================================================================================== test session starts ===================================================================================== platform linux -- Python 3.9.16, pytest-5.4.3, py-1.11.0, pluggy-0.13.1 -- /usr/bin/python3 cachedir: .pytest_cache metadata: {'Python': '3.9.16', 'Platform': 'Linux-5.14.0-241.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '5.4.3', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '2.0.4', 'html': '3.2.0', 'libfaketime': '0.1.2', 'flaky': '3.7.0'}} 389-ds-base: 2.2.4-3.el9 nss: 3.79.0-14.el9_0 nspr: 4.34.0-14.el9_0 openldap: 2.6.2-3.el9 cyrus-sasl: 2.1.27-21.el9 FIPS: disabled rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests, inifile: pytest.ini plugins: metadata-2.0.4, html-3.2.0, libfaketime-0.1.2, flaky-3.7.0 collected 49 items healthcheck/health_security_test.py::test_healthcheck_insecure_pwd_hash_configured PASSED [ 2%] password/pbkdf2_upgrade_plugin_test.py::test_pbkdf2_upgrade PASSED [ 4%] password/pwd_algo_test.py::test_pwd_algo_test[CLEAR] PASSED [ 6%] password/pwd_algo_test.py::test_pwd_algo_test[CRYPT] PASSED [ 8%] password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-MD5] PASSED [ 10%] password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA256] PASSED [ 12%] password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA512] PASSED [ 14%] password/pwd_algo_test.py::test_pwd_algo_test[MD5] PASSED [ 16%] password/pwd_algo_test.py::test_pwd_algo_test[SHA] PASSED [ 18%] password/pwd_algo_test.py::test_pwd_algo_test[SHA256] PASSED [ 20%] password/pwd_algo_test.py::test_pwd_algo_test[SHA384] PASSED [ 22%] password/pwd_algo_test.py::test_pwd_algo_test[SHA512] PASSED [ 24%] password/pwd_algo_test.py::test_pwd_algo_test[SMD5] PASSED [ 26%] password/pwd_algo_test.py::test_pwd_algo_test[SSHA] PASSED [ 28%] password/pwd_algo_test.py::test_pwd_algo_test[SSHA256] PASSED [ 30%] password/pwd_algo_test.py::test_pwd_algo_test[SSHA384] PASSED [ 32%] password/pwd_algo_test.py::test_pwd_algo_test[SSHA512] PASSED [ 34%] password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2_SHA256] PASSED [ 36%] password/pwd_algo_test.py::test_pwd_algo_test[DEFAULT] PASSED [ 38%] password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA1] PASSED [ 40%] password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA256] PASSED [ 42%] password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA512] PASSED [ 44%] password/pwd_algo_test.py::test_pwd_algo_test[GOST_YESCRYPT] PASSED [ 46%] password/pwd_algo_test.py::test_pbkdf2_algo PASSED [ 48%] password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade PASSED [ 51%] password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_clearcrypt PASSED [ 53%] password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_disable PASSED [ 55%] password/pwp_test.py::test_passwordchange_to_no PASSED [ 57%] password/pwp_test.py::test_password_check_syntax PASSED [ 59%] password/pwp_test.py::test_too_big_password PASSED [ 61%] password/pwp_test.py::test_pwminage PASSED [ 63%] password/pwp_test.py::test_invalid_credentials PASSED [ 65%] password/pwp_test.py::test_expiration_date PASSED [ 67%] password/pwp_test.py::test_passwordlockout PASSED [ 69%] pwp_storage/storage_test.py::test_check_password_scheme[CRYPT] PASSED [ 71%] pwp_storage/storage_test.py::test_check_password_scheme[SHA] PASSED [ 73%] pwp_storage/storage_test.py::test_check_password_scheme[SSHA] PASSED [ 75%] pwp_storage/storage_test.py::test_check_password_scheme[SHA256] PASSED [ 77%] pwp_storage/storage_test.py::test_check_password_scheme[SSHA256] PASSED [ 79%] pwp_storage/storage_test.py::test_check_password_scheme[SHA384] PASSED [ 81%] pwp_storage/storage_test.py::test_check_password_scheme[SSHA384] PASSED [ 83%] pwp_storage/storage_test.py::test_check_password_scheme[SHA512] PASSED [ 85%] pwp_storage/storage_test.py::test_check_password_scheme[SSHA512] PASSED [ 87%] pwp_storage/storage_test.py::test_check_password_scheme[MD5] PASSED [ 89%] pwp_storage/storage_test.py::test_check_password_scheme[PBKDF2_SHA256] PASSED [ 91%] pwp_storage/storage_test.py::test_clear_scheme PASSED [ 93%] pwp_storage/storage_test.py::test_check_two_scheme PASSED [ 95%] pwp_storage/storage_test.py::test_check_pbkdf2_sha256 PASSED [ 97%] pwp_storage/storage_test.py::test_check_ssha512 PASSED [100%] ========================================================================= 49 passed in 185.04s (0:03:05) ========================================================================= Marking as Verified: Tested. As per comment #c5, marking as VERIFIED. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (389-ds-base bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2274 |