Bug 2114039
| Summary: | Current pbkdf2 hardcoded parameters are no longer secure | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | mreynolds |
| Component: | 389-ds-base | Assignee: | mreynolds |
| Status: | CLOSED ERRATA | QA Contact: | LDAP QA Team <idm-ds-qe-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.1 | CC: | bsmejkal, idm-ds-dev-bugs, pasik, spichugi |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 9.2 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | sync-to-jira | ||
| Fixed In Version: | 389-ds-base-2.2.4-3.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-09 07:41:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
mreynolds
2022-08-02 15:50:38 UTC
The build is tested for both FIPS and non-FIPS mods.
Manually (Password Storage Scheme is used - PBKDF2-SHA512):
# pwdhash SecretPassword389;:
{PBKDF2-SHA512}10000$tg5S0X/NZNHNN8lwEhc4nBxGqgfVSw46$xVb1pYxhuaIGDyfr5+7KEI3pqvMMmKfwrIiC421Vl1bLcAm1PGILyr1Rn77RnZkTbXpxGWEdgK+c+fznmuDlcA==
And with the related CI tests:
===================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.16, pytest-5.4.3, py-1.11.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.9.16', 'Platform': 'Linux-5.14.0-241.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '5.4.3', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '2.0.4', 'html': '3.2.0', 'libfaketime': '0.1.2', 'flaky': '3.7.0'}}
389-ds-base: 2.2.4-3.el9
nss: 3.79.0-14.el9_0
nspr: 4.34.0-14.el9_0
openldap: 2.6.2-3.el9
cyrus-sasl: 2.1.27-21.el9
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests, inifile: pytest.ini
plugins: metadata-2.0.4, html-3.2.0, libfaketime-0.1.2, flaky-3.7.0
collected 49 items
healthcheck/health_security_test.py::test_healthcheck_insecure_pwd_hash_configured PASSED [ 2%]
password/pbkdf2_upgrade_plugin_test.py::test_pbkdf2_upgrade PASSED [ 4%]
password/pwd_algo_test.py::test_pwd_algo_test[CLEAR] PASSED [ 6%]
password/pwd_algo_test.py::test_pwd_algo_test[CRYPT] PASSED [ 8%]
password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-MD5] PASSED [ 10%]
password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA256] PASSED [ 12%]
password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-SHA512] PASSED [ 14%]
password/pwd_algo_test.py::test_pwd_algo_test[MD5] PASSED [ 16%]
password/pwd_algo_test.py::test_pwd_algo_test[SHA] PASSED [ 18%]
password/pwd_algo_test.py::test_pwd_algo_test[SHA256] PASSED [ 20%]
password/pwd_algo_test.py::test_pwd_algo_test[SHA384] PASSED [ 22%]
password/pwd_algo_test.py::test_pwd_algo_test[SHA512] PASSED [ 24%]
password/pwd_algo_test.py::test_pwd_algo_test[SMD5] PASSED [ 26%]
password/pwd_algo_test.py::test_pwd_algo_test[SSHA] PASSED [ 28%]
password/pwd_algo_test.py::test_pwd_algo_test[SSHA256] PASSED [ 30%]
password/pwd_algo_test.py::test_pwd_algo_test[SSHA384] PASSED [ 32%]
password/pwd_algo_test.py::test_pwd_algo_test[SSHA512] PASSED [ 34%]
password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2_SHA256] PASSED [ 36%]
password/pwd_algo_test.py::test_pwd_algo_test[DEFAULT] PASSED [ 38%]
password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA1] PASSED [ 40%]
password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA256] PASSED [ 42%]
password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2-SHA512] PASSED [ 44%]
password/pwd_algo_test.py::test_pwd_algo_test[GOST_YESCRYPT] PASSED [ 46%]
password/pwd_algo_test.py::test_pbkdf2_algo PASSED [ 48%]
password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade PASSED [ 51%]
password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_clearcrypt PASSED [ 53%]
password/pwd_upgrade_on_bind_test.py::test_password_hash_on_upgrade_disable PASSED [ 55%]
password/pwp_test.py::test_passwordchange_to_no PASSED [ 57%]
password/pwp_test.py::test_password_check_syntax PASSED [ 59%]
password/pwp_test.py::test_too_big_password PASSED [ 61%]
password/pwp_test.py::test_pwminage PASSED [ 63%]
password/pwp_test.py::test_invalid_credentials PASSED [ 65%]
password/pwp_test.py::test_expiration_date PASSED [ 67%]
password/pwp_test.py::test_passwordlockout PASSED [ 69%]
pwp_storage/storage_test.py::test_check_password_scheme[CRYPT] PASSED [ 71%]
pwp_storage/storage_test.py::test_check_password_scheme[SHA] PASSED [ 73%]
pwp_storage/storage_test.py::test_check_password_scheme[SSHA] PASSED [ 75%]
pwp_storage/storage_test.py::test_check_password_scheme[SHA256] PASSED [ 77%]
pwp_storage/storage_test.py::test_check_password_scheme[SSHA256] PASSED [ 79%]
pwp_storage/storage_test.py::test_check_password_scheme[SHA384] PASSED [ 81%]
pwp_storage/storage_test.py::test_check_password_scheme[SSHA384] PASSED [ 83%]
pwp_storage/storage_test.py::test_check_password_scheme[SHA512] PASSED [ 85%]
pwp_storage/storage_test.py::test_check_password_scheme[SSHA512] PASSED [ 87%]
pwp_storage/storage_test.py::test_check_password_scheme[MD5] PASSED [ 89%]
pwp_storage/storage_test.py::test_check_password_scheme[PBKDF2_SHA256] PASSED [ 91%]
pwp_storage/storage_test.py::test_clear_scheme PASSED [ 93%]
pwp_storage/storage_test.py::test_check_two_scheme PASSED [ 95%]
pwp_storage/storage_test.py::test_check_pbkdf2_sha256 PASSED [ 97%]
pwp_storage/storage_test.py::test_check_ssha512 PASSED [100%]
========================================================================= 49 passed in 185.04s (0:03:05) =========================================================================
Marking as Verified: Tested.
As per comment #c5, marking as VERIFIED. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (389-ds-base bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2274 |