Bug 1247474 - hash encodings not working
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: ldapvi
Version: 22
Assigned To: Matěj Cepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-07-28 01:58 EDT by IanB
Modified: 2018-04-11 07:26 EDT
Doc Type: Bug Fix
Last Closed: 2016-07-19 13:13:36 EDT
Type: Bug
Description IanB 2015-07-28 01:58:20 EDT
Description of problem:

Adding or modifying an attribute which has a hash encoded value (e.g. userPassword) results in the supplied value not being hashed properly. Instead, the result is the hash of the string '{SSHA}' (or whichever encoding was specified).

How reproducible: always


Steps to Reproduce:
1. edit existing posixAccount entry, update 'userPassword' field with:
userPassword:ssha foo
2. apply modification. Value is hashed
3. attempt to authenticate the user using password 'foo'. It will fail
4. attempt to authenticate the user using password '{SSHA}'. It will succeed!


Additional info:

This issue was reported on the ldapvi mailing list back in 2007! http://lists.askja.de/pipermail/ldapvi/2007-October/000041.html

This issue should be fixed, or the 'ldapvi' package removed from Fedora repos due to the potential security issue it poses.
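
An added example, not part of the original report or of ldapvi: a Python audit that flags userPassword values whose digest matches the scheme tag itself, the symptom described in the report above. It goes beyond the SSHA case to SHA, SMD5 and MD5; the function names, DNs and sample values are constructed, and the stored form `{TAG}base64(digest + salt)` is assumed.

```python
import base64
import hashlib
import hmac
import os

# Scheme tag -> (hash algorithm, salted?). Stored form: {TAG}base64(digest + salt)
SCHEMES = {"SSHA": ("sha1", True), "SHA": ("sha1", False),
           "SMD5": ("md5", True), "MD5": ("md5", False)}

def make_hash(tag, password):
    """Build a userPassword value the way a correct client would."""
    algo, salted = SCHEMES[tag]
    salt = os.urandom(8) if salted else b""
    digest = hashlib.new(algo, password + salt).digest()
    return "{%s}%s" % (tag, base64.b64encode(digest + salt).decode())

def parse(stored):
    """Return (tag, algo, digest, salt), or None for unknown or malformed values."""
    tag, sep, b64 = stored[1:].partition("}")
    if not stored.startswith("{") or not sep or tag.upper() not in SCHEMES:
        return None
    algo, salted = SCHEMES[tag.upper()]
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    size = hashlib.new(algo).digest_size
    if len(raw) < size or (not salted and len(raw) != size):
        return None
    return tag, algo, raw[:size], raw[size:]

def verify(stored, candidate):
    """Constant-time check of a candidate password against a stored value."""
    parsed = parse(stored)
    if parsed is None:
        return False
    _, algo, digest, salt = parsed
    return hmac.compare_digest(hashlib.new(algo, candidate + salt).digest(), digest)

def audit(entries):
    """DNs whose stored hash matches the scheme tag itself, e.g. '{SSHA}'."""
    tagged = ((dn, s, parse(s)) for dn, s in entries)
    return [dn for dn, s, p in tagged if p and verify(s, ("{%s}" % p[0]).encode())]

# Constructed sample entries (DNs and passwords are made up for this example).
SAMPLE = [("uid=alice,dc=example,dc=org", make_hash("SSHA", b"foo")),
          ("uid=bob,dc=example,dc=org", make_hash("SSHA", b"{SSHA}")),
          ("uid=carol,dc=example,dc=org", make_hash("SMD5", b"{SMD5}")),
          ("uid=dave,dc=example,dc=org", "{CRYPT}not-a-digest-scheme")]
```

Entries returned by `audit` need their passwords reset with a client that hashes the supplied value; schemes outside the table, such as `{CRYPT}`, are skipped rather than reported.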
Comment 1 Matěj Cepl 2015-07-28 05:04:38 EDT
(In reply to IanB from comment #0)
> This issue was reported on the ldapvi mailing list back in 2007!
> http://lists.askja.de/pipermail/ldapvi/2007-October/000041.html

Do you think you have a solution for this bug? If you make a non-lazy, more thought-through patch, I would take a look and talk with the upstream about the inclusion.

> This issue should be fixed, or the 'ldapvi' package removed from Fedora
> repos due to the potential security issue it poses.

I don't think this is a security issue. ldapvi is meant for people who know what they are doing, and editing hashed passwords in $EDITOR doesn't look like an activity of such a person.
Comment 2 Fedora End Of Life 2016-07-19 13:13:36 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
