Bug 1425907 - [RFE] Harden default password storage scheme
Summary: [RFE] Harden default password storage scheme
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Marc Muehlfeld
URL: http://www.port389.org/docs/389ds/des...
Whiteboard:
Depends On: 1258613
Blocks:
 
Reported: 2017-02-22 17:49 UTC by mreynolds
Modified: 2017-08-01 21:14 UTC

Fixed In Version: 389-ds-base-1.3.6.1-5.el7
Doc Type: Release Note
Doc Text:
Directory Server now uses the SSHA512 password storage scheme by default

Previously, Directory Server used the weaker 160-bit salted SHA-1 scheme (SSHA) as the default password storage scheme, set in the "passwordStorageScheme" and "nsslapd-rootpwstoragescheme" parameters in the "cn=config" entry. To increase security, the default of both parameters has been changed to the 512-bit salted SHA-512 scheme (SSHA512). The new default is used:
* when performing new Directory Server installations;
* when the "passwordStorageScheme" parameter is not set and you update passwords stored in "userPassword" attributes;
* when the "nsslapd-rootpwstoragescheme" parameter is not set and you update the Directory Manager password set in the "nsslapd-rootpw" attribute.

Existing hashes are not converted in place: a password already stored with the old {SSHA} scheme keeps that hash until the password is next changed.
Clone Of:
Environment:
Last Closed: 2017-08-01 21:14:10 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2086 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2017-08-01 18:37:38 UTC

Description mreynolds 2017-02-22 17:49:49 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49144

#### Issue Description

Need to update the default password storage scheme

Comment 8 Robert Krátký 2017-04-24 09:42:25 UTC
Fixed some minor mark-up and lang. oversights.

Comment 9 Viktor Ashirov 2017-05-16 14:40:14 UTC
Build tested:
389-ds-base-1.3.6.1-13.el7.x86_64

Default values on a newly created instance:
$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123  -b cn=config  -s base nsslapd-rootpwstoragescheme  passwordStorageScheme
dn: cn=config
nsslapd-rootpwstoragescheme: SSHA512
passwordStorageScheme: SSHA512

DM's password is hashed correctly with SSHA512:

$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123  -b cn=config -o ldif-wrap=no -s base nsslapd-rootpw 
dn: cn=config
nsslapd-rootpw: {SSHA512}Y1zlqxavRZb2ZOZFHV6orR7GNtbTqhfb0+itgkSkEGtV/qOgwsOBHzL5foVL5RIIwWzdbeL1EWJ93gLsu0uU/sZHo7fOUuPv

User's password is hashed correctly with SSHA512:

$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123  -b dc=example,dc=com -o ldif-wrap=no '(cn=tuser)' userPassword | un64ldif 
dn: cn=tuser,dc=example,dc=com
userPassword: {SSHA512}O+5pFFILBlnLxJfBBHZTYvHtXSAa/kBUDg7+yEwPh76KwX+EOJPRD5z0o9j958GCvwXu5ddhjnvNyunYD8Tv95wQnaF6Qwq+

Automated test also passes:

========================================================== test session starts ==========================================================
platform linux2 -- Python 2.7.5, pytest-3.0.7, py-1.4.33, pluggy-0.4.0
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-663.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.33', 'pytest': '3.0.7', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.5.1', 'metadata': '1.5.0'}}
DS build: 1.3.6.1
389-ds-base: 1.3.6.1-13.el7
nss: 3.28.4-6.el7
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.44-4.el7
svrcore: 4.1.3-2.el7

rootdir: /export/tests, inifile:
plugins: metadata-1.5.0, html-1.14.2, cov-2.5.1, beakerlib-0.7.1
collected 1 items 

suites/password/pwd_algo_test.py .

======================================================= 1 passed in 7.31 seconds ========================================================

Marking as VERIFIED.
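Added example, not part of the bug report or of 389-ds-base itself: a small stand-alone Python audit for the hashes shown in the Doc Text and in comment 9. It assumes the storage layout 389-ds uses for {SSHA}, {SSHA256} and {SSHA512}, namely "{SCHEME}" followed by base64(digest(password || salt) || salt) with an 8-byte salt appended after the digest; the constants SALT_LEN, SCHEMES and WEAK_SCHEMES, the function names, the sample LDIF and the DNs in it are all constructed here for illustration. The Directory Manager hash from comment 9 is included verbatim only to check that it decodes to a 64-byte SHA-512 digest plus an 8-byte salt.

```python
# Added example (not from the bug report or the 389-ds project): parse, verify and
# audit the salted-SHA password hashes 389-ds writes into userPassword and
# nsslapd-rootpw. Assumed layout, identical for {SSHA}, {SSHA256} and {SSHA512}:
#     "{SCHEME}" + base64( digest(password || salt) || salt )
# with an 8-byte salt after the digest. Standard library only.
import base64
import hashlib
import hmac
import os
import re
from collections import Counter

SALT_LEN = 8                        # salt length assumed for 389-ds (assumption)
SCHEMES = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}
WEAK_SCHEMES = {"SSHA"}             # 160-bit salted SHA-1: the old default this bug replaced

# Directory Manager hash exactly as printed in comment 9 of the bug; used below only
# to check its structure (digest and salt lengths), not to assert anything else.
ROOTPW_FROM_COMMENT_9 = ("{SSHA512}Y1zlqxavRZb2ZOZFHV6orR7GNtbTqhfb0+itgkSkEGtV/qOgwsOBHzL5foVL"
                         "5RIIwWzdbeL1EWJ93gLsu0uU/sZHo7fOUuPv")


def parse_hash(value):
    """Split '{SCHEME}base64' into (scheme, digest_bytes, salt_bytes)."""
    m = re.fullmatch(r"\{([A-Za-z0-9]+)\}(\S+)", value.strip())
    if not m:
        raise ValueError("not a tagged password hash: %r" % value)
    scheme, b64 = m.group(1).upper(), m.group(2)
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    b64 += "=" * (-len(b64) % 4)                 # tolerate stripped base64 padding
    raw = base64.b64decode(b64)
    digest_len = hashlib.new(SCHEMES[scheme]).digest_size
    if len(raw) <= digest_len:
        raise ValueError("value too short to hold digest and salt")
    return scheme, raw[:digest_len], raw[digest_len:]


def verify_password(password, value):
    """True if password matches the stored value; digest compare is constant-time."""
    scheme, digest, salt = parse_hash(value)
    calc = hashlib.new(SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def hash_password(password, scheme="SSHA512", salt=None):
    """Produce a value in the same layout; random salt unless one is supplied."""
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.new(SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def audit_ldif(ldif_text):
    """Count userPassword values per scheme and list DNs still on a weak (or clear) value.

    Accepts both 'userPassword: {...}' and the base64 form 'userPassword:: ...' that
    ldapsearch and db2ldif emit (comment 9 pipes through un64ldif for the same reason).
    """
    counts = Counter()
    weak_dns = []
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            continue
        if line.startswith("userPassword:: "):
            value = base64.b64decode(line[len("userPassword:: "):].strip()).decode("utf-8")
        elif line.startswith("userPassword: "):
            value = line[len("userPassword: "):].strip()
        else:
            continue
        m = re.match(r"\{([A-Za-z0-9]+)\}", value)
        scheme = m.group(1).upper() if m else "CLEAR"     # untagged value = cleartext
        counts[scheme] += 1
        if scheme in WEAK_SCHEMES or scheme == "CLEAR":
            weak_dns.append(dn)
    return counts, weak_dns


# Constructed sample export: one user still on the pre-1.3.6 default {SSHA} (fixed
# salt so the value is reproducible) and one on {SSHA512}, the latter base64-wrapped
# the way ldapsearch prints it.
LEGACY_HASH = hash_password("Secret123", "SSHA", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
SAMPLE_LDIF = "\n".join([
    "dn: uid=legacy,ou=people,dc=example,dc=com",
    "userPassword: " + LEGACY_HASH,
    "",
    "dn: uid=current,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(hash_password("Secret123").encode()).decode(),
    "",
])

if __name__ == "__main__":
    scheme, digest, salt = parse_hash(ROOTPW_FROM_COMMENT_9)
    print(scheme, len(digest), "byte digest,", len(salt), "byte salt")
    print("comment-9 hash matches 'Secret123':",
          verify_password("Secret123", ROOTPW_FROM_COMMENT_9))
    counts, weak = audit_ldif(SAMPLE_LDIF)
    print(dict(counts), "still on a weak scheme:", weak)
```

To run the audit against a real instance, feed it the output of an export such as `ldapsearch -xLLL -D "cn=Directory Manager" -W -b dc=example,dc=com -o ldif-wrap=no userPassword` (the `-o ldif-wrap=no` keeps each value on one line, as in comment 9). The list of weak DNs is the practical point of the change described in the Doc Text: raising the default only affects passwords set after the upgrade, so entries that still carry {SSHA} values stay on SHA-1 until those users change their password or an administrator resets it.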

Comment 10 errata-xmlrpc 2017-08-01 21:14:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086

