Bug 1425907 - [RFE] Harden default password storage scheme
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
7.4
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Noriko Hosoi
Viktor Ashirov
Marc Muehlfeld
http://www.port389.org/docs/389ds/des...
: FutureFeature
Depends On: 1258613
Blocks:
Reported: 2017-02-22 12:49 EST by mreynolds
Modified: 2017-08-01 17:14 EDT (History)

See Also:
Fixed In Version: 389-ds-base-1.3.6.1-5.el7
Doc Type: Release Note
Doc Text:
Directory Server now uses the *SSHA_512* password storage scheme as default

Previously, Directory Server used the weak 160-bit salted secure hash algorithm (SSHA) as the default password storage scheme set in the "passwordStorageScheme" and "nsslapd-rootpwstoragescheme" parameters in the "cn=config" entry. To increase security, the default of both parameters has been changed to the strong 512-bit SSHA scheme (SSHA_512). The new default is used:

* When performing new Directory Server installations.
* When the "passwordStorageScheme" parameter is not set, and you are updating passwords stored in "userPassword" attributes.
* When the "nsslapd-rootpwstoragescheme" parameter is not set, and you are updating the Directory Server manager password set in the "nsslapd-rootpw" attribute.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 17:14:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2086 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2017-08-01 14:37:38 EDT

Description mreynolds 2017-02-22 12:49:49 EST
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49144

#### Issue Description

Need to update the default password storage scheme
Comment 8 Robert Krátký 2017-04-24 05:42:25 EDT
Fixed some minor mark-up and lang. oversights.
Comment 9 Viktor Ashirov 2017-05-16 10:40:14 EDT
Build tested:
389-ds-base-1.3.6.1-13.el7.x86_64

Default values on a newly created instance:
$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123  -b cn=config  -s base nsslapd-rootpwstoragescheme  passwordStorageScheme
dn: cn=config
nsslapd-rootpwstoragescheme: SSHA512
passwordStorageScheme: SSHA512

DM's password is hashed correctly with SSHA512:

$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123  -b cn=config -o ldif-wrap=no -s base nsslapd-rootpw 
dn: cn=config
nsslapd-rootpw: {SSHA512}Y1zlqxavRZb2ZOZFHV6orR7GNtbTqhfb0+itgkSkEGtV/qOgwsOBHzL5foVL5RIIwWzdbeL1EWJ93gLsu0uU/sZHo7fOUuPv

User's password is hashed correctly with SSHA512:

$ ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123  -b dc=example,dc=com -o ldif-wrap=no '(cn=tuser)' userPassword | un64ldif 
dn: cn=tuser,dc=example,dc=com
userPassword: {SSHA512}O+5pFFILBlnLxJfBBHZTYvHtXSAa/kBUDg7+yEwPh76KwX+EOJPRD5z0o9j958GCvwXu5ddhjnvNyunYD8Tv95wQnaF6Qwq+

Automated test also passes:

========================================================== test session starts ==========================================================
platform linux2 -- Python 2.7.5, pytest-3.0.7, py-1.4.33, pluggy-0.4.0
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-663.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.33', 'pytest': '3.0.7', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.5.1', 'metadata': '1.5.0'}}
DS build: 1.3.6.1
389-ds-base: 1.3.6.1-13.el7
nss: 3.28.4-6.el7
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.44-4.el7
svrcore: 4.1.3-2.el7

rootdir: /export/tests, inifile:
plugins: metadata-1.5.0, html-1.14.2, cov-2.5.1, beakerlib-0.7.1
collected 1 items 

suites/password/pwd_algo_test.py .

======================================================= 1 passed in 7.31 seconds ========================================================

Marking as VERIFIED.
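As an added illustration (not code from 389-ds-base or from this bug), the following Python builds and verifies values in the {SSHA512} layout seen in comment 9, base64(digest(password || salt) || salt) with an 8-byte salt (the 96-character values above decode to 64 + 8 bytes, consistent with this), and audits an LDIF export for entries still stored with the legacy 160-bit SSHA default described in the Doc Text. The sample LDIF, DNs and passwords are constructed here; the audit accepts both the "userPassword:" form produced by un64ldif and the base64 "userPassword::" form ldapsearch emits on its own.

```python
import base64
import hashlib
import hmac
import os
import re

# Salted-SHA schemes 389-ds can store: hashlib name and digest length in bytes.
SCHEMES = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32),
           "SSHA384": ("sha384", 48), "SSHA512": ("sha512", 64)}
SALT_LEN = 8           # assumption: 389-ds appends an 8-byte salt after the digest
STRONG = {"SSHA512"}   # the new default; every other scheme is reported by the audit


def ssha_hash(password, scheme="SSHA512", salt=None):
    """Build "{SCHEME}base64(digest(password||salt) || salt)" as stored in userPassword."""
    algo, _ = SCHEMES[scheme]
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def ssha_verify(password, stored):
    """Constant-time check of a candidate password against a stored {SSHA*} value."""
    m = re.match(r"^\{([A-Z0-9]+)\}(\S+)$", stored)
    if not m or m.group(1) not in SCHEMES:
        return False                      # unknown or non-SSHA scheme: cannot verify
    algo, dlen = SCHEMES[m.group(1)]
    raw = base64.b64decode(m.group(2))
    digest, salt = raw[:dlen], raw[dlen:]  # salt is whatever follows the digest
    cand = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(cand, digest)


def audit_ldif(ldif_text):
    """Map DN -> scheme for every entry whose userPassword is not SSHA512."""
    findings, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:") and dn:
            value = line.split(":", 1)[1]
            if value.startswith(":"):     # 'attr:: ' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            m = re.match(r"\{([A-Za-z0-9]+)\}", value.strip())
            scheme = m.group(1).upper() if m else "CLEAR"   # no prefix: cleartext
            if scheme not in STRONG:
                findings[dn] = scheme
    return findings


# Constructed sample: one entry hashed with the legacy SSHA default, one with SSHA512.
SAMPLE_LDIF = "\n".join([
    "dn: cn=old,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(ssha_hash("Secret123", "SSHA").encode()).decode(),
    "",
    "dn: cn=new,dc=example,dc=com",
    "userPassword: " + ssha_hash("Secret123"),
])
```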
Comment 10 errata-xmlrpc 2017-08-01 17:14:10 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086
