[Freeipa-devel] Capturing passwords for migration at bind-time?
Simo Sorce
ssorce at redhat.com
Thu Jun 26 15:56:15 UTC 2008
On Thu, 2008-06-26 at 11:15 -0400, Dmitri Pal wrote:
> > Currently we hook into the password change extended operation and
> > provide a kpasswd service to ensure that Kerberos keys (and other hashes
> > which are based on the user's password) are generated whenever a user
> > changes her password.
> >
> > Would it be useful to also intercept the password used when a simple or
> > SASL/PLAIN bind request succeeds, and take the opportunity to generate
> > the hashes so that we can avoid forcing password changes?
> >
> >
> Simple bind will reveal the password in the clear. I do not think we want to
> do this for the same reasons we do not want to store them on the client
> machine.
I don't see why we should store them.
> It will force us to use SSL. It is currently turned off for performance
> reasons.
SSL is configured in DS; we use it for replication, we do not use it in
the default nss_ldap configuration, but nothing prevents us from using SSL
for an eventual special bind done explicitly as a way to perform a
password-change-on-good-auth operation.
We would need a special pam module to do that though.
> SASL will not give us the password in the clear on the server side so we
> won't be able to generate the hashes.
A plain text bind gives us (and I mean DS) the password in the clear, so
all we need is a bind plugin that intercepts it, checks that the account
is in "upgrade" mode, performs a password change operation to generate
all the hashes, and puts the user account in "upgraded" mode (eventually
turning off plain text auth at the same time).
Simo.
--
Simo Sorce * Red Hat, Inc * New York
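The bind-plugin flow Simo sketches above, written out as an added example (this is not FreeIPA or 389 Directory Server code, and none of the names below come from the project). It models the pre-bind hook: refuse a cleartext bind that is not protected by TLS (Dmitri's objection), verify the credential against the legacy {SSHA} hash migrated from the old directory, and only on a successful bind of an entry still in "upgrade" mode derive the missing keys and flip the entry to "upgraded", optionally disabling plaintext binds for it. The cleartext password is used only within the call and never stored. The `Account`, `pre_bind`, `derive_keys` and `ssha_*` names, the sample user and the password are all constructed for this example; PBKDF2-HMAC-SHA256 is a stand-in for the real Kerberos string-to-key function (RFC 3962), kept only so the code runs with the standard library.

```python
"""Simulation of 'generate hashes on a successful plaintext bind'.

Added example, not FreeIPA / 389 DS code. A bind plugin sees the cleartext
credential of a simple bind; if the entry is still in "upgrade" mode and the
bind succeeds, it derives the missing Kerberos keys and marks the entry
"upgraded". All names here are this example's own.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: a real plugin would call the Kerberos string2key routine
# (RFC 3962). PBKDF2-HMAC-SHA256 stands in for it so this runs stand-alone.
ENCTYPES = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")
KEYLEN = {"aes256-cts-hmac-sha1-96": 32, "aes128-cts-hmac-sha1-96": 16}


@dataclass
class Account:
    dn: str
    principal: str                    # e.g. "alice@EXAMPLE.COM"
    userpassword: str                 # legacy {SSHA} hash migrated from the old directory
    mode: str = "upgrade"             # "upgrade": keys missing; "upgraded": keys present
    krb_keys: Dict[str, bytes] = field(default_factory=dict)
    allow_plain_bind: bool = True


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(password||salt)||salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a {SSHA} hash with a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


def derive_keys(password: str, principal: str) -> Dict[str, bytes]:
    """Derive one key per enctype; salt is realm||name, the Kerberos default salt."""
    name, realm = principal.split("@", 1)
    salt = (realm + name).encode()
    return {et: hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, KEYLEN[et])
            for et in ENCTYPES}


def pre_bind(acct: Account, password: str, over_tls: bool,
             disable_plain_after_upgrade: bool = False) -> str:
    """Pre-bind hook for a simple bind. Returns the outcome; never stores the cleartext."""
    # A cleartext bind without TLS exposes the password on the wire: refuse it
    # outright rather than use it.
    if not over_tls:
        return "refused: plaintext bind requires TLS"
    if not acct.allow_plain_bind:
        return "refused: plaintext bind disabled for this entry"
    # Only a successful bind proves the credential is the real password;
    # deriving keys from a failed attempt would poison the entry.
    if not ssha_verify(password, acct.userpassword):
        return "invalid credentials"
    if acct.mode == "upgrade":
        # The same work the password-change extended op does: generate all hashes.
        acct.krb_keys = derive_keys(password, acct.principal)
        acct.mode = "upgraded"
        if disable_plain_after_upgrade:      # "eventually turning off plain text auth"
            acct.allow_plain_bind = False
        return "bound; keys generated; entry upgraded"
    return "bound"


def demo() -> Tuple[List[str], Account]:
    """Constructed walk-through: a migrated user binds several times."""
    alice = Account(dn="uid=alice,cn=users,dc=example,dc=com",
                    principal="alice@EXAMPLE.COM",
                    userpassword=ssha_hash("Winter2008!"))   # constructed sample
    out = [pre_bind(alice, "Winter2008!", over_tls=False)]      # refused: no TLS
    out.append(pre_bind(alice, "wrong", over_tls=True))          # fails, still "upgrade"
    out.append(pre_bind(alice, "Winter2008!", over_tls=True))    # keys generated
    out.append(pre_bind(alice, "Winter2008!", over_tls=True))    # plain bind just binds
    return out, alice


if __name__ == "__main__":
    results, acct = demo()
    for r in results:
        print(r)
    print(acct.mode, sorted(acct.krb_keys))
```

The order of checks is the security-relevant part: TLS and per-entry policy are evaluated before the credential is touched, the credential is verified before any key is derived, and the derived keys are written to the entry while the cleartext itself only ever lives in the call's stack frame, which is what makes this different from storing the password.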