[Freeipa-devel] Capturing passwords for migration at bind-time?

Simo Sorce ssorce at redhat.com
Thu Jun 26 15:56:15 UTC 2008


On Thu, 2008-06-26 at 11:15 -0400, Dmitri Pal wrote:
> > Currently we hook into the password change extended operation and
> > provide a kpasswd service to ensure that Kerberos keys (and other hashes
> > which are based on the user's password) are generated whenever a user
> > changes her password.
> >
> > Would it be useful to also intercept the password used when a simple or
> > SASL/PLAIN bind requests succeed, and take the opportunity to generate
> > the hashes so that we can avoid forcing password changes?
> >
> Simple bind will reveal the password in the clear. I do not think we want to
> do this for the same reasons we do not want to store them on the client
> machine.

I don't see why we should store them.

>  It will force us to use SSL. It is currently turned off for performance 
> reasons.

SSL is configured in DS, we use it for replication, we do not use it in
the default nss_ldap configuration, but nothing prevents us from using SSL
for an eventual special bind done explicitly as a way to perform a
password-change-on-good-auth operation.
We would need a special pam module to do that though.

> SASL will not give us the password in clear on the server side so we 
> won't be able to generate the hashes.

A plain text bind gives us (and I mean DS) the password in the clear, so
all we need is a bind plugin that intercepts it, checks that the account
is in "upgrade" mode, performs a password change operation to generate
all the hashes, and puts the user account in "upgraded" mode (eventually
turning off plain text auth at the same time).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
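The bind-plugin flow Simo sketches above, as an added illustration that is not FreeIPA or 389-DS code: the attribute names `ipaMigrationState` and `allowPlainBind`, the account store, and the use of PBKDF2 as a stand-in for Kerberos string2key are all assumptions made for the example. It refuses the bind when the connection is not secured, only generates new hashes after the legacy hash has verified the password, and switches plain-text auth off once the account is upgraded.

```python
import base64, hashlib, hmac, os

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Legacy {SSHA} userPassword value: base64(SHA-1(password + 4-byte salt) + salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def derive_new_hashes(password: str, principal: str) -> dict:
    """Stand-in for the password-change path that creates every hash we need.
    Real Kerberos keys come from string2key; PBKDF2 here is only a placeholder (assumption)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)
    return {"krbPrincipalKey": key.hex(), "userPassword": ssha_hash(password)}

def simple_bind(directory: dict, dn: str, password: str, secure: bool) -> str:
    """Model of the pre-bind plugin; returns an LDAP result name.
    Only the simple bind path carries the password, so SASL binds never reach this code."""
    if not secure:                          # the special bind is only allowed over SSL
        return "confidentialityRequired"
    acct = directory.get(dn)
    if acct is None:
        return "invalidCredentials"
    if not acct["allowPlainBind"]:          # already upgraded: plain-text auth switched off
        return "inappropriateAuthentication"
    if not ssha_verify(password, acct["userPassword"]):
        return "invalidCredentials"         # a bad password must never feed key generation
    if acct["ipaMigrationState"] == "upgrade":
        acct.update(derive_new_hashes(password, acct["krbPrincipalName"]))
        acct["ipaMigrationState"] = "upgraded"
        acct["allowPlainBind"] = False      # turn plain-text auth off now that keys exist
    return "success"

def make_directory() -> dict:
    """Constructed sample: one migrated account that still has only its legacy hash."""
    return {"uid=alice,cn=users,dc=example,dc=com": {
        "krbPrincipalName": "alice@EXAMPLE.COM",
        "userPassword": ssha_hash("correct horse"),
        "ipaMigrationState": "upgrade",
        "allowPlainBind": True,
    }}
```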
