[Freeipa-devel] Consistent password hashing and lookups

Alexander Bokovoy abokovoy at redhat.com
Mon May 12 07:43:21 UTC 2014


On Mon, 12 May 2014, Martin Kosek wrote:
>On 05/12/2014 03:47 AM, James wrote:
>> On Sun, May 11, 2014 at 9:02 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>> On 05/11/2014 06:31 PM, James wrote:
>>>>
>>>> On Sun, May 11, 2014 at 3:04 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>
>>>>> This is scary.
>>>>> This means that you expecting to have a hash being stored somewhere else
>>>>> outside the DS.
>>>>
>>>> Haha, I agree! Actually, worse! I will have the plain text password
>>>> stored somewhere outside the DS! Let me give you more background:
>>>>
>>>> I think this is an atrociously bad idea. However *everybody* stores
>>>> password credentials poorly in puppet. So in order to do it properly,
>>>> I've gone to great lengths to support something smarter for
>>>> puppet-ipa. Most of the code is already done.
>>>>
>>>
>>> Which module do you want me to look at?
>>> I am not going to review your whole project :-)
>> I just posted it for fun. I wasn't looking for a review, though!
>> The technique is rather complicated, so I'm going to save it for a
>> longer blog post write up when it's finished.
>>
>>>
>>>
>>>> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
>>>>
>>>> You'll be very pleased to know it doesn't do anything bad! BUT: I am
>>>> still going to support the "bad method" of storing the actual password
>>>> in puppet. Sad, but still used. So I do need to know how to do this
>>>> bad thing, but if you look at my code, you'll see I'm doing something
>>>> clever. Once it's all done and tested, I'll blog about it and announce
>>>> the technique publicly.
>>>>
>>>>> Can you describe the workflow?
>>>>> You want to be able to reset the admin password, right?
>>>>> How do you bind? Using same admin password? Or keytab?
>>>>
>>>> I don't bind. I'm running as root on the free-ipa server.
>>>
>>> But to do an LDAP operation you still need to connect to LDAP. You can use
>>> LDAPI in this case but then you do not need to authenticate at all, I think
>>> in this case you should be able to overwrite the password without knowing
>>> the old one.
>>>
>>> I do not think we should promote bad and insecure practices around the
>>> security product. That defeats the purpose. I strongly suggest avoiding
>>> saving any password and resetting the existing password using local root. I
>>> think it is possible. If not we need to think about the proper way of
>>> solving your use case.
>> Agreed. Which is why I posted the feature branch early, to hopefully
>> convince the ipa community that I'm going about the password stuff the
>> "right way".
>>
>> Anyways, back to the question:
>> What commands can I use to look up the hash, and compute the hash? (Or
>> simply test if a string password matches the stored password.)
>>
>> Same questions for the DM password.
>>
>> Thanks!
>
>I sense some very black magic happening in this thread...
>
>I do not see any reason for storing the password or hash of the password
>outside of FreeIPA. As you said, you have a local root access to IPA machine,
>you can then bind as Directory Manager and see or change any password.
>
>
>1) Get fbar1's b64 encoded password hash:
>
># ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b
>'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' userPassword
>
>2) Forcefully change fbar1's password:
>
># ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
>'uid=fbar1,cn=users,cn=accounts,dc=example,dc=com' -s newpassword
s/ldapsearch/ldappasswd/

>Note that the user fbar1 will not be prompted for the new password as the
>password was changed by DM. As Dmitri wrote, a safer and a better approach
>would be to have the script run as a special/system user with appropriate
>privilege, authenticated with a keytab. Such user could then just call "ipa
>passwd" FreeIPA command.
I think the point here is that the puppet-ipa module is run by puppet under
the root account already, so ldappasswd using ldapi with external auth as root
is enough. Introducing another user when you are already root seems to
be a bit of bloat in puppet's case.

-- 
/ Alexander Bokovoy
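As an added illustration of the lookup James asked about (not code from this thread, from FreeIPA or from puppet-ipa): the script below parses the base64-encoded `userPassword` that the `ldapsearch ... userPassword` command above prints, and checks a candidate password against a 389-ds style `{SSHA}` value. The LDIF sample is constructed inline, and the fixed salt and the password "Secret123" are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a 389-ds style {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA + base64.b64encode(digest + salt).decode("ascii")


def parse_ldif_attr(ldif: str, attr: str) -> Optional[bytes]:
    """Extract one attribute from ldapsearch LDIF output.

    Handles folded lines (continuation lines start with a space) and the
    'attr:: value' form, which is how ldapsearch prints base64 values such
    as userPassword. Returns the raw attribute value, or None if absent."""
    unfolded = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join continuation onto previous line
        else:
            unfolded.append(raw)
    for line in unfolded:
        if line.startswith(attr + ":: "):
            return base64.b64decode(line[len(attr) + 3:])
        if line.startswith(attr + ": "):
            return line[len(attr) + 2:].encode("utf-8")
    return None


def verify_ssha(stored: bytes, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith(SSHA.encode("ascii")):
        raise ValueError("unsupported password scheme: %r" % stored[:16])
    blob = base64.b64decode(stored[len(SSHA):])
    digest, salt = blob[:20], blob[20:]      # SHA-1 digest is 20 bytes, remainder is salt
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)


def constructed_ldif(password: str) -> str:
    """Constructed stand-in for the ldapsearch output in the thread (not real server data)."""
    value = base64.b64encode(ssha_hash(password, salt=b"\x01\x02\x03\x04\x05\x06\x07\x08").encode()).decode()
    return ("dn: uid=fbar1,cn=users,cn=accounts,dc=example,dc=com\n"
            "userPassword:: " + value[:40] + "\n " + value[40:] + "\n")


def check(ldif: str, candidate: str) -> bool:
    """Look up userPassword in the LDIF and test whether candidate matches it."""
    stored = parse_ldif_attr(ldif, "userPassword")
    return stored is not None and verify_ssha(stored, candidate)
```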