[Freeipa-devel] Consistent password hashing and lookups

Dmitri Pal dpal at redhat.com
Tue May 13 14:36:28 UTC 2014


On 05/12/2014 10:37 PM, James wrote:
> On Mon, May 12, 2014 at 6:22 PM, Dmitri Pal <dpal at redhat.com> wrote:
>> On 05/12/2014 06:07 PM, James wrote:
>>> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
>>>> Is there any other attribute to look at?
>>>> For example the timestamp when it was last set and base the update on
>>>> that rather than on matching password values?
>>>>
>>> There are some other solutions, but they are less elegant or don't work
>>> consistently. (Eg: bad hacks)
>>>
>>>
>> I would argue that comparing hashes is the worst hack ever.
>> Can you create a file once you set a password to indicate that password is
>> set?
> Not possible...
>
>> Bottom line - I do not like the approach you are trying to implement and I
>> do not want you to find a way to solve this problem by comparing hashes. It
>> is not a good security hygiene. I would rather suggest patches to puppet to
>> address the issue properly than aid you on this path.
> I think you are missing the point... It is a bit subtle. Puppet is
> weird :) Here's what I'll do. I'll finish my other password related
> work, and then I'll post back with my complete feature branch minus
> the missing commands that I'm hoping to learn from the ML.
>
> I think you'll realize what I'm doing makes a lot of sense. I think
> you'll also soon agree that I have the only puppet module out there
> that is managing passwords responsibly. The status quo is that people
> are storing cleartext passwords _in puppet!

This is their problem. Why would we aid them to do wrong things and make 
it easier?
I really miss the point. Why is it all needed?
Why do you need to reset passwords in IPA through puppet?
What is the use case?


>   tsk tsk. In any case,
> since when did a project stop its users from shooting themselves in
> the foot if they thought that was right?
>
> Cheers,
> James
>
>
>
>> Sorry ;-)


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



