[Freeipa-users] Password Attribute Syncing Support

Rob Crittenden rcritten at redhat.com
Fri Mar 19 20:43:42 UTC 2010


Walter Meyer wrote:
> I will see if Salted SHA1 is supported and maybe Google hasn't 
> documented it yet. If not, the sync is done with the Google Servers over 
> SSL. And if only the Directory Manager can read the userPassword 
> attribute, would storing the userPassword attribute in SHA1 be that 
> insecure? What scenario could the passwords be compromised if I went 
> with this setup? Unless the Directory Manager account was compromised 
> wouldn't this be secure if all of the data was being transmitted over SSL?
> 
> Also all logins to Google Apps are encrypted with SSL.

Ok, the SSL usage makes me feel better. Using a weaker password 
encryption scheme isn't ideal but if you are protecting transmission of 
it you are probably ok. The risk is that if somehow the hash did get 
exposed it is relatively easier to crack it than a salted hash. Risk is 
something you'll need to weigh specific to your environment; this may be 
acceptable. It doesn't make my alarm bells go off but I'm a pretty laid 
back guy :-)

In fact, this would be very cool if it worked. You might want to file an 
RFE with the nice folks at Google to see if they'll support salted 
hashes if they don't now and potentially move to a more secure 
environment later.

As Simo pointed out you'll want to modify the default password 
encryption scheme before adding your users so you don't have to force 
round after round of password changes on them.

If you decide to try it out let us know how it works.

cheers

rob
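The risk Rob describes (an exposed unsalted hash is easier to crack than a salted one) can be made concrete with the two LDAP storage schemes in question. The following is an added example, not code from the thread or from FreeIPA/389-ds: it implements the {SHA} (unsalted) and {SSHA} (salted) encodings, a verifier for both, and a small cost model showing why a leaked table of {SHA} values can be attacked with one pass over a wordlist while {SSHA} values each need their own pass. The 8-byte salt length and the function names are assumptions made for the example.

```python
"""Added example: LDAP {SHA} vs {SSHA} password storage schemes.

Identical passwords give identical {SHA} values, so one precomputed
table (or one wordlist pass) covers every account; {SSHA} values carry
a per-user salt, so the work scales with the number of distinct salts.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

SHA1_LEN = 20      # bytes in a SHA-1 digest
SALT_LEN = 8       # assumed salt size for this example


def ldap_sha(password: str) -> str:
    """Unsalted {SHA} scheme: '{SHA}' + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} scheme: '{SSHA}' + base64(sha1(password + salt) + salt).

    The salt is stored in the clear after the digest; it needs to be
    unique per user, not secret.  A fixed salt may be passed for tests.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SHA} or {SSHA} value."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(candidate.encode("utf-8")).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        actual = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    else:
        raise ValueError("unsupported password storage scheme")
    # constant-time comparison so the check does not leak matching prefix length
    return hmac.compare_digest(expected, actual)


def guesses_needed(stored: List[str], wordlist_size: int) -> int:
    """SHA-1 computations needed to test a wordlist against every stored value.

    All {SHA} values share one pass over the wordlist (each word hashed
    once, compared against every account).  Each distinct {SSHA} salt
    forces its own pass, so salted storage multiplies the attacker's work.
    """
    salts = set()
    unsalted_pass = 0
    for value in stored:
        if value.startswith("{SSHA}"):
            raw = base64.b64decode(value[len("{SSHA}"):])
            salts.add(raw[SHA1_LEN:])
        elif value.startswith("{SHA}"):
            unsalted_pass = 1
        else:
            raise ValueError("unsupported password storage scheme")
    return wordlist_size * (unsalted_pass + len(salts))


if __name__ == "__main__":
    # constructed sample: two accounts that happen to share a password
    pw = "correct horse"
    a, b = ldap_sha(pw), ldap_sha(pw)
    print("unsalted values identical:", a == b)          # True
    c, d = ldap_ssha(pw), ldap_ssha(pw)
    print("salted values identical:", c == d)            # False
    print("verify:", verify(c, pw), verify(d, pw), verify(c, "wrong"))
    print("work for 10k words, 2 users:",
          guesses_needed([a, b], 10_000), "vs", guesses_needed([c, d], 10_000))
```

The point for the thread: with SSL protecting the sync channel the hashes should never be on the wire in the clear, so the residual exposure is a copy of the directory data itself, and that is exactly the case where the salted scheme costs the attacker a full wordlist pass per account instead of one pass for everyone.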