Andy Schofield
2007-Mar-29 15:09 UTC
[Fedora-directory-users] How to change password storage method?
I must be missing something here but I tried following the instructions here http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html but to no avail.

I want the passwords for all Users in People to be stored in md5. Everything I have done (like selecting a user and "Managing passwords") leaves them in SSHA which is presumably some default.

My real problem is that clients are broadcasting passwords in the clear (despite pam being told to use md5 with ldap). I am assuming that is because the ldap server is using SSHA and pam is using md5 so they negotiate to send passwords in the clear. Does that sound right?

Thanks
Andy
Andy Schofield
2007-Mar-29 16:28 UTC
Re: [Fedora-directory-users] How to change password storage method?
On Thu, 29 Mar 2007 16:09:00 +0100 Andy Schofield <ajs@th.ph.bham.ac.uk> wrote:

> I want the passwords for all Users in People to be stored in md5.
> Everything I have done (like selecting a user and "Managing passwords")
> leaves them in SSHA which is presumably some default.

Sorry - found it in the manual http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672

> My real problem is that clients are broadcasting passwords in the
> clear (despite pam being told to use md5 with ldap). I am assuming
> that is because the ldap server is using SSHA and pam is using md5 so
> they negotiate to send passwords in the clear. Does that sound right?

However - it has not solved this problem. The password is still being sent in the clear. I have /etc/ldap.conf including the line:

pam_password md5

I was hoping that it would ensure only hashed passwords would be sent to the FDS server. Any other ideas how to fix this?

Andy

> Thanks
> Andy
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Ville Silventoinen
2007-Mar-29 16:29 UTC
Re: [Fedora-directory-users] How to change password storage method?
On Thu, 29 Mar 2007, Andy Schofield wrote:

> I want the passwords for all Users in People to be stored in md5.
> Everything I have done (like selecting a user and "Managing passwords")
> leaves them in SSHA which is presumably some default.

You can change the default password storage scheme by modifying the cn=config passwordStorageScheme attribute. It should be in slapd-HOST/config/dse.ldif (look for "dn: cn=config"); if not, then you can add the attribute. You can also change it in the Console: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1086306

I don't think it affects passwords already stored, only new entries.

Hope this helps.

Ville
Pete Rowley
2007-Mar-29 17:38 UTC
Re: [Fedora-directory-users] How to change password storage method?
Andy Schofield wrote:

>> My real problem is that clients are broadcasting passwords in the
>> clear (despite pam being told to use md5 with ldap). I am assuming
>> that is because the ldap server is using SSHA and pam is using md5 so
>> they negotiate to send passwords in the clear. Does that sound right?
>>
>
> However - it has not solved this problem. The password is still being
> sent in the clear. I have /etc/ldap.conf including the line:
>

What you need is not a hashed password sent over the wire (which achieves very little) but an encrypted transport using SSL, or SASL and kerberos.

--
Pete
George Holbert
2007-Mar-29 18:13 UTC
Re: [Fedora-directory-users] How to change password storage method?
> However - it has not solved this problem. The password is still being
> sent in the clear. I have /etc/ldap.conf including the line:
>
> pam_password md5

pam_password controls how new passwords are hashed locally before updating an account's password attribute, i.e. when someone changes their password. If you want the hash setting on the server to always be honored, use "pam_password clear".

Comments from PADL's ldap.conf:

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

Pete Rowley wrote:
> Andy Schofield wrote:
>>> My real problem is that clients are broadcasting passwords in the
>>> clear (despite pam being told to use md5 with ldap). I am assuming
>>> that is because the ldap server is using SSHA and pam is using md5 so
>>> they negotiate to send passwords in the clear. Does that sound right?
>>>
>>
>> However - it has not solved this problem. The password is still being
>> sent in the clear. I have /etc/ldap.conf including the line:
>>
> What you need is not a hashed password sent over the wire (which
> achieves very little) but an encrypted transport using SSL, or SASL
> and kerberos.
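The two client-side settings discussed in this thread (pam_password, which only governs how a changed password is hashed before it is written, and the absence of any transport encryption) are easy to audit from a copy of /etc/ldap.conf. The following is an added example, not code from the thread or from PADL; it assumes the PADL nss_ldap/pam_ldap syntax of one "key value" directive per line with "#" comments, and it assumes the "uri" and "ssl" directives (values "on" and "start_tls"), which the thread itself does not mention. The sample configuration is constructed to match Andy's situation.

```python
"""Audit a PADL-style /etc/ldap.conf for the settings discussed in this thread.

Added example, not from the original thread. Assumes PADL ldap.conf syntax:
one "key value" directive per line, '#' starts a comment, later directives
override earlier ones. The "uri" and "ssl" directives are assumed; only
pam_password appears in the thread.
"""

# Constructed sample: pam_password md5 as in the thread, the default
# "pam_password clear" present only as a comment, no transport encryption.
SAMPLE_LDAP_CONF = """\
# LDAP client configuration (constructed sample)
uri ldap://ldap.example.com/
base dc=example,dc=com

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
pam_password md5
"""


def parse_ldap_conf(text):
    """Return {directive: value} for uncommented 'key value' lines.

    Commented-out directives such as '#pam_password clear' are ignored, so
    they do not count as configuration.
    """
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives[key] = value
    return directives


def effective_pam_password(directives):
    """pam_password defaults to 'clear' when absent, as PADL's comment says."""
    return directives.get("pam_password", "clear").lower()


def transport_is_encrypted(directives):
    """True if the client is configured for ldaps:// or START TLS (assumed keys)."""
    uri = directives.get("uri", "").lower()
    ssl = directives.get("ssl", "no").lower()
    return uri.startswith("ldaps://") or ssl in ("on", "start_tls")


def audit(text):
    """Return a list of findings; an empty list means nothing to flag."""
    directives = parse_ldap_conf(text)
    findings = []
    scheme = effective_pam_password(directives)
    if scheme != "clear":
        findings.append(
            f"pam_password {scheme}: new passwords are hashed client-side, so "
            "the server's passwordStorageScheme is bypassed on password change")
    if not transport_is_encrypted(directives):
        findings.append(
            "no ldaps:// URI and no 'ssl on'/'ssl start_tls': simple binds "
            "send the password in the clear regardless of pam_password")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDAP_CONF):
        print("-", finding)
```

Run against the constructed sample it reports both findings; against a file with "uri ldaps://..." (or "ssl start_tls") and "pam_password clear" it reports nothing, which is the state George and Pete are steering the thread toward.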
Andy Schofield
2007-Mar-29 18:28 UTC
Re: [Fedora-directory-users] How to change password storage method?
On Thu, 29 Mar 2007 10:38:05 -0700 Pete Rowley <prowley@redhat.com> wrote:

> > However - it has not solved this problem. The password is still
> > being sent in the clear. I have /etc/ldap.conf including the line:
> >
> What you need is not a hashed password sent over the wire (which
> achieves very little) but an encrypted transport using SSL, or SASL
> and kerberos.

Yes - I agree and I am working on getting SSL going. However, a hashed password is better than nothing surely. Even NIS didn't send passwords in the clear. But I see that the /etc/ldap.conf line I have been playing with only affects password updates and probably there is nothing I can do to prevent clear passwords apart from SSL. (Just as George points out)

Thanks
Andy

> --
> Pete
Pete Rowley
2007-Mar-29 18:45 UTC
Re: [Fedora-directory-users] How to change password storage method?
Andy Schofield wrote:

> However, a hashed password is better than nothing surely. Even NIS
> didn't send passwords in the clear.
>

Not from the DS point of view - if it accepts a hashed password in the bind then that is equivalent to the original password, so nothing is really achieved. It /may/ delay the ability of an attacker to log in to a machine using LDAP as the authentication mechanism, but md5 has known vulnerabilities in that regard and cannot be recommended.

--
Pete
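Two points in this thread are easiest to see with the hash in hand: Ville's note that passwordStorageScheme (SSHA by default) only affects newly stored values, and Pete's point that a bind must compare the cleartext password against the stored hash, so a hash sent instead of the password is either rejected or, if the server accepted it, is simply the password under another name. The code below is an added example, not code from the thread or from Fedora/389 Directory Server; it assumes the SSHA layout the server uses for userPassword, "{SSHA}" followed by base64(sha1(password || salt) || salt), and an 8-byte salt (the verifier accepts any salt length). The password and salt values are constructed.

```python
"""Generate and verify {SSHA} userPassword values and model a simple bind.

Added example, not from the thread or the directory server. Assumed layout:
"{SSHA}" + base64(sha1(password || salt) || salt), 8-byte random salt.
"""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest length in bytes; the salt is whatever follows it


def ssha_hash(password, salt=None):
    """Return a {SSHA} value suitable for a userPassword attribute."""
    if salt is None:
        salt = os.urandom(8)  # assumed salt length, see lead-in
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value.

    The salt is recovered from the stored value, the candidate digest is
    recomputed, and compared in constant time.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def simple_bind_check(stored, credential):
    """Server side of a simple bind: the credential the client supplied is
    treated as the cleartext password and verified against the stored hash.

    A client that sends the stored hash itself as its credential (the idea
    Andy hoped pam_password md5 would give him) fails this check, because the
    hash of the hash does not match. A server that instead compared the
    received string to the stored value directly would be accepting the hash
    as a password equivalent, which is Pete's objection.
    """
    return ssha_verify(credential, stored)


def rehash_entry(stored_value, cleartext):
    """Illustrate Ville's point: changing passwordStorageScheme does not touch
    existing values; an entry is re-stored under the current scheme only when
    its password is set again, which requires the cleartext.
    """
    if not ssha_verify(cleartext, stored_value):
        raise ValueError("cleartext does not match existing value")
    return ssha_hash(cleartext)


if __name__ == "__main__":
    # Constructed demo password and salt.
    stored = ssha_hash("correct horse", b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(stored)
    print("bind with password:", simple_bind_check(stored, "correct horse"))
    print("bind with hash    :", simple_bind_check(stored, stored))
```

The last two lines of the demo show the asymmetry the thread circles around: the cleartext binds, the hash does not, and the only way to protect the cleartext on its way to the server is the encrypted transport Pete recommends.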