Fedora directory users - Mar 2007 - How to change password storage method?

I must be missing something here but I tried following the instructions
here
http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html
but to no avail. 

I want the passwords for all Users in People to be stored in md5.
Everything I have done (like selecting a user and "Managing passwords"
leaves them in SSHA which is presumably some default.

My real problem is that clients are broadcasting passwords in the clear
(despite pam being told to use md5 with ldap). I am assuming that is
because the ldap server is using SSHA and pam is using md5 so they
negotiate to send passwords in the clear. Does that sound right?

Thanks 
Andy

On Thu, 29 Mar 2007 16:09:00 +0100
Andy Schofield <ajs@th.ph.bham.ac.uk> wrote:
 
> 
> I want the passwords for all Users in People to be stored in md5.
> Everything I have done (like selecting a user and "Managing
passwords"
> leaves them in SSHA which is presumably some default.
Sorry - found it in the manual

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672
> 
> My real problem is that clients are broadcasting passwords in the
> clear (despite pam being told to use md5 with ldap). I am assuming
> that is because the ldap server is using SSHA and pam is using md5 so
> they negotiate to send passwords in the clear. Does that sound right?
However - it has not solved this problem. The password is still being
sent in the clear. I have /etc/ldap.conf including the line:

pam_password md5

I was hoping that it ensure only hashed passwords would be sent to the
FDS server. Any other ideas how to fix this?

Andy
> 
> Thanks 
> Andy
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

On Thu, 29 Mar 2007, Andy Schofield wrote:
> I want the passwords for all Users in People to be stored in md5.
> Everything I have done (like selecting a user and "Managing
passwords"
> leaves them in SSHA which is presumably some default.
You can change the default password storage scheme by modifying cn=config 
passwordStorageScheme attribute. It should be in 
slapd-HOST/config/dse.ldif (look for "dn: cn=config"), if not then you
can
add the attribute.

You can also change it in the Console:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1086306

I don''t think it affects passwords already stored, only new entries.

Hope this helps.

Ville

Andy Schofield wrote:
>> My real problem is that clients are broadcasting passwords in the
>> clear (despite pam being told to use md5 with ldap). I am assuming
>> that is because the ldap server is using SSHA and pam is using md5 so
>> they negotiate to send passwords in the clear. Does that sound right?
>>     
>
> However - it has not solved this problem. The password is still being
> sent in the clear. I have /etc/ldap.conf including the line:
>   
What you need is not a hashed password sent over the wire (which 
achieves very little) but an encrypted transport using SSL, or SASL and 
kerberos.

-- 
Pete

>
> However - it has not solved this problem. The password is still being
> sent in the clear. I have /etc/ldap.conf including the line:
>
> pam_password md5
pam_password controls how new passwords are hashed locally before 
updating an account''s password attribute, i.e. when someone changes 
their password.

If you want the hash setting on the server to always be honored, use 
"pam_password clear".

Comments from PADL''s ldap.conf:

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear



Pete Rowley wrote:
> Andy Schofield wrote:
>>> My real problem is that clients are broadcasting passwords in the
>>> clear (despite pam being told to use md5 with ldap). I am assuming
>>> that is because the ldap server is using SSHA and pam is using md5
so
>>> they negotiate to send passwords in the clear. Does that sound
right?
>>>     
>>
>> However - it has not solved this problem. The password is still being
>> sent in the clear. I have /etc/ldap.conf including the line:
>>   
> What you need is not a hashed password sent over the wire (which 
> achieves very little) but an encrypted transport using SSL, or SASL 
> and kerberos.
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

On Thu, 29 Mar 2007 10:38:05 -0700
Pete Rowley <prowley@redhat.com> wrote:
> > However - it has not solved this problem. The password is still
> > being sent in the clear. I have /etc/ldap.conf including the line:
> >   
> What you need is not a hashed password sent over the wire (which 
> achieves very little) but an encrypted transport using SSL, or SASL
> and kerberos.
Yes - I agree and I am working on getting SSL going.

However, a hashed password is better than nothing surely. Even NIS
didn''t sent passwords in the clear. 

But I see that the /etc/ldap.conf line I have been playing with only
affects password updates and probably there is nothing I can do to
prevent clear passwords apart from SSL. (Just as George points out)

Thanks
Andy
> 
> -- 
> Pete
>

Andy Schofield wrote:
> However, a hashed password is better than nothing surely. Even NIS
> didn''t sent passwords in the clear. 
>   
Not from the DS point of view - if it accepts a hashed password in the 
bind then that is equivalent to the original password, so nothing is 
really achieved. It /may/ delay the ability of an attacker to log in to 
a machine using LDAP as the authentication mechanism, but md5 has known 
vulnerabilities in that regard and cannot be recommended.

-- 
Pete