<html>
<body>
<br>
On 01/22/2015 01:47 PM, Alon Bar-Lev wrote: <br>
<font color="#000000">> </font><br>
<font color="#000000">> ----- Original Message ----- </font><br>
<font color="#000000">>> From: "Jorick Astrego" <j.astrego@<a href="mailto:netbulae.eu">netbulae.eu</a>> </font><br>
<font color="#000000">>> To: users@<a href="mailto:ovirt.org">ovirt.org</a> </font><br>
<font color="#000000">>> Sent: Thursday, January 22, 2015 2:30:30 PM </font><br>
<font color="#000000">>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa </font><br>
<font color="#000000">>> </font><br>
<font color="#000000">>>>>>> Just a couple of addtions, please hash the password with SSHA (I really </font><br>
<font color="#000000">>>>>>> hate </font><br>
<font color="#000000">>>>>>> plain text admin passwords...) </font><br>
<font color="#000000">>>>>>> I tried putting an {SSHA} encoded password in " vars.password =" , but </font><br>
<font color="#000000">>>>>>> it </font><br>
<font color="#000000">>>>>>> fails to authenticate while plain text works fine. </font><br>
<font color="#000000">>>>>> I am unsure I understand. </font><br>
<font color="#000000">>>>>> using hash to store password hint at server side makes sense. </font><br>
<font color="#000000">>>>>> but using hash to store password at client side does not makes sens, this </font><br>
<font color="#000000">>>>>> means that if I get the server database I can authenticate to any user </font><br>
<font color="#000000">>>>>> without knowing his password. </font><br>
<font color="#000000">>>>>> </font><br>
<font color="#000000">>>>>> Also, please note that the user you specify within configuration should </font><br>
<font color="#000000">>>>>> not </font><br>
<font color="#000000">>>>>> have any special privilege but to query public objects within ldap. </font><br>
<font color="#000000">>>>> I don't like storing plain text in textfiles, so I try to avoid it. Even </font><br>
<font color="#000000">>>>> if it is a read only user there are no "public" objects that I like to </font><br>
<font color="#000000">>>>> expose to anyone. I can query groups, group members, e-mail addresses, </font><br>
<font color="#000000">>>>> krbPasswordExpiration, krbLastPwdChange etc. with this user. </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> So that's why I try to have the bind user password hashed in the </font><br>
<font color="#000000">>>>> properties file. </font><br>
<font color="#000000">>>> as I wrote above, storing hash instead of password does not enhance </font><br>
<font color="#000000">>>> security. </font><br>
<font color="#000000">>>> it is the same as if you just set the user's password to the hash. </font><br>
<font color="#000000">>> Ah yes, silly me. You are absolutely </font><br>
<font color="#000000">>> right. It has been such a long </font><br>
<font color="#000000">>> habit... But it does help when people intercept the traffic. </font><br>
<font color="#000000">> No it is not... exactly the opposite... if the hash is sent it is actually weaker than password, as it has lower diversity. </font><br>
<font color="#000000">> If you wish you can enable digest-MD5 and use SASL, but still you must store the plain password at client side. </font><br>
<font color="#000000">> </font><br>
<font color="#000000">>> Does the </font><br>
<font color="#000000">>> ldap plugin send it hashed to the ldap server? </font><br>
<font color="#000000">>> </font><br>
<font color="#000000">>> I think FreeIPA supports salted sha512 but I'm not entirely sure. </font><br>
<font color="#000000">>> </font><br>
<font color="#000000">>> You'll probably say that I need to enable TLS, but there have been many </font><br>
<font color="#000000">>> weaknesses in ssl and MITM issues. So more is always better in a </font><br>
<font color="#000000">>> security perspective. </font><br>
<font color="#000000">>> </font><br>
<font color="#000000">> Using plain protocol will always be weaker than using TLS, even if you use digest-MD5, kerberos or any other challenge-response mechanism. </font><br>
<font color="#000000">> As the password must be kept at client side no mater what protocol you use, using TLS and simple bind is the minimum you can have. </font><br>
<font color="#000000">> I believe that TLS + simple bind is sufficient for most usages for a user that has no special access to information. </font><br>
<font color="#000000">> From my experience enabling SASL does have its issues, but you may want to check it out if you do not trust TLS, but even if you use SASL, better to use it over TLS. </font><br>
<font color="#000000">> </font><br>
<font color="#000000">> Alon </font><br>
Thanks for clarifying! So I was thought wrong all these years ago ;-) <br>
<br>
<br>
<br>
<br>
<BR />
<BR />
<b style="color:#604c78"></b><br><span style="color:#604c78;"><font color="000000"><span style="mso-fareast-language:en-gb;" lang="NL">Met vriendelijke groet, With kind regards,<br><br></span>Jorick Astrego</font></span><b style="color:#604c78"><br><br>Netbulae Virtualization Experts </b><br><hr style="border:none;border-top:1px solid #ccc;"><table style="width: 522px"><tbody><tr><td style="width: 130px;font-size: 10px">Tel: 053 20 30 270</td> <td style="width: 130px;font-size: 10px">info@netbulae.eu</td> <td style="width: 130px;font-size: 10px">Staalsteden 4-3A</td> <td style="width: 130px;font-size: 10px">KvK 08198180</td></tr><tr> <td style="width: 130px;font-size: 10px">Fax: 053 20 30 271</td> <td style="width: 130px;font-size: 10px">www.netbulae.eu</td> <td style="width: 130px;font-size: 10px">7547 TA Enschede</td> <td style="width: 130px;font-size: 10px">BTW NL821234584B01</td></tr></tbody></table><br><hr style="border:none;border-top:1px solid #ccc;"><BR />
</body>
</html>