On 01/22/2015 01:47 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jorick Astrego" <j.astrego@netbulae.eu>
>> To: users@ovirt.org
>> Sent: Thursday, January 22, 2015 2:30:30 PM
>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>
>>>>>> Just a couple of additions, please hash the password with SSHA (I really hate plain text admin passwords...)
>>>>>> I tried putting an {SSHA} encoded password in " vars.password =" , but it fails to authenticate while plain text works fine.
>>>>> I am unsure I understand.
>>>>> Using a hash to store the password hint at server side makes sense.
>>>>> But using a hash to store the password at client side does not make sense; this means that if I get the server database I can authenticate as any user without knowing his password.
>>>>>
>>>>> Also, please note that the user you specify within the configuration should not have any special privilege but to query public objects within ldap.
>>>> I don't like storing plain text in text files, so I try to avoid it. Even if it is a read-only user there are no "public" objects that I like to expose to anyone. I can query groups, group members, e-mail addresses, krbPasswordExpiration, krbLastPwdChange etc. with this user.
>>>>
>>>> So that's why I try to have the bind user password hashed in the properties file.
>>> As I wrote above, storing a hash instead of the password does not enhance security.
>>> It is the same as if you just set the user's password to the hash.
>> Ah yes, silly me. You are absolutely right. It has been such a long habit... But it does help when people intercept the traffic.
> No it is not... exactly the opposite... if the hash is sent it is actually weaker than the password, as it has lower diversity.
> If you wish you can enable digest-MD5 and use SASL, but still you must store the plain password at client side.
>
>> Does the ldap plugin send it hashed to the ldap server?
>>
>> I think FreeIPA supports salted sha512 but I'm not entirely sure.
>>
>> You'll probably say that I need to enable TLS, but there have been many weaknesses in ssl and MITM issues. So more is always better from a security perspective.
>>
> Using a plain protocol will always be weaker than using TLS, even if you use digest-MD5, kerberos or any other challenge-response mechanism.
> As the password must be kept at client side no matter what protocol you use, using TLS and simple bind is the minimum you can have.
> I believe that TLS + simple bind is sufficient for most usages for a user that has no special access to information.
> From my experience enabling SASL does have its issues, but you may want to check it out if you do not trust TLS; but even if you use SASL, better to use it over TLS.
>
> Alon
Thanks for clarifying! So I was taught wrong all these years ago ;-)
With kind regards,

Jorick Astrego

Netbulae Virtualization Experts
----------------
Tel: 053 20 30 270    info@netbulae.eu    Staalsteden 4-3A    KvK 08198180
Fax: 053 20 30 271    www.netbulae.eu     7547 TA Enschede    BTW NL821234584B01
----------------
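Added example (not from the thread, and not oVirt or FreeIPA code): a small Python model of the {SSHA} userPassword scheme Jorick tried to put in vars.password, with a correctly implemented simple bind placed beside the "treat the stored hash as the secret" scheme Alon warns against. The {SSHA} layout (base64 of sha1(password || salt) || salt, the RFC 2307 / OpenLDAP convention, also used by the 389 Directory Server that FreeIPA builds on) is real; the bind DN, password, salt and the directory dictionary are constructed for the example and are not taken from any oVirt or FreeIPA setup.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes of SHA-1 digest that precede the salt in an {SSHA} value


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a userPassword value as {SSHA}: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Server-side check: re-hash the presented plaintext with the stored salt."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)


# Constructed sample directory: exactly what a thief of the server database holds.
# The DN, password and salt are hypothetical; the salt is fixed for reproducibility.
BIND_DN = "uid=ovirt-search,cn=users,cn=accounts,dc=example,dc=test"
BIND_PASSWORD = "correct horse"
DIRECTORY: Dict[str, str] = {
    BIND_DN: make_ssha(BIND_PASSWORD, salt=bytes(range(1, 9))),
}


def simple_bind(dn: str, credential: str) -> bool:
    """A correctly implemented simple bind: the credential is plaintext and is hashed
    on the server, so the stored {SSHA} string itself is useless as a credential."""
    stored = DIRECTORY.get(dn)
    return stored is not None and verify_ssha(stored, credential)


def hash_as_secret_bind(dn: str, credential: str) -> bool:
    """The scheme the thread warns against: the client sends the stored string and the
    server compares it verbatim, i.e. the stored value *is* the secret."""
    stored = DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored, credential)


def eavesdrop_and_replay(bind, dn: str, credential: str) -> bool:
    """Cleartext LDAP without TLS: a passive on-path attacker sees the bind request
    verbatim and simply sends it again. This works the same for a password and for a
    hash, which is why 'sending the hash' buys nothing against interception."""
    captured = credential
    return bind(dn, captured)


def demo() -> Dict[str, bool]:
    """Outcomes for the cases discussed in the thread; every value should be True."""
    stored = DIRECTORY[BIND_DN]
    return {
        # plaintext in vars.password works against a real server
        "plain_works": simple_bind(BIND_DN, BIND_PASSWORD),
        # the {SSHA} string in vars.password fails, as Jorick observed
        "hash_in_config_fails": not simple_bind(BIND_DN, stored),
        # under the hash-as-secret scheme the database contents alone log you in
        "db_thief_logs_in": hash_as_secret_bind(BIND_DN, stored),
        # "the same as if you just set the user's password to the hash"
        "same_as_password_set_to_hash": verify_ssha(make_ssha(stored), stored),
        # without TLS, whatever the client sends replays verbatim, hash or not
        "replay_password": eavesdrop_and_replay(simple_bind, BIND_DN, BIND_PASSWORD),
        "replay_hash": eavesdrop_and_replay(hash_as_secret_bind, BIND_DN, stored),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30s} {outcome}")
```

The point of the two bind functions is that the client-side secret is whatever string the server compares against: hashing it in the properties file only changes which string that is. What actually protects the bind credential is the transport (TLS, or at least a challenge-response SASL mechanism over TLS) and limiting what the search user may read, not the encoding of the value in the file.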