On 01/22/2015 01:47 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jorick Astrego" <j.astrego@netbulae.eu>
>> To: users@ovirt.org
>> Sent: Thursday, January 22, 2015 2:30:30 PM
>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>
>>>>>> Just a couple of additions, please hash the password with SSHA (I really
>>>>>> hate
>>>>>> plain text admin passwords...)
>>>>>> I tried putting an {SSHA} encoded password in " vars.password =" , but
>>>>>> it
>>>>>> fails to authenticate while plain text works fine.
>>>>> I am unsure I understand.
>>>>> using hash to store password hint at server side makes sense.
>>>>> but using hash to store password at client side does not make sense, this
>>>>> means that if I get the server database I can authenticate to any user
>>>>> without knowing his password.
>>>>>
>>>>> Also, please note that the user you specify within configuration should
>>>>> not
>>>>> have any special privilege but to query public objects within ldap.
>>>> I don't like storing plain text in textfiles, so I try to avoid it. Even
>>>> if it is a read only user there are no "public" objects that I like to
>>>> expose to anyone. I can query groups, group members, e-mail addresses,
>>>> krbPasswordExpiration, krbLastPwdChange etc. with this user.
>>>>
>>>> So that's why I try to have the bind user password hashed in the
>>>> properties file.
>>> as I wrote above, storing hash instead of password does not enhance
>>> security.
>>> it is the same as if you just set the user's password to the hash.
>> Ah yes, silly me. You are absolutely
>> right. It has been such a long
>> habit... But it does help when people intercept the traffic.
> No it is not... exactly the opposite... if the hash is sent it is actually weaker than password, as it has lower diversity.
> If you wish you can enable digest-MD5 and use SASL, but still you must store the plain password at client side.
>
>> Does the
>> ldap plugin send it hashed to the ldap server?
>>
>> I think FreeIPA supports salted sha512 but I'm not entirely sure.
>>
>> You'll probably say that I need to enable TLS, but there have been many
>> weaknesses in ssl and MITM issues. So more is always better in a
>> security perspective.
>>
> Using plain protocol will always be weaker than using TLS, even if you use digest-MD5, kerberos or any other challenge-response mechanism.
> As the password must be kept at client side no matter what protocol you use, using TLS and simple bind is the minimum you can have.
> I believe that TLS + simple bind is sufficient for most usages for a user that has no special access to information.
> From my experience enabling SASL does have its issues, but you may want to check it out if you do not trust TLS, but even if you use SASL, better to use it over TLS.
>
> Alon

Thanks for clarifying!
So I was taught wrong all these years ago ;-)

Met vriendelijke groet, With kind regards,

Jorick Astrego

Netbulae Virtualization Experts
----------------
Tel: 053 20 30 270    info@netbulae.eu    Staalsteden 4-3A    KvK 08198180
Fax: 053 20 30 271    www.netbulae.eu     7547 TA Enschede    BTW NL821234584B01
----------------
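The exchange above, modelled in code. This is an added example and is not part of the thread, nor code from oVirt or FreeIPA; it is a toy server-side check of an LDAP userPassword attribute stored in the {SSHA} and {SSHA512} salted-digest layouts (digest of password||salt, followed by the salt, base64 encoded), plus a simulated simple bind. The account DN, the sample password and the function names (make_userpassword, check_userpassword, simple_bind, demo) are assumptions for illustration. It shows the two points Alon makes: a "{SSHA}..." string placed in vars.password fails to bind, because the server re-hashes whatever it receives and compares that with the stored digest; and if you work around that by setting the account's password to the hash string, the bind succeeds but the configuration file once again contains a value that authenticates on its own, so nothing about storing it got safer.

```python
"""Added example (not from the ovirt-users thread, oVirt or FreeIPA):
a minimal model of an LDAP simple bind against a salted-digest userPassword.
Function names, the sample DN and the sample password are assumptions."""
import base64
import hashlib
import hmac
import os

# Scheme name -> digest. {SSHA} is SHA-1 + salt, the common LDAP convention;
# {SSHA512} uses the same layout with SHA-512.
_SCHEMES = {"SSHA": hashlib.sha1, "SSHA512": hashlib.sha512}


def make_userpassword(password: str, scheme: str = "SSHA", salt: bytes = b"") -> str:
    """Build a userPassword value: {SCHEME}base64(digest(password || salt) || salt)."""
    digest = _SCHEMES[scheme]
    if not salt:
        salt = os.urandom(8)
    raw = digest(password.encode("utf-8") + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def check_userpassword(stored: str, candidate: str) -> bool:
    """Server-side check: re-hash the received candidate with the stored salt.

    The server never 'recognises' a pre-hashed candidate; it always hashes
    the bytes it got and compares digests in constant time."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    digest = _SCHEMES.get(scheme)
    if digest is None:
        return False
    raw = base64.b64decode(b64)
    dlen = digest().digest_size
    expected, salt = raw[:dlen], raw[dlen:]
    got = digest(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, got)


def simple_bind(directory: dict, bind_dn: str, client_secret: str) -> bool:
    """What an LDAP simple bind amounts to once the client's secret reaches the server."""
    stored = directory.get(bind_dn)
    return stored is not None and check_userpassword(stored, client_secret)


def demo() -> dict:
    """The two situations argued in the thread, as the server sees them."""
    plain = "correct horse battery staple"            # constructed sample password
    bind_dn = "uid=ovirt-bind,cn=users,cn=accounts,dc=example,dc=com"  # assumed DN
    directory = {bind_dn: make_userpassword(plain, "SSHA512")}

    # (1) Config holds "{SSHA}..." while the directory holds the real password:
    #     the server hashes the received string, which is not the password,
    #     so the bind fails. This is what the original poster observed.
    prehashed = make_userpassword(plain, "SSHA")
    prehashed_binds = simple_bind(directory, bind_dn, prehashed)

    # (2) Work around it by setting the account's password *to* the hash string:
    #     the bind now succeeds, but the config file again holds the complete
    #     bind secret. Anyone who reads the file binds with it unchanged.
    directory[bind_dn] = make_userpassword(prehashed, "SSHA512")
    hash_as_password_binds = simple_bind(directory, bind_dn, prehashed)

    return {
        "prehashed_value_binds": prehashed_binds,          # False
        "hash_set_as_password_binds": hash_as_password_binds,  # True
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence is the one Alon states: the client must hold a usable bind secret, so protect the properties file with file permissions and a least-privilege bind account, and put the transport under TLS so the secret is not exposed on the wire.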