[ovirt-users] oVirt 3.5 and FreeIpa
Jorick Astrego
j.astrego at netbulae.eu
Thu Jan 22 13:13:59 UTC 2015
On 01/22/2015 01:47 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jorick Astrego" <j.astrego at netbulae.eu>
>> To: users at ovirt.org
>> Sent: Thursday, January 22, 2015 2:30:30 PM
>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>
>>>>>> Just a couple of addtions, please hash the password with SSHA (I really
>>>>>> hate
>>>>>> plain text admin passwords...)
>>>>>> I tried putting an {SSHA} encoded password in " vars.password =" , but
>>>>>> it
>>>>>> fails to authenticate while plain text works fine.
>>>>> I am unsure I understand.
>>>>> using hash to store password hint at server side makes sense.
>>>>> but using hash to store password at client side does not makes sens, this
>>>>> means that if I get the server database I can authenticate to any user
>>>>> without knowing his password.
>>>>>
>>>>> Also, please note that the user you specify within configuration should
>>>>> not
>>>>> have any special privilege but to query public objects within ldap.
>>>> I don't like storing plain text in textfiles, so I try to avoid it. Even
>>>> if it is a read only user there are no "public" objects that I like to
>>>> expose to anyone. I can query groups, group members, e-mail addresses,
>>>> krbPasswordExpiration, krbLastPwdChange etc. with this user.
>>>>
>>>> So that's why I try to have the bind user password hashed in the
>>>> properties file.
>>> as I wrote above, storing hash instead of password does not enhance
>>> security.
>>> it is the same as if you just set the user's password to the hash.
>> Ah yes, silly me. You are absolutely
>> right. It has been such a long
>> habit... But it does help when people intercept the traffic.
> No it is not... exactly the opposite... if the hash is sent it is actually weaker than password, as it has lower diversity.
> If you wish you can enable digest-MD5 and use SASL, but still you must store the plain password at client side.
>
>> Does the
>> ldap plugin send it hashed to the ldap server?
>>
>> I think FreeIPA supports salted sha512 but I'm not entirely sure.
>>
>> You'll probably say that I need to enable TLS, but there have been many
>> weaknesses in ssl and MITM issues. So more is always better in a
>> security perspective.
>>
> Using plain protocol will always be weaker than using TLS, even if you use digest-MD5, kerberos or any other challenge-response mechanism.
> As the password must be kept at client side no mater what protocol you use, using TLS and simple bind is the minimum you can have.
> I believe that TLS + simple bind is sufficient for most usages for a user that has no special access to information.
> From my experience enabling SASL does have its issues, but you may want to check it out if you do not trust TLS, but even if you use SASL, better to use it over TLS.
>
> Alon
Thanks for clarifying! So I was thought wrong all these years ago ;-)
Met vriendelijke groet, With kind regards,
Jorick Astrego
Netbulae Virtualization Experts
----------------
Tel: 053 20 30 270 info at netbulae.eu Staalsteden 4-3A KvK 08198180
Fax: 053 20 30 271 www.netbulae.eu 7547 TA Enschede BTW NL821234584B01
----------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20150122/3390612b/attachment-0001.html>
More information about the Users
mailing list