IETF Logo Mail Archive

Re: [ldapext] draft-stroeder-hashed-userpassword-values-01

Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no> Sat, 16 March 2013 03:54 UTC

Return-Path: <hbf@ulrik.uio.no>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E6041F0D0F for <ldapext@ietfa.amsl.com>; Fri, 15 Mar 2013 20:54:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M2JRAyRqexgO for <ldapext@ietfa.amsl.com>; Fri, 15 Mar 2013 20:54:26 -0700 (PDT)
Received: from mail-out1.uio.no (mail-out1.uio.no [IPv6:2001:700:100:10::57]) by ietfa.amsl.com (Postfix) with ESMTP id AFA0B21F8945 for <ldapext@ietf.org>; Fri, 15 Mar 2013 20:54:25 -0700 (PDT)
Received: from mail-mx3.uio.no ([129.240.10.44]) by mail-out1.uio.no with esmtp (Exim 4.75) (envelope-from <hbf@ulrik.uio.no>) id 1UGiCO-00067j-Gp; Sat, 16 Mar 2013 04:54:24 +0100
Received: from bombur.uio.no ([129.240.6.233]) by mail-mx3.uio.no with esmtp (Exim 4.80) (envelope-from <hbf@ulrik.uio.no>) id 1UGiCO-0005g5-2H; Sat, 16 Mar 2013 04:54:24 +0100
Received: by bombur.uio.no (Postfix, from userid 2112) id 4337B562; Sat, 16 Mar 2013 04:54:22 +0100 (CET)
From: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <hbf.20130316lv63@bombur.uio.no>
Date: Sat, 16 Mar 2013 04:54:22 +0100
To: Michael Ströder <michael@stroeder.com>
In-Reply-To: <51439BCF.3080802@stroeder.com>
References: <5103F924.2070800@stroeder.com> <CABBgLkcnK7WfthFOBD5Esfz+g1izcKoGgtxzKKDntc0i=E7LOQ@mail.gmail.com> <510782A6.7050209@stroeder.com> <3ED81CD8-59DA-482E-8AFA-C68E53A62067@isode.com> <51410020.4020800@stroeder.com> <20130315125326.GA22595@slab.skills-1st.co.uk> <51439BCF.3080802@stroeder.com>
X-Mailer: VM 8.2.0a under 23.1.1 (x86_64-redhat-linux-gnu)
X-UiO-Ratelimit-Test: rcpts/h 6 msgs/h 2 sum rcpts/h 7 sum msgs/h 3 total rcpts 242 max rcpts/h 12 ratelimit 0
X-UiO-Spam-info: not spam, SpamAssassin (score=-5.6, required=5.0, autolearn=disabled, RP_MATCHES_RCVD=-0.552, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO)
X-UiO-Scanned: CDA2D7FD9A47A98F0E4D9846820957A377BDB041
X-UiO-SPAM-Test: remote_host: 129.240.6.233 spam_score: -55 maxlevel 80 minaction 1 bait 0 mail/h: 2 total 373 max/h 10 blacklist 0 greylist 1 ratelimit 0
Cc: ldap@umich.edu, Andrew Findlay <andrew.findlay@skills-1st.co.uk>, ldapext@ietf.org
Subject: Re: [ldapext] draft-stroeder-hashed-userpassword-values-01
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2013 03:54:27 -0000

I'm not convinced that this much detail is useful, but anyway:

You can document existing practice and recommend what implementations'
practice ought to be, but should say that the implementation's doc is
authoritative.  What implementations have you surveyed for that
existing practice?

If we generate 'userPassword's which this document says is OK but the
implementation does not support, then Bind can break in interesting
ways.  So users MUST NOT trust this document if the implementation
differs, which they must read the implementation doc to discover.

E.g. some implementation might have a scheme {SSHA} with a different
syntax like <hash "$" salt>.  Or:

>   Implementations MUST be prepared of handling field salt of arbitrary
>   length.

Who wants megabyte-sized salts?  It seems reasonable for the
implementation to set some arbitrary limit.  Both for convenience
and because you could do a DoS attack by setting a huge salt and
repeatedly Bind, forcing the server to hash a large value often.

================

Unix crypt(3):

This is a function, not a library.  Drop the 3 since non-Unix people
will wonder why we're passing 3 to the function.

The definition should boil down to "whatever crypt() returns on this
host", which is no more yucky than the notes above other schemes:-)
Perhaps less so since there's no point in giving a syntax, crypt()
should be used to both generate the hash and verify a password.

Please and add a reference to the quite general definition in the
Single Unix Specification at <http://www.unix.org/online.html>
functions/crypt.html.  It's free, but you must register to read it.

================

An EXAMPLES section with the same value and hash in different schemes
would be useful - including Linux {crypt}$1$ (salted MD5) and {SMD5}.

================

>>    Any value which do not adhere to this syntax MAY be treated as
>>    clear-text password (...)
>
> I know that this sounds kinda problematic but what is the actual risk?

Umm... The reason we use hashes at all is that if someone knows the
attribute value, he can't just type it in and Bind with it.

Please add the {CLEARTEXT} scheme from OpenLDAP for this purpose.
RECOMMEND that servers are configured to not recognize userPassword
values without a scheme.  And maybe that this config is the default.

================

>> There's no reason someone can't come along and use an unconstrained
>> octet string after the scheme, if they really want to.
>
> Yes. But this would just be another scheme to be defined somewhere
> else.  This draft does not claim to cover everything you could ever
> stuff into 'userPassword'.

Yes it does.  The sentence
   "userPassword values MUST be represented by following syntax:"
claims to cover everything you could ever stuff into 'userPassword',
and thus that anything using different userPassword syntax is invalid.
That is wrong for schemes like {CRYPT} with different syntax, and
for servers which treat "{scheme}foo" as a cleartext password.

Instead you can say:
- Generally, syntax "{" scheme "}" scheme-parameters / cleartext pw
  like someone said.  Leave scheme-parameters unspecified.
- [The following listed schemes] share [the following more specific
  scheme-parameters definition].

Note that scheme-parameters need not involve a hashing or a password.
In OpenLDAP, {CLEARTEXT} does not hash.  I think {SASL} need not
encode the password either, just tell SASL where to find auth info.

================

The draft can RECOMMEND that clients avoid needing to know anything
about password formats by using the Password Modify operation (RFC
3062) when feasible.

Provided the server will then hash the password if it is stored in
userPassword, anyway.  Which it hopefully will.  But RFC 3062 says
nothing about hashing in that case.  Should it be updated to do so?

Use cases at our site for generating {scheme}hash:
- Importing user info including userPassword from the SQL user
  database - which does not keep the cleartext passwords.
- Multiple passwords in one entry, typically during the transition
  when changing the password for an LDAP service DN.

MUST userPassword in an object class may be broken, but RFC 1274
defines simpleSecurityObject (AUXILIARY MUST userPassword) anyway.
For use with classes like 'account' which lack userPassword.  Might
be about time to define simpleSecurityObject2 using 'MAY' instead.

-- 
Hallvard

v2.23.0 | Report a Bug | By Email