[PROPOSAL] Add tests for supplementalCredentials, store other hash types

Stefan Metzmacher metze at samba.org
Wed Apr 5 13:43:39 UTC 2017 

Am 05.04.2017 um 12:49 schrieb Andrew Bartlett:
> On Wed, 2017-04-05 at 07:58 +1200, Andrew Bartlett via samba-technical
> wrote:
>> On Tue, 2017-04-04 at 10:24 +0200, Stefan Metzmacher via samba-
>> technical wrote:
>>> Am 04.04.2017 um 10:17 schrieb Stefan Metzmacher via samba-
>>> technical:
>>>>
>> RFC2307 says:
>> userPassword values MUST be represented by following syntax:
>>
>>         passwordvalue          = schemeprefix encryptedpassword
>>         schemeprefix           = "{" scheme "}"
>>         scheme                 = "crypt" / "md5" / "sha" / altscheme
>>         altscheme              = "x-" keystring
>>         encryptedpassword      = encrypted password
>>
>> The names {SHA256}, {SHA512} are 'altscheme' in this pattern, and
>> match
>> what is used in OpenLDAP for the password-hash parameter.  BTW, I'm
>> particularly interested in extending this to {ARGON2}, which OpenLDAP
>> is looking to move to. 

Ok, I didn't noticed that OpenLDAP really supports {SHA512},
{SSHA512} and similar once.

>> Additionally, if we make the scheme name {CRYPT}, it makes storing
>> multiple values more difficult (that name was what we were using for
>> the uniqueness).  
>>
>> On the flip side, if libc is moving faster than Samba, it allows an
>> option like OpenLDAP's
>>
>> password-crypt-salt-format "$1$%.8s"
>>
>> to access a new hash via crypt().  However this feels overly complex.
>>
>> As we already have SHA512 and SHA256 specified in your password sync
>> tools, I would like to keep those unambiguously handled using those
>> names. 
>>
>>>> Maybe a configuration like this:
>>>>
>>>> password hash openldap schemes =
>>>> or
>>>> password hash userpassword schemes =
>>>>
>>>>    {CRYPT}:alg=5:round=1500 {SSHA} {CRYPT}:alg=6
>>
>> At this stage we are trying to get a base implementation in.  I don't
>> mind it being extended to be a multi-valued parameter, but we are
>> trying to start with just one. 
> 
> I shouldn't have been so negative on this.  Gary has extended it in his
> branch to be multi-valued.

Thanks!

> No tests yet, and for now I think the
> 'rounds' parameter can apply equally to all the SHA* methods.

Are we sure it's supported everywhere?
An admin might need to export the hashes into different external
directories.

> On the other side, I'm still not a fan of generic {CRYPT}.  While
> shoehorned into the same interface, each new method takes a different
> set of arguments and needs a different length of salt.  OpenLDAP
> permits the user to supply a printf string to allow that.  I've put a
> user-controlled printf into Samba once before, but I still feel bad
> about it and don't want to repeat it. 

Yes, we can't allow printf style things.

>> In terms of how other software performs the configuration, I'll note:
>>
>> https://linux.die.net/man/8/pam_unix
>>
>> Here the algorithms are hard coded.  This is nice and easy for the
>> administrator to understand, rather than alg=5.  
>>
>>> Or "CryptSHA256:round=1500 SSHA CryptSHA512
>>> CryptSHA512:round=5000",
>>> in which cases if matches more what we have in 'samba-tool user
>>> getpassword',
>>> but then remove the the reference to RFC2307 from the docs.
>>
>> I don't see a need to remove the reference, as long as we use
>> {SHA512}
>> etc, as we also reference OpenLDAP's interpretation of that. 
>>
>>> If you add the magic with specifying 'round', please try to find a
>>> way
>>> to also add it to
>>> samba-tool user getpassword
>>
>> Passwords are complex, my strong preference is to keep this simple,
>> whatever we do.
> 
> Thanks for your feedback, and I'm sorry for being so negative this
> morning.  We will get something pretty great here, I'm sure!

Yes, but it will take some time, as we should have a solid format
for the database records as well a solid way to configure it.
Once we added it we can't change it anymore without major pain.

I'll try to comment more detailed in the next days,
but today I already spent quite some time with the tdb locking problem.

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170405/fa609f32/signature.sig>

More information about the samba-technical mailing list