
[RFE] pbkdf2 hardcoded parameters should be turned into configuration options


    • Type: Story
    • Resolution: Done-Errata
    • Priority: Normal
    • rhel-10.0
    • 389-ds-base
    • 389-ds-base-3.0.6-1.el10
    • rhel-idm-ds
    • ssg_idm
    • Enhancement
      .Now you can configure hashing iterations values in PBKDF2-* Password Storage Schemes plug-in entries

      Before this update, the number of hashing iterations was hardcoded (`10000`) for all PBKDF2-* entries of the Password Storage Schemes plug-in. With this update, the hashing iterations value is now configured by using the new `nsslapd-pwdpbkdf2numiterations` attribute that is `100000` by default.

      You can configure `nsslapd-pwdpbkdf2numiterations` by using the command line or the web console.

      For example, to set the value to `150000` and see the current value in different password storage schemes, run:

      [subs="+quotes"]
      ----
      # *dsconf __<instance_name>__ plugin pwstorage-scheme __pbkdf2-sha512__ set-num-iterations __150000__*
      # *dsconf __<instance_name>__ plugin pwstorage-scheme __pbkdf2-sha512__ get-num-iterations*
      ----

      In the web console, go to menu:[Database -> Password Policies -> Global Policy] to configure hashing iterations.

      Consider the following before changing the default value:

      * Existing password hashes keep the iteration count they were created with until the passwords are changed.
      * A higher iteration count makes every BIND operation more expensive and can affect performance.
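The two caveats above follow from how PBKDF2 hashes are stored: the iteration count is recorded with each hash, so raising `nsslapd-pwdpbkdf2numiterations` does not touch existing hashes, and a larger count makes each verification (and therefore each BIND) slower. The following Python example is added here and is not code from the 389-ds project; it uses the standard library's `hashlib.pbkdf2_hmac` to hash under the old hardcoded count (10000) and the new default (100000), verifies each hash with whichever count it records, flags hashes still below the current setting, and measures the verification cost. The `{PBKDF2-SHA512}iterations$salt$digest` encoding and all helper names are assumptions made for this example, not the 389-ds on-disk format.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Added example (not 389-ds code). The iteration counts mirror the release note:
# 10000 was the hardcoded value before the update, 100000 is the default of the
# new nsslapd-pwdpbkdf2numiterations attribute.
OLD_DEFAULT_ITERATIONS = 10_000
NEW_DEFAULT_ITERATIONS = 100_000

# Assumed, illustrative encoding: "{PBKDF2-SHA512}iterations$salt$digest".
# This is NOT the 389-ds storage format; the point is only that the iteration
# count travels with the hash, so old hashes stay verifiable after a change.
SCHEME_PREFIX = "{PBKDF2-SHA512}"


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Hash a password with PBKDF2-HMAC-SHA512 and record the iteration count used."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (
        SCHEME_PREFIX,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def parse_stored(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored value into (iterations, salt, digest)."""
    if not stored.startswith(SCHEME_PREFIX):
        raise ValueError("unsupported password storage scheme")
    iters, salt_b64, digest_b64 = stored[len(SCHEME_PREFIX):].split("$")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def stored_iterations(stored: str) -> int:
    """Iteration count recorded in the stored hash (not the server's current setting)."""
    return parse_stored(stored)[0]


def verify_password(password: str, stored: str) -> bool:
    """Verify with the iteration count recorded in the stored value; this is
    why hashes created under the old setting keep working after a change."""
    iterations, salt, expected = parse_stored(stored)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True when the hash was created with fewer iterations than the current
    setting, i.e. the account still needs a password change to pick it up."""
    return stored_iterations(stored) < current_iterations


def bind_cost_seconds(password: str, stored: str) -> float:
    """Wall-clock cost of one verification; use it to size the iteration
    count against the BIND rate the directory must sustain."""
    start = time.perf_counter()
    verify_password(password, stored)
    return time.perf_counter() - start


if __name__ == "__main__":
    pw = "constructed-example-password"  # constructed sample input
    old = hash_password(pw, OLD_DEFAULT_ITERATIONS)  # hash from before the update
    new = hash_password(pw, NEW_DEFAULT_ITERATIONS)  # hash under the new default
    print("old hash still verifies:", verify_password(pw, old))
    print("old hash below current setting:", needs_rehash(old, NEW_DEFAULT_ITERATIONS))
    print("new hash below current setting:", needs_rehash(new, NEW_DEFAULT_ITERATIONS))
    print("BIND cost at %d iterations: %.4f s" % (OLD_DEFAULT_ITERATIONS, bind_cost_seconds(pw, old)))
    print("BIND cost at %d iterations: %.4f s" % (NEW_DEFAULT_ITERATIONS, bind_cost_seconds(pw, new)))
```

Running the block prints the cost of one verification at each count; the ratio between the two timings is what an administrator should weigh against the expected BIND rate before raising the value further, and `needs_rehash` is the check to run over exported hashes to find accounts whose passwords have not yet been changed since the setting was raised.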

      This is related to https://github.com/389ds/389-ds-base/issues/5356

      One example is the password hashing round value, which is currently hardcoded and can be seen as no longer secure. Certain compliance requirements (such as those from BSI) require specific hashing round values greater than what we currently provide.


              spichugi@redhat.com Simon Pichugin
              rhn-support-tscherf Thorsten Scherf
              IdM DS QE
              Barbora Simonova
              Evgenia Martyniuk
              Votes: 0
              Watchers: 8