CentOS OpenLDAP pwdReset Attribute

Marek Zarychta zarychtam at plan-b.pwste.edu.pl
Tue Oct 26 19:42:22 CEST 2021


On 26.10.2021 at 19:09, Alan DeKok wrote:
> On Oct 26, 2021, at 12:51 PM, Marek Zarychta <zarychtam at plan-b.pwste.edu.pl> wrote:
>>
>>
>> For better GDPR compliance and security I'd like to recommend using
>> NT-Password for authentication (sambaNTPassword in LDAP).
> 
>   All 8-character NT hashes can be cracked fairly quickly:
> 
> https://www.theregister.com/2019/02/14/password_length/
> 

Indeed, it can be easily cracked, but NT-Password is stored as a
32-character-long MD4 hash and at least needs some effort to be cracked.

I never recommended using eight-character Windows NTLM passwords and
wonder if they will work for MSCHAP auth.

>> These
>> passwords stored as NThashes are fully compliant with MSCHAP
>> authentication, but you have to store them in LDAP (or even database),
>> so you have to store and change both: SHA-hashed userPassword and NT-
>> hashed sambaNTPassword for each user. The drawback is that such a
>> solution requires 3rd party password updating tool for LDAP.
> 
>   My choice would be (in order)
> 
> * use whatever is mandated by your DB, because you don't have a choice
>   e.g. NT hashes for Active Directory
> 
> * some crypt'd / salted format.  Whatever it is doesn't matter, so long as it's relatively recent
> 
> * clear-text passwords
> 
>   If you're not using AD, then NT hashes are *slightly* better than clear-text passwords.  But any additional security is little more than an illusion.  If someone gets access to the password DB, then NT hashes are entirely equivalent to clear-text passwords.  Anyone with $ to spare can crack the passwords pretty quickly.
> 
>   Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
Marek Zarychta
