Open vashirov opened 4 months ago
The rust versions of this aren't affected by this as they can have the values ramped up iirc.
My understanding is that, regarding for example the number of rounds, we should make PBKDF2_ROUNDS configurable. Am I missing something?
We should just be incrementing this value server side over time instead, rather than letting people configure it - not everything should be a config, we should just have good defaults.
I agree we should pick good defaults (like 10,000 iterations), but why prevent an administrator from tuning it? Regarding security, the administrator is able to tune its sslversion/ciphers/client_auth... to improve the security of the server. Similarly, the number of iterations contributes to making attacks more difficult, and the administrator should be able to tune it. We can see that the recommended value has increased in the past, so 10,000 has no reason to be the final limit.
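Both positions above (a server-side default that is ramped up over time, and an admin-tunable round count) only work if the stored hash records the round count it was produced with, so that old hashes still verify and can be re-hashed at the current setting on the next successful login. The following is an added illustration, not code from 389-ds-base: the `{PBKDF2_SHA256}` prefix and the rounds/salt/digest blob layout are assumptions chosen for the example, and `DEFAULT_ROUNDS` / `MIN_ROUNDS` are hypothetical knobs standing in for whatever the server would expose.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Hypothetical server settings for this example (not 389-ds-base config names).
DEFAULT_ROUNDS = 10_000   # current server-side default; raise this over time
MIN_ROUNDS = 1_000        # floor: refuse to *create* weaker hashes than this
SALT_LEN = 16
DIGEST_LEN = 32
SCHEME = "{PBKDF2_SHA256}"  # assumed storage prefix, modelled on LDAP-style schemes


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Hash a password and embed the round count in the stored value.

    Layout of the base64 blob (example format): 4-byte big-endian rounds,
    then SALT_LEN bytes of salt, then DIGEST_LEN bytes of PBKDF2 output.
    """
    if rounds < MIN_ROUNDS:
        raise ValueError(f"rounds={rounds} is below the minimum {MIN_ROUNDS}")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly SALT_LEN bytes")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds,
                             dklen=DIGEST_LEN)
    blob = struct.pack(">I", rounds) + salt + dk
    return SCHEME + base64.b64encode(blob).decode("ascii")


def parse_stored(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored value back into (rounds, salt, digest)."""
    if not stored.startswith(SCHEME):
        raise ValueError("unknown password scheme")
    blob = base64.b64decode(stored[len(SCHEME):])
    if len(blob) != 4 + SALT_LEN + DIGEST_LEN:
        raise ValueError("malformed stored hash")
    (rounds,) = struct.unpack(">I", blob[:4])
    salt = blob[4:4 + SALT_LEN]
    digest = blob[4 + SALT_LEN:]
    return rounds, salt, digest


def verify(password: str, stored: str) -> bool:
    """Verify using the rounds recorded in the hash, whatever the current default."""
    rounds, salt, digest = parse_stored(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    rounds, dklen=DIGEST_LEN)
    # Constant-time comparison so the check does not leak which bytes matched.
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, current_rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when the hash was made with fewer rounds than the server now wants."""
    rounds, _, _ = parse_stored(stored)
    return rounds < current_rounds


def verify_and_upgrade(password: str, stored: str,
                       current_rounds: int = DEFAULT_ROUNDS
                       ) -> Tuple[bool, Optional[str]]:
    """Login-time check that also returns a replacement hash when the stored one
    is weaker than the current setting. The caller writes the new value back.

    This is how a ramped-up default (or a raised admin setting) takes effect
    without forcing a password reset: the cleartext is only available here.
    """
    if not verify(password, stored):
        return False, None
    if needs_rehash(stored, current_rounds):
        return True, hash_password(password, rounds=current_rounds)
    return True, None


if __name__ == "__main__":
    old = hash_password("correct horse", rounds=2_000)   # a legacy, weaker hash
    ok, replacement = verify_and_upgrade("correct horse", old, current_rounds=10_000)
    print("login ok:", ok, "| rounds after upgrade:",
          parse_stored(replacement)[0] if replacement else parse_stored(old)[0])
```

The key point is that `verify` never consults `DEFAULT_ROUNDS`; it uses the round count stored beside the salt. That is what makes raising the default (or letting an administrator raise it) safe for existing entries, while `MIN_ROUNDS` keeps a misconfiguration from producing hashes weaker than the floor.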
This is related to https://github.com/389ds/389-ds-base/issues/5356
One example is the password hashing round value that is currently hardcoded and can be seen as not secure anymore. Certain compliance requirements (like from BSI) require specific hashing round values greater than what we currently provide.
Cloned from https://issues.redhat.com/browse/RHEL-42485