majewsky / portunus

Self-contained user/group management and authentication service
GNU General Public License v3.0

re-hash passwords into stronger hashes on login #2

Closed majewsky closed 9 months ago

majewsky commented 1 year ago

If I recall correctly, vanilla slapd can do better than Salted SHA by this point, so Portunus should prefer one of the better hashes that slapd supports, and upgrade existing user accounts to use this hash on successful login.

majewsky commented 1 year ago

Given that we use the {CRYPT} scheme for the userPassword attribute, we are limited to what libcrypt supports. Current libxcrypt implementations seem to prefer multi-round-SHA512 (scheme $6$), so our current choice of multi-round-SHA256 (scheme $5$) appears to be fine still.

SuperSandro2000 commented 1 year ago

@majewsky can you re-open that issue so that I can link to it from nixpkgs? see https://github.com/NixOS/nixpkgs/pull/231502#discussion_r1196638531

majewsky commented 1 year ago

Reopened as per Sandro's request. If openldap now widely supports a non-trash hash, we should switch to it. PRs are appreciated.