[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Antw: Re: Openldap support SHA-256 or SHA-3.

To: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>, michael@stroeder.com
Subject: Re: Antw: Re: Openldap support SHA-256 or SHA-3.
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Mon, 13 Jan 2020 08:15:05 -0800
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-filter: OpenDKIM Filter v2.10.3 zmcc-2-mta-1.zmailcloud.com 42479CEDB8
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symas.com; s=37C7994C-28CA-11EA-A30F-68F90BB9D764; t=1578932107; bh=Kb1U/HFcw6+jiDXPeLLsyKo187Wvsf73Wx+6q0ONvFw=; h=Date:From:To:Message-ID:MIME-Version; b=WQISP0yke/LbL8BnHC8j+VPK9fpuznJ4a6bJIXIRR/kE5JuqARBg6b5NbZsINH0XM qRqtPAKTwRb/Wyi2pJ3yKy9fp1kpq/q+O8A/sWfPxVkxIrZycjZuTgZIfPh1Siqo5C Av/XaO38a7FhyqUj4hm63eCKEkFdfUCblo36O/2WqiNFoOfVVg460k1TfQD8paMJYr rT+NE+HAFu5JXDdsxlng9rNc8JEIJ8CCTIc7aTxxzq3jOXe5tO/92OA5icx2mt9wmh jwy9uQqXssysAqBUYJ69Yn478XkKJjEjOOP+ersLmU9DGIQDr92uOr3IYAeIuFWwuf MRs2TdRjd/diw==
In-reply-to: <5E1C4FF9020000A1000363F4@gwsmtp.uni-regensburg.de>
References: <CALm_Vjh4vgOBu8kZrJzRheAyqbZVL0OoE-nRAvc1z+nb-Eow9Q@mail.gmail. com> <67753E9A5A2A2945F035E0CC@192.168.1.144> <CALm_Vji=Mok7kkZ96+EEAu_Osw0rVjBANBrdejKFs=fEr--3HQ@mail.gmail.com> <1C6038D9E08BE216B90B3FF4@[192.168.1.144]> <7209ad32-c522-bc3e-e863-a5ff72c18e8b@stroeder.com> <7180359711BF1270F919BD53@[192.168.1.144]> <930e4cf3-240f-155e-1cbc-c74f68b9ba3e@stroeder.com> <CA17B510ABD069A7884B759C@[192.168.1.144]> <5E1C4FF9020000A1000363F4@gwsmtp.uni-regensburg.de>

--On Monday, January 13, 2020 12:09 PM +0100 Ulrich Windl<Ulrich.Windl@rz.uni-regensburg.de> wrote:

Quanah Gibson-Mount <quanah@symas.com> schrieb am 08.01.2020 um 03:05
in

Nachricht <CA17B510ABD069A7884B759C@[192.168.1.144]>:


--On Tuesday, January 7, 2020 11:25 PM +0100 Michael Ströder
<michael@stroeder.com> wrote:

AFAICS RFC 3112 was never implemented in OpenLDAP. Thus I'd consider
this to be rather irrelevant here.


Incorrect, it's clearly implemented in slapd.  Whether it's enabled is a
different question, as it's IFDEF'd behind SLAPD_AUTHPASSWD. ;)

In any case, I've been advocating for several years now to get rid of
SSHA  as the default hashing mechanism and replace it with something
that may  actually have some security value.


Is a "well-salted" SHA-1 really worse than a "poorely-salted" SHA-256?
Isn't it all aboput the number of bits that have to be checked
(brute-force)?

As Howard already noted, what we're looking for is something like Argon2,not further SSHA derivatives.


--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Follow-Ups:
- Re: Antw: Re: Openldap support SHA-256 or SHA-3.
  - From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>

References:
- Re: Openldap support SHA-256 or SHA-3.
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Michael Ströder <michael@stroeder.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Michael Ströder <michael@stroeder.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Antw: Re: Openldap support SHA-256 or SHA-3.
  - From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>

Prev by Date: Re: Antw: Re: Openldap support SHA-256 or SHA-3.
Next by Date: Re: Replication account problem
Index(es):
- Chronological
- Thread