Thread: How to change password storage method?

United Kingdom
2007-03-29 10:09:00
I must be missing something here but I tried following the instructions here
http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html
but to no avail.

I want the passwords for all Users in People to be stored in md5. Everything I have done (like selecting a user and "Managing passwords") leaves them in SSHA which is presumably some default.

My real problem is that clients are broadcasting passwords in the clear (despite pam being told to use md5 with ldap). I am assuming that is because the ldap server is using SSHA and pam is using md5 so they negotiate to send passwords in the clear. Does that sound right?

Thanks
Andy

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Re: How to change password storage method?
United Kingdom
2007-03-29 11:28:40
On Thu, 29 Mar 2007 16:09:00 +0100
Andy Schofield <ajsth.ph.bham.ac.uk> wrote:
 
> I want the passwords for all Users in People to be stored in md5.
> Everything I have done (like selecting a user and "Managing passwords")
> leaves them in SSHA which is presumably some default.

Sorry - found it in the manual

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672

> My real problem is that clients are broadcasting passwords in the
> clear (despite pam being told to use md5 with ldap). I am assuming
> that is because the ldap server is using SSHA and pam is using md5 so
> they negotiate to send passwords in the clear. Does that sound right?

However - it has not solved this problem. The password is still being sent in the clear. I have /etc/ldap.conf including the line:

pam_password md5

I was hoping that it would ensure only hashed passwords would be sent to the FDS server. Any other ideas how to fix this?

Andy


Re: How to change password storage method?
United Kingdom
2007-03-29 11:29:59
On Thu, 29 Mar 2007, Andy Schofield wrote:

> I want the passwords for all Users in People to be stored in md5.
> Everything I have done (like selecting a user and "Managing passwords")
> leaves them in SSHA which is presumably some default.

You can change the default password storage scheme by modifying the cn=config passwordStorageScheme attribute. It should be in slapd-HOST/config/dse.ldif (look for "dn: cn=config"); if not, then you can add the attribute.

You can also change it in the Console:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1086306

I don't think it affects passwords already stored, only new entries.

Hope this helps.

Ville

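As an added example (not code from the thread or from Fedora DS itself), the check Ville's caveat calls for: audit which storage scheme each userPassword in an LDIF export actually uses, since changing passwordStorageScheme leaves existing values as they were, and verify a candidate password against {SSHA} and {MD5} values. It assumes the 389/Fedora DS encodings (SSHA is base64 of sha1(password + salt) followed by the salt, MD5 is base64 of the raw digest) and uses a constructed sample export.

```python
import base64
import hashlib
import os
import re
from collections import Counter
SAMPLE_PASSWORD = "correct horse"  # constructed sample, not a real credential

def make_ssha(password, salt=None):
    """Encode as 389/Fedora DS {SSHA}: base64(sha1(password + salt) + salt), 8-byte salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def make_md5(password):
    """Encode as {MD5}: base64 of the raw, unsalted MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def verify(stored, password):
    """Check a candidate password against a {SSHA} or {MD5} userPassword value."""
    m = re.match(r"\{(\w+)\}(.*)", stored)
    if not m:
        return stored == password  # no scheme prefix: value is stored in the clear
    scheme, blob = m.group(1).upper(), base64.b64decode(m.group(2))
    if scheme == "SSHA":
        digest, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes, the rest is salt
        return hashlib.sha1(password.encode() + salt).digest() == digest
    if scheme == "MD5":
        return hashlib.md5(password.encode()).digest() == blob
    raise ValueError("unsupported scheme: " + scheme)

def scheme_report(ldif_text):
    """Count the storage scheme of every userPassword in an LDIF export."""
    counts = Counter()
    for line in ldif_text.splitlines():
        key, _, rest = line.partition(":")
        if key.lower() != "userpassword":
            continue
        # 'attr:: value' means the value is base64-encoded in the LDIF
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        m = re.match(r"\{(\w+)\}", value)
        counts[m.group(1).upper() if m else "CLEAR"] += 1
    return counts

SAMPLE_LDIF = "\n".join([  # constructed export: alice set after the scheme change, bob before it
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "userPassword: " + make_md5(SAMPLE_PASSWORD),
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(make_ssha(SAMPLE_PASSWORD).encode()).decode(),
])
```

Run `scheme_report` over a real `db2ldif` export to see how many entries still carry the old scheme; those only move to the new one when their password is next changed.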

Re: How to change password storage method?
2007-03-29 12:38:05
Andy Schofield wrote:
>> My real problem is that clients are broadcasting passwords in the
>> clear (despite pam being told to use md5 with ldap). I am assuming
>> that is because the ldap server is using SSHA and pam is using md5 so
>> they negotiate to send passwords in the clear. Does that sound right?
>
> However - it has not solved this problem. The password is still being
> sent in the clear. I have /etc/ldap.conf including the line:

What you need is not a hashed password sent over the wire (which achieves very little) but an encrypted transport using SSL, or SASL and kerberos.

--
Pete



Re: How to change password storage method?
2007-03-29 13:13:46
> However - it has not solved this problem. The password is still being
> sent in the clear. I have /etc/ldap.conf including the line:
>
> pam_password md5

pam_password controls how new passwords are hashed locally before updating an account's password attribute, i.e. when someone changes their password.

If you want the hash setting on the server to always be honored, use "pam_password clear".

Comments from PADL's ldap.conf:

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear



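An added example, not from the thread or from PADL's nss_ldap: a small lint over constructed /etc/ldap.conf fragments that reports the two things the replies above separate, the pam_password setting (which only affects how changed passwords are stored, and defaults to clear when commented out) and whether the transport is encrypted at all (an ldaps:// URI or "ssl on"/"ssl start_tls"). The keyword names follow nss_ldap's ldap.conf; the sample configs are constructed.

```python
# Constructed /etc/ldap.conf fragments (not from the thread). WEAK mirrors the
# setting Andy tried; FIXED keeps the server's scheme and encrypts the transport.
WEAK_CONF = """\
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
pam_password md5
uri ldap://ldap.example.com/
"""

FIXED_CONF = """\
pam_password clear
uri ldaps://ldap.example.com/
ssl on
"""

def parse_ldap_conf(text):
    """Return {keyword: value} for active (uncommented) lines; the last setting wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

def effective_pam_password(conf):
    """PADL's documented default when pam_password is absent or commented out is 'clear'."""
    return conf.get("pam_password", "clear").lower()

def transport_is_encrypted(conf):
    """True if the client uses ldaps:// or 'ssl on' / 'ssl start_tls'."""
    if "ldaps://" in conf.get("uri", "").lower():
        return True
    return conf.get("ssl", "off").lower() in ("on", "yes", "start_tls")

def findings(text):
    """List the problems this thread turned on, for one ldap.conf text."""
    conf = parse_ldap_conf(text)
    out = []
    if not transport_is_encrypted(conf):
        # pam_password never protects the bind: the login password crosses the wire as typed
        out.append("bind credentials sent in the clear: no ldaps:// URI and no 'ssl on'/'ssl start_tls'")
    if effective_pam_password(conf) != "clear":
        out.append("pam_password %s overrides the server's passwordStorageScheme on password change" % effective_pam_password(conf))
    return out
```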

Re: How to change password storage method?
United Kingdom
2007-03-29 13:28:27
On Thu, 29 Mar 2007 10:38:05 -0700
Pete Rowley <prowleyredhat.com> wrote:

> > However - it has not solved this problem. The password is still
> > being sent in the clear. I have /etc/ldap.conf including the line:
> >
> What you need is not a hashed password sent over the wire (which
> achieves very little) but an encrypted transport using SSL, or SASL
> and kerberos.

Yes - I agree and I am working on getting SSL going.

However, a hashed password is better than nothing surely. Even NIS didn't send passwords in the clear.

But I see that the /etc/ldap.conf line I have been playing with only affects password updates and probably there is nothing I can do to prevent clear passwords apart from SSL. (Just as George points out)

Thanks
Andy
