[Info-vax] Enhanced Password Management
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Mar 21 10:50:25 EDT 2019
On 2019-03-21 14:18:28 +0000, dgordonatvsi at gmail.com said:
> On Wednesday, March 20, 2019 at 5:48:32 PM UTC-4, Simon Clubley wrote:
>
>>
>> I wonder if this one removes the ability to set a new password without
>> knowing the old password or whether suitably privileged users can
>> override this.
>>
>
> AUTHORIZE has never called the password policy hooks and still doesn't.

Nor does $setuai, as that's called with a fixed-size eight-byte hash
buffer. Apps using that won't be compatible with a longer password
hash as that support arrives, use of the approach from that
problematic-for-two-reasons SHA-1 password module aside. (SHA-1 is far
too fast and far too efficient for use as a password hash, and folding
SHA-1 to fit into eight byte buffers greatly reduces the value of the
hash.)

Don't know what happens with LDAP external authentication in this
context; whether that password then goes unsynchronized, or whether
something skulks the Purdy hash and distributes it to the replicants.
Given what I've seen of the implementation, I'd assume the former;
things go unsynchronized. (There's also an LDAP password filter in
place in various organizations. That should weaken the password per
local requirements, though the AUTHORIZE and $setuai paths very likely
don't tie into that LDAP check. The $setuai path really can't.)

BTW: Use of $getuai and $setuai is how you preserve a user's password,
if you need to mimic that user's login for some reason. Copy off the
hash with $getuai, replace the hash with a hash for a password you know
using the same algorithm and salt as the original password, and do what
you need. Then $setuai again, with the original password hash. This
if JTR can't find a match for the user's hash. There are other ways to
mimic a user, but this will provide the entire login context. This
absent multi-factor authentication, which would require redirecting or
disabling that, too.

--
Pure Personal Opinion | HoffmanLabs LLC