** Changed in: openldap (Ubuntu Plucky)
Status: Confirmed => In Progress
** Changed in: openldap (Ubuntu Noble)
Status: Confirmed => In Progress
** Changed in: openldap (Ubuntu Jammy)
Status: Confirmed => In Progress
** Changed in: openldap (Ubuntu Jammy)
Status: In Progress => Won't Fix
https://bugs.launchpad.net/bugs/2125685
Title:
pbkdf2 module does not make iterations configurable (FIPS 140-3)
Status in openldap package in Ubuntu:
In Progress
Status in openldap source package in Jammy:
Won't Fix
Status in openldap source package in Noble:
In Progress
Status in openldap source package in Plucky:
In Progress
Status in openldap source package in Questing:
In Progress
Bug description:
[ Impact ]
Add configurable rounds to the pw-pbkdf2.so module.
Without the ability to configure the iteration count, it is not
possible to meet current security best practices or achieve compliance
with FIPS 140-3, which requires configurable and sufficiently high
iteration counts for PBKDF2.
[ Test Plan ]
* install slapd and slapd-contrib
* before the update, only the hardcoded 10000 rounds are supported:
slappasswd -o module-load=pw-pbkdf2.so -h {PBKDF2-SHA512}
* after the update, any round count can be configured:
slappasswd -o module-load="pw-pbkdf2.so 1337" -h {PBKDF2-SHA512}
[ Where problems could occur ]
* pbkdf2 password validation/hashing could get a regression
* Because the round count becomes configurable, old passwords could become
invalid due to differing round counts
[ Other Info ]
* Anything else you think is useful to include
* Make sure to explain any deviation from the norm, to save the SRU
reviewer from having to infer your reasoning, possibly incorrectly.
This should also help reduce review iterations, particularly when the
reason for the deviation is not obvious.
* Anticipate questions from users, SRU, +1 maintenance, security teams
and the Technical Board and address these questions in advance
[ Original Report ]
On Ubuntu 24.04, the OpenLDAP package ships with the library
/usr/lib/ldap/pw-pbkdf2.so.
While this module works for generating PBKDF2-SHA512 password hashes, it does
not provide an option to configure the number of iterations.
For example:
slappasswd -o module-load=pw-pbkdf2.so -h {PBKDF2-SHA512}
generates a hash with a fixed iteration count (e.g. 10000) and does
not accept parameters to increase it.
In contrast, the upstream contrib module passwd/pbkdf2 on
https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/passwd/pbkdf2
supports the iteration count option and allows administrators to
configure it:
moduleload pw-pbkdf2.so [iterations]
Steps to reproduce:
Install OpenLDAP on Ubuntu 24.04 (slapd and slapd-contrib packages).
Run
slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
{PBKDF2}10000$ZvU8GRSybbefW48n8BeyuA$XE1t4W09ZP0z8zmLVb/SbwaOl2Y
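As an added illustration (not part of the bug report or of the OpenLDAP module's own code), a Python model of the hash layout shown above. It assumes the module's passlib-compatible adapted base64 ('.' in place of '+', no padding) and shows why the regression concern is limited: the iteration count is stored inside each hash, so values created with the old fixed 10000 rounds still verify after the count becomes configurable, while needs_rehash finds hashes that fall below a policy minimum.

```python
import base64
import hashlib
import hmac
import os
import re
# Scheme name -> (hashlib digest, derived-key length); {PBKDF2} is the SHA-1 variant.
SCHEMES = {
    "PBKDF2": ("sha1", 20),
    "PBKDF2-SHA1": ("sha1", 20),
    "PBKDF2-SHA256": ("sha256", 32),
    "PBKDF2-SHA512": ("sha512", 64),
}
# Layout of a stored value: {SCHEME}<iterations>$<salt>$<derived key>
_HASH_RE = re.compile(r"^\{([A-Z0-9-]+)\}(\d+)\$([A-Za-z0-9./]+)\$([A-Za-z0-9./]+)$")

def ab64_decode(text: str) -> bytes:
    """Adapted base64 (assumption: passlib style, '.' for '+', no padding)."""
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))

def ab64_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")

def parse_hash(stored: str):
    """Return (scheme, iterations, salt, derived_key); ValueError if malformed."""
    match = _HASH_RE.match(stored)
    if not match or match[1] not in SCHEMES:
        raise ValueError("not a pw-pbkdf2 hash: %r" % stored)
    return match[1], int(match[2]), ab64_decode(match[3]), ab64_decode(match[4])

def hash_password(password: str, iterations: int, scheme="PBKDF2-SHA512", salt=None) -> str:
    """Hash with an explicit iteration count, as the fixed module allows."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    digest, dklen = SCHEMES[scheme]
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations, dklen)
    return "{%s}%d$%s$%s" % (scheme, iterations, ab64_encode(salt), ab64_encode(dk))

def verify_password(password: str, stored: str) -> bool:
    """Iterations come from the stored hash, not the current module setting,
    so hashes made with the old fixed 10000 rounds still verify after the change."""
    scheme, iterations, salt, dk = parse_hash(stored)
    digest, _ = SCHEMES[scheme]
    candidate = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations, len(dk))
    return hmac.compare_digest(candidate, dk)

def needs_rehash(stored: str, min_iterations: int) -> bool:
    """Flag stored hashes below the iteration count current policy requires."""
    return parse_hash(stored)[1] < min_iterations
```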