Conduct security audit of the password obfuscation code

[sssd-bot]

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/752

• Created at 2010-12-23 00:49:34 by dpal
• Closed as Fixed
• Assigned to jhrozek

---

Review the password obfuscation code with NSS team and make sure that best practices are followed.

Comments

---

Comment from sbose at 2011-01-05 11:48:12

I think this should be done better sooner than later to avoid more issues with OpenLDAP using NSS. See https://fedorahosted.org/sssd/ticket/762

---

Comment from jhrozek at 2011-01-11 14:16:04

During a security audit conducted by a senior NSS developer these enhancements were proposed:
- use PK11_KeyGen() instead of PK11_GenerateRandom() and then use PK11_ExtractKeyValue() followed by PK11_GetKeyData() to get the key data.
- include a warning about password obfuscation not increasing security directly in the source file so that people who would like to use the code see it. The current version only includes a warning in the sssd-ldap manual page only.

owner: somebody => jhrozek

---

Comment from sgallagh at 2011-01-11 15:24:13

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.5.1

---

Comment from sgallagh at 2011-01-20 18:26:03

Fixed by fd72f76

resolution: => fixed
status: new => closed
upgrade: => 0

---

Comment from dpal at 2012-01-19 03:02:53

Fields changed

rhbz: => 0

---

Comment from dpal at 2017-02-24 14:35:46

Metadata Update from @dpal:

• Issue assigned to jhrozek
• Issue set to the milestone: SSSD 1.5.1