
Re: SHA-2 support (was: Permissions, users, startup when install from source)



> --On Wednesday, January 16, 2013 7:39 AM +0100 Michael Ströder
> <michael@stroeder.com> wrote:
>
>> Quanah Gibson-Mount wrote:
>>> --On Tuesday, January 15, 2013 2:35 PM -0800 Ori Bani
>>> <oribani@gmail.com> wrote:
>>>> Why hasn't the sha2 module been migrated out of the
>>>> contrib directory?
>>>
>>> The "core" of OpenLDAP tries to be as RFC compliant as possible.  There
>>> is no RFC that I'm aware of that adds SHA2 support.
>>
>> Sorry, this is an artificial argument which is simply not valid!
>>
>> Can you tell me which RFC specifies how to handle LANMAN hashes
>> (--enable-lmpasswd)? There are plenty of similar examples...
>
> OpenLDAP, like many software projects that have existed for numerous
> years, has grown in its development practices.  Just because something
> was done incorrectly in the past is not a reason to continue doing so.
> Feel free to port lanman hashes to a contrib module.

I'm not an expert in security, so this is just my 2c.  In general, as far
as I recall, we tend to be pragmatic when appropriate.  So asking a fancy
useless feature to become mainstream because other fancy useless features
made it long ago is pointless.  But when it comes to security, I think it
may be wise to break the rule every now and then.

I leave judgement to security experts, but in case I'd favour moving SHA-2
support to mainstream (or whatever other means makes it easier for
packagers to include it without requiring users to compile it separately).

As I said, my 2c.

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano