directory-dev mailing list archives

From "Kiran Ayyagari (JIRA)" <>
Subject [jira] [Closed] (DIRSERVER-1822) Same password can be used multiple times, when SSHA is used for password hash.
Date Thu, 11 Apr 2013 05:07:15 GMT


Kiran Ayyagari closed DIRSERVER-1822.

    Resolution: Won't Fix
      Assignee: Kiran Ayyagari

This is expected, because the client is sending a hashed password; there is no way to verify
the history based on a hashed password. To avail of this feature, the user should always send the
password in plain text.
To forbid users from modifying the password with a hashed value, set the value of the ads-pwdcheckquality
attribute to 2.
> Same password can be used multiple times, when SSHA is used for password hash.
> ------------------------------------------------------------------------------
>                 Key: DIRSERVER-1822
>                 URL:
>             Project: Directory ApacheDS
>          Issue Type: Bug
>            Reporter: Peter Hmelak
>            Assignee: Kiran Ayyagari
> When using SSHA (salted SHA) for password hashing, no CONSTRAINT_VIOLATION (invalid reuse
> of password present in password history) is thrown if the new password is the same as one already
> in pwdHistory.
> I believe the current implementation just compares the new password hash with the ones stored
> in pwdHistory.
> And because of the new salt, no two hashes are ever alike, even though passwords are the
> Suggestion for fix:
> *Every* salt stored in pwdHistory should be used, together with the new password, when creating
> password hashes that are then compared with the ones already stored in pwdHistory.

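The behaviour discussed in this message, as an added example (not ApacheDS code and not part of the original message): re-hashing a plaintext with each salt stored in the history detects reuse, while a value that arrives already hashed cannot be checked at all. It assumes the common {SSHA} layout base64(SHA-1(password + salt) + salt) and a history simplified to a list of such strings; all function names and sample passwords are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Assumption: a leading {scheme} tag marks a value the client already hashed.
SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")  # e.g. {SSHA}, {SHA}

def ssha(password: bytes, salt: bytes) -> str:
    """{SSHA} value: base64(SHA-1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def matches(plaintext: bytes, stored: str) -> bool:
    """Re-hash the plaintext with the salt embedded in one stored value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
    return hmac.compare_digest(hashlib.sha1(plaintext + salt).digest(), digest)

def naive_reused(new_value: str, history: list) -> bool:
    """Comparison the reporter suspects: stored strings checked for equality."""
    return new_value in history

def reused(new_value: str, history: list):
    """True/False when reuse is decidable, None for a pre-hashed value."""
    if SCHEME.match(new_value):
        return None  # only a hash arrived; its plaintext cannot be tested
    return any(matches(new_value.encode(), h) for h in history)

# Constructed sample history (fixed salts so the results are repeatable).
HISTORY = [ssha(b"Winter2013!", b"saltAAAA"), ssha(b"Spring2013!", b"saltBBBB")]

if __name__ == "__main__":
    rehashed = ssha(b"Winter2013!", b"saltCCCC")  # same password, new salt
    print(naive_reused(rehashed, HISTORY))  # string equality misses the reuse
    print(reused(rehashed, HISTORY))        # undecidable: server saw no plaintext
    print(reused("Winter2013!", HISTORY))   # plaintext: reuse is detected
    print(reused("Summer2013!", HISTORY))   # plaintext: genuinely new password
```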