https://bugs.openldap.org/show_bug.cgi?id=9827
Issue ID: 9827
Summary: Feature request for module argon2.so to support Argon2i, Argon2d, Argon2id
Product: OpenLDAP
Version: 2.6.1
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: juergen.sprenger@swisscom.com
Target Milestone: ---
Hi,
This is a feature request.
I would like to be able to choose between Argon2i, Argon2d and Argon2id in slappasswd, like in the argon2 command:
# argon2
Usage:  argon2 [-h] salt [-i|-d|-id] [-t iterations] [-m log2(memory in KiB) | -k memory in KiB] [-p parallelism] [-l hash length] [-e|-r] [-v (10|13)]
        Password is read from stdin
Parameters:
        salt            The salt to use, at least 8 characters
        -i              Use Argon2i (this is the default)
        -d              Use Argon2d instead of Argon2i
        -id             Use Argon2id instead of Argon2i
        -t N            Sets the number of iterations to N (default = 3)
        -m N            Sets the memory usage of 2^N KiB (default 12)
        -k N            Sets the memory usage of N KiB (default 4096)
        -p N            Sets parallelism to N threads (default 1)
        -l N            Sets hash output length to N bytes (default 32)
        -e              Output only encoded hash
        -r              Output only the raw bytes of the hash
        -v (10|13)      Argon2 version (defaults to the most recent version, currently 13)
        -h              Print argon2 usage
Example:
/usr/local/etc/openldap # /usr/sbin/slappasswd -h "{ARGON2}" -o module-load="argon2.so i" -s secret
/usr/local/etc/openldap # /usr/sbin/slappasswd -h "{ARGON2}" -o module-load="argon2.so d" -s secret
/usr/local/etc/openldap # /usr/sbin/slappasswd -h "{ARGON2}" -o module-load="argon2.so id" -s secret
Best regards
Juergen Sprenger
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed      |Added
-----------------+-------------+------
Target Milestone |---          |2.7.0
Keywords         |needs_review |
--- Comment #1 from Young Kuo tw01472760@gmail.com ---
Hi Juergen, we also have the same requirement as this ticket. As far as I know, OpenLDAP already supports verification of argon2d, argon2i and argon2id hashes, but only supports password hashing with argon2i. Is this ticket still being worked on?
Quanah Gibson-Mount quanah@openldap.org changed:
What       |Removed     |Added
-----------+------------+---------
Status     |UNCONFIRMED |RESOLVED
Resolution |---         |TEST
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
Commits:
• 61e48321 by François Kooman at 2023-08-11T20:58:56+00:00
ITS#9827 update Argon2 defaults

- switch to argon2id by default (from argon2i)
- use OWASP recommended parameters as defaults

This only affects builds that use libargon2, e.g. Debian, and not builds that use libsodium, as argon2id is already the default there and better parameters are used.

References: https://bugs.openldap.org/show_bug.cgi?id=9827
Signed-off-by: François Kooman fkooman@tuxed.net
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
This should probably be backported to OpenLDAP 2.6 at this point. It is backwards compatible with existing hashes, and at the moment, there is no released version of OpenLDAP that has any option to meet what's outlined in https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet....
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed |Added
-----------------+--------+-------
Target Milestone |2.7.0   |2.5.19
Quanah Gibson-Mount quanah@openldap.org changed:
What       |Removed |Added
-----------+--------+------
Resolution |TEST    |FIXED
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
RE26:
• d13a07bf by François Kooman at 2024-06-28T16:48:57+00:00 ITS#9827 update Argon2 defaults
• 3516e19b by Quanah Gibson-Mount at 2024-06-28T16:49:04+00:00 ITS#9827 - Use 7MB memory/5 iterations as default
RE25:
• 08a78a02 by François Kooman at 2024-06-28T16:52:53+00:00 ITS#9827 update Argon2 defaults
• 412d897c by Quanah Gibson-Mount at 2024-06-28T16:53:05+00:00 ITS#9827 - Use 7MB memory/5 iterations as default
Quanah Gibson-Mount quanah@openldap.org changed:
What   |Removed  |Added
-------+---------+---------
Status |RESOLVED |VERIFIED