SDS (TDS): Hide plaintext passwords
Many of our IBM Connections installations use SDS (Security Directory Server) aka. TDS (Tivoli Directory Server) as LDAP system.
When installing version 6.3 out of the box, a rather not so nice security problem (in my opinion) is built in:
Passwords of all users can be read in plaintext by the “cn=root” authority. So everyone who has the password for this user would be able to look at the actual saved passwords. Furthermore these passwords are stored in plaintext in the database, which does not make the system very secure.
PLEASE NOTE: Check if the login is still possible using the application (after you changed the password)!!! Furthermore the performance might be affected by changing this setting! If you experience problems, please consider using another (perhaps unsafe) one-way encryption mechanism.
You will not be able to view the current password using any Directory Browser! Furthermore you cannot change the password using the Directory Browser (at least when using Apache Directory Studio), as this does not support SSHA256 (which is used in this example)
If you bind to a TDS server using the cn=root authority, you are able to view all passwords of any user in the directory.
This is not desirable and should be changed.
Technical background why this happens
The standard password encryption in TDS is set to AES.
AES uses 2-way encryption technology, which appears to be pretty unsafe when using a Directory server.
2-way encryption: The login application encrypts the password, sends it to the directory server, that also encrypts the plaintext password and a comparison is made. The whole problem is that 2-way encryption stores the password as plaintext in the directory server, so that certain applications can access the password in plaintext (where this is needed).
1-way encryption: Other encryption technologies, such as SHA, SHA2 or the salted versions use one-way encryption. One-way encryption stores the password encrypted in the directory server – there is no way to decrypt the password (e.g. using a Directory Browser). The login application encrypts the entered password and a comparison is made between encrypted application / Directory password.
How to change this in TDS
- Stop the TDS server
- Edit the TDS config file (create a backup first) “/home/dsrdbm01/idsslapd-dsrdbm01/etc/ibmslapd.conf
- Here we change ibm-slapdPwEncryption from “aes256” to “ssha256”
- The new mechanism is “SSHA256” – Salted SHA2 mechanism with 256 bit keylength (this can be also 512)
- Start the TDS Server
… the result:
an SSHA256 encrypted password
Now you only need to check if your application for changing passwords plays nicely together with this change.
We use our own development – a self registration add-on for IBM Connections and WebSphere portal and can also change passwords. This works without any problem.