add-user utility FIPS comliance

Latest response

Does anyone know the algorithm/compliance inherent in the add-user utility when it adds a user/password to application-users.properties file?

For example:

./add-user joe password

In the *.properties file you see

joe=<long string of characters>

What is the process/algorithm in use to convert "password" to "<long string of characters>" and is that process/algorithm FIPS 140-2 compliant?

 

v/r

Ben

BW
Log in to join the conversation

Responses

David Powles's picture Red Hat 25369 points
26 July 2013 8:56 AM

Welcome, Ben! Hopefully we have some users here who are knowledgeable about achieving FIPS compliance. If you don't see a response shortly I'll see if I can track down a Red Hat expert for you.

rh Red Hat Pro 697 points
29 July 2013 8:23 AM

Hi,

The propery based security domain uses:

# By default the properties realm expects the entries to be in the format: -
# username=HEX( MD5( username ':' realm ':' password))
 

So not FIPS compliant, but we consider this to be fit for development security only.

For production you should really switch to for example the LDAP module. Other security mechanism can be used via standard JAAS.

 

Kind regards

Tom

 

BW Community Member 20 points
29 July 2013 12:54 PM

Tom,

Thanks for the timely response.

v/r

Ben

rh Red Hat Pro 697 points
29 July 2013 1:03 PM

Ben,

for completeness sake: the entries generated by the script "add-user.sh" are in fact FIPS compliant as we enforce the rules when entering a password. But you can bypass by editing the property file manually of course which I why I mentioned not to use this in production.

Kind regards
Tom

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.