389-ds-base

Clone
Source Code
GIT

#49387 pbkdf2 time cap and limit may be too aggresive
Closed: wontfix 6 years ago Opened 6 years ago by firstyear.

Closed: wontfix
Reopen Issue

Issue Description

An admin noticed that their machine had a 70% cpu increase with pbkdf2 binds. This is likely related to the time cap being too large, and the minimal threshold being too high especially given the nss impl bug.

We should consider lowering the time amount and minimal cap to help ease people into this scheme. Today, even pbkdf2 at 1024 rounds is better than what we have today in ssha512.

Metadata Update from @firstyear:
- Issue assigned to firstyear
6 years ago

Do I dare suggest making it configurable? I do :-p just a suggestion, not a hard request.
Edited 6 years ago by mreynolds

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
6 years ago

I knew someone would say it ;)

I still want to avoid configuration of this, I think we should be able to get it "right" because most people won't touch it - they'll set and forget, and they'll never make it better again,

I think the issue is we just need to be more conservative instead while the issue in NSS exists.

Metadata Update from @firstyear:
- Custom field reviewstatus adjusted to review (was: None)
6 years ago

It looks good, ack

Metadata Update from @mreynolds:
- Custom field reviewstatus adjusted to ack (was: review)
6 years ago

commit ee25b88
To ssh://git@pagure.io/389-ds-base.git
805e8f4..ee25b88 master -> master

Metadata Update from @firstyear:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
6 years ago

@firstyear - should this also go into 1.3.7?

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2446

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)
3 years ago

Login to comment on this ticket.

Metadata
None
None
None
None
None
ack
None
None
Attachments 1
0001-Ticket-49387-pbkdf2-settings-were-too-aggress...
Attached 6 years ago View Comment
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.