OpenVPN 2.10.1 PBKDF2 details
Posted: Wed Jan 12, 2022 1:32 pm
Release notes for OpenVPN 2.10.1 include:
"Updated hashing method for new local user passwords from unsalted SHA256 to salted PBKDF2."
This is clearly an improvement but still vague as to how much.
There are three parameters to PBKDF2 which impact the degree it improves security:
(1) Length of the salt
(2) Hash function used
(3) Number of rounds / iterations of hashing
I have seen some PBKDF2 implementations that default to SHA1 and 1,000 rounds (which is kind of disappointing). Are there any details on the three parameters that OpenVPN AS uses? Also, is there any method to use sacli to change any of the three?
Also, will it automatically change unsalted SHA256 hashes to PBKDF2 on the next successful login or only on the next password change?
On a slightly unrelated note, can OpenVPN AS please add a method to set the PAM Service Name that is used? Or at least specify what service name is used?
Thanks
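The following Python example is added here and is not taken from the post or from OpenVPN AS. It shows where the three parameters enter PBKDF2 and why an unsalted SHA256 record can be re-hashed only when the plaintext is available, for example at a successful login. The record format, parameter values and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy values for illustration; not OpenVPN AS's actual settings.
HASH_NAME = "sha256"     # (2) hash function
ITERATIONS = 600_000     # (3) rounds
SALT_LEN = 16            # (1) salt length in bytes

def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Build a self-describing record: pbkdf2$hash$iterations$salt_hex$dk_hex."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, iterations)
    return f"pbkdf2${HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against a PBKDF2 record or a legacy unsalted SHA256 hex digest."""
    if stored.startswith("pbkdf2$"):
        _, name, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac(name, password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    legacy = hashlib.sha256(password.encode()).digest()
    return hmac.compare_digest(legacy, bytes.fromhex(stored))

def needs_upgrade(stored: str) -> bool:
    """True for legacy records and for PBKDF2 records weaker than current policy."""
    if not stored.startswith("pbkdf2$"):
        return True
    _, name, iters, salt_hex, _ = stored.split("$")
    return (name != HASH_NAME or int(iters) < ITERATIONS
            or len(salt_hex) // 2 < SALT_LEN)

def login(db: dict, user: str, password: str) -> bool:
    """Authenticate; on success, re-hash weak records while the plaintext is in hand."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if needs_upgrade(stored):
        db[user] = hash_pbkdf2(password)
    return True
```

Because the parameters are stored in each record, an audit can read the salt length, hash name and iteration count directly from the stored value instead of relying on release notes.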