more questions regarding password hashes
I actually read the manpage this time on password-crypt-salt-format but
still have some questions. It seems that only one salt format can be
specified at a time but I'm wondering about the salt itself. A user can
never specify what the salt string will be since the 2nd paragraph of
that setting's description states the conversion will be substituted
with a string of random characters, is that correct? And after reading
the crypt(3) manpage it seems that the salt only applies to {CRYPT}
passwords so that means it won't work (or be used) for SHA passwords
(making them SSHA). Is that correct? I would guess it isn't correct
based on the next paragraph.
The manpage states the default hash is SSHA (although I recently found
out that on Debian with OpenLDAP 2.2.30 cleartext is the default) so I
guess the salts do work with SHA to make SSHA passwords. If that is the
case how does one have control over whether a salted or unsalted
password is created if programmatically modifying a password by using
the LDAP password extension or some other API? Is it a matter of either
having salted or unsalted passwords (but not both at the same time)
depending on whether the password-crypt-salt-format setting is configured?
One last question: if a salt is used with MD5, for example, is the
password's hash prefixed with {SMD5} or is {MD5} still used?
All these hashes are confusing so I'm trying to get things clear in my head.
Thanks