Re: more questions regarding password hashes
Brandon McCombs wrote:
Howard Chu wrote:
Brandon McCombs wrote:
I actually read the manpage this time on password-crypt-salt-format
but still have some questions. It seems that only one salt format
can be
One last question, if a salt is used with MD5 for example, is the
password's hash prefixed with {SMD5} or is {MD5} still used?
All these hashes are confusing so I'm trying to get things clear in
my head.
No. No salt is used with MD5 or SHA. The salt that is used with SMD5
or SSHA is generated randomly. The password-crypt-salt-format only
applies to crypt, just as it's documented.
That doesn't seem to answer all my questions. I realize no salt is used
with MD5/SHA, otherwise they would be SMD5 and SSHA. And I realize the
salt used is generated randomly. The question is how does a person
choose to use a salt or not use a salt if they have no control over what
the salt is?
They don't.
What determines whether a salt is applied?
Whether the configured hash uses a salt or not.
If a salt is
specified in the conf file then it applies to everyone and no one can
choose *not* to use it, is that correct?
You don't specify a salt in the slapd.conf file. You *can* specify a *format*
for a salt *for the crypt mechanism* but that's all. If the crypt hash isn't
being used, then all of this is irrelevant.
If so then if they want to use
MD5 or SMD5, what do they need to do differently for each in order for
the password to be stored correctly?
Nothing.
If I'm calculating the hash for
them to store the hashed password using an API, then I need to know what
I need to do about the salt (so far it seems nothing) but I also need to
know whether it even makes sense to give them the option of making
salted or unsalted hashes or if the server is going to control all that
anyway.
The server controls all of that, you shouldn't be computing any hashes in
client side code. The PasswordModify exop takes a plaintext password as
input; all hashing is done on the server.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/
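What the exchange above describes can be made concrete by looking at the stored userPassword value itself. The example below is added here; it is not code from this thread or from OpenLDAP. It builds and checks RFC 2307-style values for {MD5}, {SMD5}, {SHA} and {SSHA}: an unsalted scheme stores base64(digest), a salted scheme stores base64(digest || salt). The salt is random, is never chosen by the user, and travels inside the stored value, so a verifier recovers it from the value and the client never needs to know it. Assumptions: a 4-byte salt (the size slappasswd uses by default, to the best of my knowledge), and the function names make_hash/decode/verify are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# RFC 2307-style scheme label -> (hash constructor, whether the scheme is salted).
# Salted values are base64(digest || salt); unsalted values are base64(digest).
SCHEMES = {
    "MD5":  (hashlib.md5,  False),
    "SMD5": (hashlib.md5,  True),
    "SHA":  (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
}

# Assumption for this example: 4 random salt bytes, as slappasswd does by default.
SALT_BYTES = 4


def make_hash(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Return a userPassword value such as '{SSHA}...' for the given scheme.

    For an unsalted scheme any supplied salt is ignored: the scheme, not the
    caller, decides whether a salt is used.
    """
    scheme = scheme.upper()
    hash_fn, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if not salted:
        return "{%s}%s" % (scheme, base64.b64encode(hash_fn(pw).digest()).decode("ascii"))
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hash_fn(pw + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def decode(stored: str) -> Tuple[str, bytes, bytes]:
    """Split a stored value into (scheme, digest, salt); salt is b'' for unsalted schemes."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a {SCHEME}-prefixed value")
    close = stored.index("}")
    scheme = stored[1:close].upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    hash_fn, salted = SCHEMES[scheme]
    data = base64.b64decode(stored[close + 1:])
    size = hash_fn().digest_size
    if len(data) < size or (not salted and len(data) != size):
        raise ValueError("decoded length does not match scheme %s" % scheme)
    return scheme, data[:size], (data[size:] if salted else b"")


def verify(stored: str, password: str) -> bool:
    """Check a plaintext password against a stored value; the salt is read from the value."""
    scheme, digest, salt = decode(stored)
    hash_fn, _ = SCHEMES[scheme]
    candidate = hash_fn(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    for name in ("MD5", "SMD5", "SHA", "SSHA"):
        value = make_hash("secret", name)
        print(name, value, verify(value, "secret"), verify(value, "wrong"))
```

Two SSHA values for the same password differ because the salt differs, yet both verify; that is what "the server controls all of that" means in practice. To cross-check the format against the real tool, compare the output with `slappasswd -h '{SSHA}' -s secret` and feed that value to `verify`. In production, do what Howard says: send the plaintext over a protected connection with `ldappasswd`, which uses the PasswordModify extended operation, and let slapd pick the scheme and salt.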