Re: {CRYPT} password to {SHA}
Buchan Milne writes:
>On Wednesday 04 June 2008 20:02:55 Jeroen van Aart wrote:
>> Currently we use {CRYPT} passwords. I would like to know if there is a
>> way to use {SHA} passwords.
>
> Yes. See for example the slappasswd man page.
Though why use SHA instead of the default SSHA (salted SHA)?
Even CRYPT passwords have a salt.
>> Could existing passwords be in some way
>> converted to {SHA}?
>
> Except by brute-forcing, no.
You could write an overlay to intercept Simple Bind operations:
If the current userPassword is a {CRYPT} and the user-provided
password matches it, SHA-hash the user-provided password and
replace the stored CRYPT with the new SHA. Though this does make
it a bit dubious to claim that the new SHA hash has the strength
of SHA rather than the strength it inherited from CRYPT...
> (...) The best option here is to change the default password hashing
> method (see the 'password-hash' directive for slapd.conf), and force
> password changes (if done via an LDAP password change extended
> operation, slapd will take care of hashing the password correctly).
And there ought to be a password expiry policy in place so users
will need to change old passwords anyway. If LDAP is your
authoritative store for passwords, see man slapo-ppolicy.
--
Hallvard
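An added example (not from this thread or from OpenLDAP) of the rehash-on-bind idea above, written in Python: verify the stored userPassword, and on a successful bind against a legacy {SHA} or {CRYPT} value return the same password re-encoded as RFC 2307 {SSHA}. Function names are my own; {CRYPT} checking relies on Python's crypt module where it is still available.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

try:
    import crypt  # deprecated in 3.11, removed in 3.13: {CRYPT} checks need it
except ImportError:
    crypt = None


def sha_hash(password: str) -> str:
    """Legacy unsalted {SHA} value, as a server with password-hash {SHA} would store it."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 {SSHA}: base64(SHA1(password || salt) || salt), random 8-byte salt by default."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(stored: str, password: str) -> bool:
    """Check a userPassword value in {SHA}, {SSHA} or {CRYPT} form (constant-time compare)."""
    scheme, _, value = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(value), hashlib.sha1(password.encode()).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(value)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    if scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("crypt(3) not available in this Python")
        return hmac.compare_digest(crypt.crypt(password, value), value)
    raise ValueError(f"unsupported scheme {scheme}")


def bind_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Simulate the overlay: on a successful bind against a legacy hash, hand back an {SSHA} value.

    The caller (the overlay) would write the returned value into userPassword; a failed bind
    leaves the entry untouched. The new hash is only as strong as the password itself.
    """
    if not verify(stored, password):
        return False, stored
    if stored.upper().startswith("{SSHA}"):
        return True, stored  # already in the target scheme, nothing to do
    return True, ssha_hash(password)
```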