
Re: Encryption or hash for password?



Gerhardus Geldenhuis wrote:
> Hi
> I am using the default Ubuntu 12.10 openldap installation and have
> inherited an existing ldap setup. When I do a slapcat -n 1
> 
> It shows userPassword entries as follows:
> 
> userPassword::
> e2NyeFB0fSQxJEkwKGc3bGJjJFpwL3JndlpCZDBlSPZuZGdoMFczTC8=
Attributes which end in a double colon are base64 encoded.

> ( password string has been edited... )
> 
> I am not sure how this is encoded... is there a way to find out?
$ echo -n e1NTSEF9RndkTDkxVitzclFOTVJzR003dHNQMFptWGhySU1KVSs= |base64 -d 
{SSHA}FwdL91V+srQNMRsGM7tsP0ZmXhrIMJU+


I have written a small script "slappasswd-schemes" to show you
all password schemes and how to generate and use them.
Just give a password as param 1. Here is the output:


$ ./slappasswd-schemes secret

All passwords are generated twice. If both are equal, 
the scheme does NOT use a salt.

In ldif syntax use either:

userPassword: {SSHA}2kleHu61nroaBkjRbw5/mT3JDQr/CLKz
or the base64 encoded version
userPassword:: e1NTSEF9RndkTDkxVitzclFOTVJzR003dHNQMFptWGhySU1KVSs=

for a SSHA password. 

And now, all password hashes for the secret: secret

scheme: {CLEARTEXT}
secret
secret
c2VjcmV0

scheme: {MD5}
{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
e01ENX1YcjRpbE96UTRQQ09xM2FRMHFidWFRPT0=

scheme: {SMD5}
{SMD5}AkT8L79k1jKIcXvzQk18X1rXVE0=
{SMD5}KUAebeV3hV5w5i05vkH18wTwywM=
e1NNRDV9SURyaDNoUUN2aVhxQ1V5VVRwOVh1NEcrbUlrPQ==

scheme: {SHA}
{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
e1NIQX01ZW42RzZNZXpScm9UM1hLcWtkUE9tWS9CZlE9

scheme: {SSHA}
{SSHA}x10c3ncQnuohi5EzyMHu0pnMJ/Z/mdni
{SSHA}9KFIC520ErEtljnQJgazgkHHQy0c1ZxV
e1NTSEF9YjZwZVdkNjNoNWJ3SE1PYkJ2b3JVNmUwSFR4OWI2NFQ=

scheme: {CRYPT}
{CRYPT}vqn1iuQszHYmM
{CRYPT}Hz1hVbBFKmjnc
e0NSWVBUfVhBdFIwajh1RnNnY3M=

scheme: {CRYPT} (MD5 based)
{CRYPT}$1$fo2VmL12$.ElUOfaInJuVNWBrjXKpl/
{CRYPT}$1$ElnV9mg.$4kB2A38bsPdS.YdHONltV0
e0NSWVBUfSQxJEFNTzAyL3hDJHpnTlNWdXBhOHhGRklnLmVOY2dlUDA=

### The script
#!/bin/bash
cat <<end
All passwords are generated twice. If both are equal, 
the scheme does NOT use a salt.

In ldif syntax use either:

userPassword: {SSHA}2kleHu61nroaBkjRbw5/mT3JDQr/CLKz
or the base64 encoded version
userPassword:: e1NTSEF9RndkTDkxVitzclFOTVJzR003dHNQMFptWGhySU1KVSs=

for a SSHA password. 

And now, all password hashes for the secret: $1

end

# Hash schemes passed to slappasswd -h
schemes="CLEARTEXT MD5 SMD5 SHA SSHA CRYPT"

for sch in $schemes ; do
        echo "scheme: {$sch}"
        # Two runs: identical output means the scheme does not use a salt
        /usr/sbin/slappasswd -h "{$sch}" -s "$1"
        /usr/sbin/slappasswd -h "{$sch}" -s "$1"
        # A further run, base64 encoded for the "userPassword::" form
        echo -n "$(/usr/sbin/slappasswd -h "{$sch}" -s "$1")" | base64
        echo
done

# Same again for {CRYPT} with an MD5-based ($1$) salt format
echo 'scheme: {CRYPT} (MD5 based)'
/usr/sbin/slappasswd -c '$1$%.8s' -s "$1"
/usr/sbin/slappasswd -c '$1$%.8s' -s "$1"
echo -n "$(/usr/sbin/slappasswd -c '$1$%.8s' -s "$1")" | base64
echo
 

-- 

Harry Jede

Attachment: slappasswd-schemes
Description: application/shellscript
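
The decoding step from the message above, carried one step further, as an added example that is not part of the original post or of OpenLDAP: it decodes a `userPassword::` value, names the scheme, splits off the salt, and checks a candidate password against the hash-based schemes. The function names are hypothetical, and `{CRYPT}` values are only identified, not verified, since they need the system's crypt(3).

```python
import base64
import hashlib
import hmac

# hashlib name and digest length for the hash-based schemes shown in the post
DIGESTS = {"MD5": ("md5", 16), "SMD5": ("md5", 16),
           "SHA": ("sha1", 20), "SSHA": ("sha1", 20)}


def parse_userpassword(value, is_base64=False):
    """Return (scheme, payload) for an LDIF userPassword value.

    Pass is_base64=True for the double-colon form ("userPassword:: ...").
    """
    if is_base64:
        value = base64.b64decode(value).decode("ascii")
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.upper(), payload
    return "CLEARTEXT", value  # no {SCHEME} prefix: stored as-is


def split_salt(scheme, payload):
    """Split a hash payload into (digest, salt); salt is b"" when unsalted."""
    _, size = DIGESTS[scheme]
    raw = base64.b64decode(payload)
    return raw[:size], raw[size:]


def verify(password, value, is_base64=False):
    """Check a candidate password against a stored userPassword value."""
    scheme, payload = parse_userpassword(value, is_base64)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(password.encode(), payload.encode())
    if scheme not in DIGESTS:
        raise ValueError("unsupported scheme: " + scheme)  # e.g. CRYPT
    digest, salt = split_salt(scheme, payload)
    # Salted schemes store HASH(password + salt) followed by the salt itself
    calc = hashlib.new(DIGESTS[scheme][0], password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)


if __name__ == "__main__":
    # base64 value quoted in the message above
    sample = "e1NTSEF9RndkTDkxVitzclFOTVJzR003dHNQMFptWGhySU1KVSs="
    scheme, payload = parse_userpassword(sample, is_base64=True)
    print(scheme, "salt bytes:", len(split_salt(scheme, payload)[1]))
    print(verify("secret", "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="))
```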