SSHA hashed passwords && retrieving the salt
Hello,
I want to understand how to retrieve the 'salt' which was used by the
LDAP server to hash a user's password with seeded sha1, i.e. SSHA;
when I do a ldapsearch from the UNIX cmd line I get the attribute as:
$ ldapsearch -h 10.45.xx.xx -p 389 -x -D ... 'cn=jrXXXXX'
...
dn: cn=jrXXXXX,ou=user,ou=....
userPassword:: e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q=
...
the above string I can decode with:
$ echo -n 'e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q=' | mmencode -u
{SSHA}MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD
but now I'm lost how to retrieve the 'salt' from it :-(
I have googled around and see examples for this like in
http://www.pressinganswer.com/444023/how-can-i-retrieve-a-salt-from-ldap
<CITED ON>
With SSHA, normally the salt is appended to the SHA1 hash and then the
whole thing is Base64 encoded (I've never seen an LDAP that didn't do
SSHA this way). You should be
able to tell this by looking at the userPassword attribute. If it's 28
characters long with a = at the end, it's only the hash.
If the Base64 value is 32 characters long or greater, it contains both
the hash and the salt. Base64 decode the value and strip off the first
20 bytes; this is the SHA1 hash. The remaining bytes are the salt.
Example:
Base64 encoded hash with salt
userPassword: {SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0
Base64 decoded value
SHA1 Hash Salt
--------------------++++
123456789012345678901234
<CITED OFF>
I can repeat the given example with:
$ echo -n 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0' | mmencode -u
123456789012345678901234
but when I run the original string through decode, I get only binary nonsense from:
echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u
2
§íRùÞÃgð
What am I doing wrong, or what am I missing here?
The 'mmencode' used is on FreeBSD 10-CURRENT from a pkg:
$ pkg_info -W /usr/local/bin/mmencode
/usr/local/bin/mmencode was installed by package metamail-2.7_9
if this matters at all.
Thanks
matthias
--
Matthias Apitz | /"\ ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: guru@unixarea.de | \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ | X - No proprietary attachments
phone: +49-170-4527211 | / \ - Respect for open standards
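Added worked example (not code from Matthias' post or from the quoted pressinganswer.com answer): it performs the two decodings the post does by hand, the LDIF "::" base64 layer and the {SSHA} payload, splits the payload into the 20-byte SHA-1 digest and the trailing salt, and shows how a server verifies a password against that value. The two input values are taken from the post; the password 'correct horse' and salt b'abcd' in the round trip are constructed for illustration, and the hypothetical helper names (ldif_value, split_ssha, make_ssha, verify_ssha, inspect_ssha) are mine.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # a SHA-1 digest is always 20 bytes; whatever follows it is the salt


def ldif_value(line):
    """Return the value of one LDIF attribute line.

    'attr: value' carries the value literally; 'attr:: value' carries it
    base64-encoded, which is how ldapsearch prints userPassword.
    """
    _attr, _sep, rest = line.partition(':')
    if rest.startswith(':'):
        return base64.b64decode(rest[1:].strip()).decode('utf-8')
    return rest.strip()


def split_ssha(value):
    """Split a '{SSHA}<base64>' value into (sha1_digest, salt).

    The base64 payload is digest || salt: the first 20 bytes are the SHA-1
    digest, everything after them is the salt (4 bytes in the post's data).
    """
    if not value.startswith('{SSHA}'):
        raise ValueError('not an {SSHA} value: %r' % value)
    payload = value[len('{SSHA}'):]
    payload += '=' * (-len(payload) % 4)          # tolerate stripped padding
    raw = base64.b64decode(payload)
    if len(raw) < SHA1_LEN:
        raise ValueError('payload shorter than a SHA-1 digest')
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)   # same 4-byte salt length as the post's value
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def verify_ssha(password, value):
    """Recompute the digest with the stored salt and compare in constant time."""
    stored_digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return hmac.compare_digest(candidate, stored_digest)


def inspect_ssha(value):
    """Show the split as hex, since the raw digest bytes are not printable."""
    digest, salt = split_ssha(value)
    return {'digest_hex': digest.hex(), 'salt_hex': salt.hex(),
            'salt_len': len(salt)}


# Both values are taken from the post: the LDIF line exactly as ldapsearch
# printed it, and the worked example quoted from pressinganswer.com.
LDIF_LINE = 'userPassword:: e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q='
QUOTED_EXAMPLE = '{SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0'

if __name__ == '__main__':
    value = ldif_value(LDIF_LINE)
    print(value)                         # {SSHA}MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD
    print(inspect_ssha(value))           # 20-byte digest and 4-byte salt, as hex
    print(inspect_ssha(QUOTED_EXAMPLE))  # salt_hex '31323334', i.e. b'1234'
    # Round trip with a constructed password and salt (not from the post).
    fresh = make_ssha('correct horse', salt=b'abcd')
    print(verify_ssha('correct horse', fresh), verify_ssha('wrong', fresh))  # True False
```

The "binary nonsense" from mmencode is the expected result: the first 20 bytes of the decoded payload are a raw SHA-1 digest, which is why the quoted example (built from the printable digits 1234567890) decodes cleanly while a real hash does not. Viewing the bytes as hex, as inspect_ssha does, or piping mmencode's output through hexdump makes the 20/4 split visible; the salt is the last four bytes.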