directory-dev mailing list archives

From "Frank Fischer (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (DIRSTUDIO-738) Modular Crypt Format Salts are incorrectly displayed
Date Fri, 08 Jan 2016 12:21:39 GMT

    [ https://issues.apache.org/jira/browse/DIRSTUDIO-738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15089130#comment-15089130 ]

Frank Fischer edited comment on DIRSTUDIO-738 at 1/8/16 12:21 PM:
------------------------------------------------------------------

Old issue, but I encounter the same problem in all versions up to 2.0.0-M10.

The modular crypt format embeds the hashing algorithm used, the salt and the hash.

{code:title=man crypt 3|borderStyle=solid}
            ID     | Method
            ─────────────────────────────────────────────────────────
              1    | MD5
              2a   | Blowfish (not in mainline glibc; added in some Linux distributions)
              5    | SHA-256 (since glibc 2.7)
              6    | SHA-512 (since glibc 2.7)
{code}

{code:title=Example|borderStyle=solid}

$6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1

        $6$ : SHA-512 is used
   af1ae9db : Salt
Viz...n49.1 : Hash (shortened for clarification) (cleartext: 'secret')
{code}

If you now put the value from the example into a userPassword field of OpenLDAP like this
{code}{CRYPT}$6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1{code}
and OpenLDAP is running on a Linux system having glibc >= 2.7, the authentication works,
but DirectoryStudio is not able to verify the password, nor to display the salt.

Judging from CODEC-133 and reading https://commons.apache.org/proper/commons-codec/apidocs/org/apache/commons/codec/digest/Crypt.html
parts of the needed functionality are already available in Java.



was (Author: frankfischer):
Old issue, but I encounter the same problem in all versions up to 2.0.0-M10.

The modular crypt format embeds the hashing algorithm used, the salt and the hash.

{code:title=man crypt 3|borderStyle=solid}
            ID     | Method
            ─────────────────────────────────────────────────────────
              1    | MD5
              2a   | Blowfish (not in mainline glibc; added in some Linux distributions)
              5    | SHA-256 (since glibc 2.7)
              6    | SHA-512 (since glibc 2.7)
{code}

{code:title=Example|borderStyle=solid}

$6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1

        $6$ : SHA-512 is used
   af1ae9db : Salt
Viz...n49.1 : Hash (shortened for clarification)
{code}

If you now put the value from the example into a userPassword field of OpenLDAP like this
{code}{CRYPT}$6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1{code}
and OpenLDAP is running on a Linux system having glibc >= 2.7, the authentication works,
but DirectoryStudio is not able to verify the password, nor to display the salt.

Judging from CODEC-133 and reading https://commons.apache.org/proper/commons-codec/apidocs/org/apache/commons/codec/digest/Crypt.html
parts of the needed functionality are already available in Java.


> Modular Crypt Format Salts are incorrectly displayed
> ----------------------------------------------------
>
>                 Key: DIRSTUDIO-738
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-738
>             Project: Directory Studio
>          Issue Type: Bug
>          Components: studio-ldapbrowser
>    Affects Versions: 1.5.3
>         Environment: Ubuntu 11.04, Eclipse Indigo
>            Reporter: Justin Dugger
>            Priority: Minor
>
> CRYPT passwords embed multiple values into a single field, in particular the algorithm and the salt used. This method is known as Modular Crypt Format
> http://www.tummy.com/journals/entries/jafo_20110117_054918
> When given a userPassword field described using this system, the "show password details" display on the value editor gets the salt wrong and fails to verify.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
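
Added example, not part of the message above and not Directory Studio code: a parser that splits a {CRYPT} userPassword value into the method, salt and hash fields a "show password details" view would need to display. It goes beyond the comment's single SHA-512 case by also handling the optional SHA-crypt "rounds=N" field and the bcrypt layout; the names parse_user_password and CryptValue are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# crypt(3) IDs from the table quoted in the comment, with the hash length each produces.
METHODS = {"1": ("MD5", 22), "2a": ("Blowfish", 31), "5": ("SHA-256", 43), "6": ("SHA-512", 86)}
B64 = r"[./0-9A-Za-z]"  # crypt's own base64 alphabet, not RFC 4648

class CryptValue(NamedTuple):
    method: str
    salt: str
    digest: str
    rounds: Optional[int]  # SHA-crypt "rounds=N" or the bcrypt cost; None if absent

def parse_user_password(value: str) -> CryptValue:
    """Split an LDAP userPassword value such as '{CRYPT}$6$salt$hash' into its fields."""
    m = re.fullmatch(r"\{crypt\}\$([0-9a-z]+)\$(.*)", value, re.IGNORECASE)
    if not m:
        raise ValueError("not a {CRYPT} value in modular crypt format")
    ident, rest = m.group(1), m.group(2)
    if ident not in METHODS:
        raise ValueError(f"unknown crypt id ${ident}$")
    method, digest_len = METHODS[ident]
    rounds = None
    if ident == "2a":
        # bcrypt: $2a$<cost>$ then a 22-char salt and 31-char hash with no separator
        b = re.fullmatch(rf"(\d\d)\$({B64}{{22}})({B64}{{31}})", rest)
        if not b:
            raise ValueError("malformed bcrypt body")
        return CryptValue(method, b.group(2), b.group(3), int(b.group(1)))
    # SHA-crypt may carry an optional "rounds=N$" field before the salt
    r = re.match(r"rounds=(\d+)\$", rest) if ident in ("5", "6") else None
    if r:
        rounds, rest = int(r.group(1)), rest[r.end():]
    salt, sep, digest = rest.partition("$")
    max_salt = 8 if ident == "1" else 16  # longest salt each method uses
    if not sep or not re.fullmatch(rf"{B64}{{0,{max_salt}}}", salt):
        raise ValueError("malformed salt")
    if not re.fullmatch(rf"{B64}{{{digest_len}}}", digest):
        raise ValueError(f"{method} hash must be {digest_len} characters")
    return CryptValue(method, salt, digest, rounds)

if __name__ == "__main__":
    # The userPassword value from the comment above.
    sample = ("{CRYPT}$6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56"
              "bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1")
    print(parse_user_password(sample))
```

The parser only separates and validates the fields; checking a cleartext password still needs a crypt(3) implementation such as the commons-codec Crypt class linked in the comment.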
