directory-users mailing list archives

From Emmanuel Lecharny <elecha...@gmail.com>
Subject Re: [ApacheDS] Hash question
Date Fri, 08 Oct 2010 15:41:17 GMT
  On 10/8/10 3:43 PM, Jason Russler wrote:
>
>>>
>>> So if you currently have
>>> $1$PzZV2WYK$Asd3JtTFOwR3JnNTPjxDq/
>>> in /etc/shadow, you can try
>>> {MD5}PzZV2WYK$Asd3JtTFOwR3JnNTPjxDq/
>>
>> As your example hash is salted, it should be:
>> {SMD5}PzZV2WYK$Asd3JtTFOwR3JnNTPjxDq/
>
> This isn't going to work.  I think Apache DS uses a different sized 
> salt for SMD5 than a typical shadow file - either that or a larger 
> resultant hash value.  Ah, well, I suppose I can use the "migrate" 
> feature of the pam_ldap module.  Too bad, Apache DS appears to be a 
> lot easier to deal with (in every other respect) than the other LDAP 
> systems I've dealt with.  I'm very new to it....
>
FYI, we are using the Java MessageDigest class to encode the password 
in Studio, and we assume in the server that the salt is 8 bytes long:

...
        int algoLength = encryptionMethod.algorithm.getName().length() + 2;
...
            case HASH_METHOD_SMD5:
                try
                {
                    // The password is associated with a salt. Decompose it
                    // in two parts, after having decoded the password.
                    // The salt will be stored into the EncryptionMethod structure
                    // The salt is at the end of the credentials, and is 8 bytes long
                    byte[] passwordAndSalt = Base64.decode( new String( credentials, algoLength,
                        credentials.length - algoLength, "UTF-8" ).toCharArray() );

                    int saltLength = passwordAndSalt.length - MD5_LENGTH;
                    encryptionMethod.salt = new byte[saltLength];
                    byte[] password = new byte[MD5_LENGTH];
                    split( passwordAndSalt, 0, password, encryptionMethod.salt );

                    return password;
                }

Here, algoLength is the length for the string "{SMD5}" or whatever 
algorithm you used.

However, you should *not* use MD5 as it's considered broken...

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
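As an added illustration (not ApacheDS or Studio code, written in Python rather than the server's Java), this mirrors the {SMD5} layout the quoted server code assumes: strip the "{SMD5}" prefix (algorithm name plus two braces), base64-decode, take the first 16 bytes as the MD5 digest and the remainder as the salt. It also shows why the $1$ value from /etc/shadow cannot simply be relabelled: the "$" is not base64, the hash uses crypt's own alphabet, and md5crypt is an iterated scheme rather than MD5(password || salt), so such accounts have to be re-hashed from the plaintext (for example via the pam_ldap migration route mentioned in the thread). The sample password and salt are constructed values.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

MD5_LENGTH = 16  # an MD5 digest is 16 bytes; matches the server's MD5_LENGTH constant
DEFAULT_SALT_LENGTH = 8  # the salt size the quoted comment says the server assumes


def encode_smd5(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307-style value: "{SMD5}" + base64(MD5(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LENGTH)
    digest = hashlib.md5(password + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def split_smd5(credentials: str) -> Tuple[bytes, bytes]:
    """Mirror the quoted Java: skip "{SMD5}" (algoLength = name length + 2), decode,
    first 16 bytes are the digest, whatever follows is the salt."""
    algo_length = len("SMD5") + 2
    password_and_salt = base64.b64decode(credentials[algo_length:], validate=True)
    if len(password_and_salt) <= MD5_LENGTH:
        raise ValueError("decoded value has no room for a digest and a salt")
    return password_and_salt[:MD5_LENGTH], password_and_salt[MD5_LENGTH:]


def check_smd5(credentials: str, candidate: bytes) -> bool:
    """Verify a candidate password against a stored {SMD5} value (constant-time compare)."""
    digest, salt = split_smd5(credentials)
    return hmac.compare_digest(hashlib.md5(candidate + salt).digest(), digest)


def is_parseable_smd5(credentials: str) -> bool:
    """True only if the value has the digest-then-salt layout the server expects.
    A $1$ shadow hash pasted behind "{SMD5}" fails here: '$' is not base64 data."""
    try:
        split_smd5(credentials)
    except (binascii.Error, ValueError):
        return False
    return True


if __name__ == "__main__":
    stored = encode_smd5(b"secret", b"12345678")  # constructed sample with a fixed 8-byte salt
    print(stored, check_smd5(stored, b"secret"))
    print(is_parseable_smd5("{SMD5}PzZV2WYK$Asd3JtTFOwR3JnNTPjxDq/"))  # the value from the thread
```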

