10-25-2008, 08:18 AM
Chris Hiestand

How To Hash passwords with SHA-1 in pam?

This seems like such an obvious request, and I have spent an
inordinate amount of time searching for it, but I haven't found SHA-1
support for (Debian) PAM.


pam_unix supports SHA2 (SHA256, SHA512) but not SHA-1

pam_unix2 supports Blowfish, but not SHA-1

Is there an out of the box solution to authenticate SHA-1 passwords
via pam? And yes, I know SHA-1 is pretty much cryptographically
broken, but I would still like to find support for it.


Thanks,
Chris
 
10-25-2008, 06:38 PM
Richard A Nelson

How To Hash passwords with SHA-1 in pam?

On Sat, 25 Oct 2008, Chris Hiestand wrote:

Is there an out of the box solution to authenticate SHA-1 passwords via pam?
And yes, I know SHA-1 is pretty much cryptographically broken, but I would
still like to find support for it.


Move the user data to LDAP:

Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
{SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.

{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the
latter with a seed.

{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
with a seed.

{CRYPT} uses the crypt(3).

{CLEARTEXT} indicates that the new password should be added to
userPassword as clear text.


--
Rick Nelson
C'mon! political protest! sheesh. Where's that anarchist spirit? ;-)
-- Decklin Foster
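
The {SHA} and {SSHA} values listed in the reply above are base64 encodings of the SHA-1 digest, with the salt (the "seed") appended after the digest in the {SSHA} case. The following Python code is an added example, not part of the original thread and not OpenLDAP's own code; it builds and verifies both forms, and the function names and sample passwords are made up for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def make_sha(password: bytes) -> str:
    """Unsalted form: {SHA} + base64(SHA1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Salted form: {SSHA} + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: bytes, stored: str) -> bool:
    """Check a password against a {SHA} or {SSHA} userPassword value."""
    scheme, sep, b64 = stored.partition("}")
    scheme = scheme.upper() + sep
    if scheme not in ("{SHA}", "{SSHA}"):
        raise ValueError(f"unsupported scheme: {scheme!r}")
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # The first 20 bytes are the digest; anything after them is the salt.
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN or (scheme == "{SHA}") != (salt == b""):
        return False  # truncated digest, or salt presence contradicts the scheme
    expected = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(make_sha(b"password"))   # identical for every user with this password
    print(make_ssha(b"password"))  # differs on each call because of the random salt
    print(make_ssha(b"password"))
    print(verify(b"password", make_ssha(b"password")))
```

Neither form is a crypt(3) string, which is why such a value cannot simply be copied into the shadow file for pam_unix to check.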


 
10-27-2008, 09:09 PM
Chris Hiestand

How To Hash passwords with SHA-1 in pam?

Richard,

Thanks for your reply, but actually I'd like to have passwords stored
in a flat file (shadow) while using an ldap server as the central
repository. This way ldap (or libnss-ldap) bugs, network issues, and
server downtime wouldn't affect client authentication or mail
delivery. Since SSHA-1 is the strongest hash openldap currently allows
out of the box, I was hoping dumping to a flatfile or two would be as
simple as configuring pam to allow it.


I'm considering using this module (http://confluence.atlassian.com/display/JIRAEXT/OpenLDAP+support+for+SHA-2+(SHA-256,+SHA-384,+SHA-512)+and+atlassian-sha1+passwords)
to store SHA2 passwords in openldap - and SHA2 is supported by
pam_unix.


-Chris

On Oct 25, 2008, at 11:38 AM, Richard A Nelson wrote:


On Sat, 25 Oct 2008, Chris Hiestand wrote:

Is there an out of the box solution to authenticate SHA-1 passwords
via pam? And yes, I know SHA-1 is pretty much cryptographically
broken, but I would still like to find support for it.


Move the user data to LDAP:

Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
{SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.

{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the
latter with a seed.

{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
with a seed.

{CRYPT} uses the crypt(3).

{CLEARTEXT} indicates that the new password should be added to
userPassword as clear text.


--
Rick Nelson
C'mon! political protest! sheesh. Where's that anarchist spirit? ;-)
-- Decklin Foster
 
