How To Hash passwords with SHA-1 in pam?
Richard,
Thanks for your reply, but actually I'd like to have passwords stored
in a flat file (shadow) while using an ldap server as the central
repository. This way ldap (or libnss-ldap) bugs, network issues, and
server downtime wouldn't affect client authentication or mail
delivery. Since SSHA-1 is the strongest hash openldap currently allows
out of the box, I was hoping dumping to a flatfile or two would be as
simple as configuring pam to allow it.
I'm considering using this module
(http://confluence.atlassian.com/display/JIRAEXT/OpenLDAP+support+for+SHA-2+(SHA-256,+SHA-384,+SHA-512)+and+atlassian-sha1+passwords)
to store SHA2 passwords in openldap - and SHA2 is supported by
pam_unix.
-Chris
On Oct 25, 2008, at 11:38 AM, Richard A Nelson wrote:
On Sat, 25 Oct 2008, Chris Hiestand wrote:
Is there an out of the box solution to authenticate SHA-1 passwords
via pam? And yes, I know SHA-1 is pretty much cryptographically
broken, but I would still like to find support for it.
Move the user data to LDAP:
Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
{SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter
with a seed.
{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with
a seed.
{CRYPT} uses the crypt(3).
{CLEARTEXT} indicates that the new password should be added to
userPassword as clear text.
--
Rick Nelson
C'mon! political protest! sheesh. Where's that anarchist spirit? ;-)
-- Decklin Foster
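
The following is an added example, not code from either poster or from OpenLDAP: a parser and verifier for the {SHA}, {SSHA}, {MD5} and {SMD5} userPassword values listed in the quoted man page text. It assumes the usual OpenLDAP encoding, base64(digest + seed), which is not the crypt(3) `$id$salt$hash` string that pam_unix reads from shadow; `make_ssha` and `verify` are hypothetical names.

```python
import base64
import hashlib
import hmac
import os

# Digest behind each scheme; salted schemes append the seed to the digest
# before base64 encoding (assumed OpenLDAP layout).
SCHEMES = {
    "{SHA}": ("sha1", False),
    "{SSHA}": ("sha1", True),
    "{MD5}": ("md5", False),
    "{SMD5}": ("md5", True),
}

def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(password, user_password):
    """Check a password (bytes) against a {SHA}/{SSHA}/{MD5}/{SMD5} value."""
    end = user_password.find("}")
    if not user_password.startswith("{") or end < 0:
        raise ValueError("no {SCHEME} prefix")
    scheme = user_password[: end + 1].upper()
    if scheme not in SCHEMES:
        # {CRYPT} needs crypt(3); {CLEARTEXT} is not a hash at all.
        raise ValueError("unsupported scheme " + scheme)
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(user_password[end + 1:], validate=True)
    except ValueError as exc:
        raise ValueError("payload is not valid base64") from exc
    size = hashlib.new(algo).digest_size
    # Unsalted schemes carry exactly one digest; salted ones digest + seed.
    if len(raw) < size or (len(raw) > size) != salted:
        raise ValueError("payload length does not match scheme")
    digest, salt = raw[:size], raw[size:]
    candidate = hashlib.new(algo, password + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)
```
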