Linux Archive


Nathan Kinder 09-22-2010 06:33 PM

SSHA and friends
 
On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
> Hi
>
> This is probably OT but I am not having much luck with google. How can
> I create SSHA512 strings? I have been using either a php script or
> slappasswd to create SSHA password but not sure how to do SSHA512.
> openssl can create the SHA512 digest but I am not sure how to add the
> random seed bit. My question probably illuminates my lack of
> understanding of the subject.



Why are you pre-hashing passwords? You can set the password storage
scheme to SSHA512 in 389 and provide a cleartext userPassword value to
the server and it will hash it for you.





> Best Regards
>
> In order to protect our email recipients, Betfair Group use SkyScan from
> MessageLabs to scan all Incoming and Outgoing mail for viruses.



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users






Ulf Weltman 09-22-2010 06:55 PM

SSHA and friends
 
On 9/22/2010 11:33 AM, Nathan Kinder wrote:
> On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
>> Hi
>>
>> This is probably OT but I am not having much luck with google. How
>> can I create SSHA512 strings? I have been using either a php script
>> or slappasswd to create SSHA password but not sure how to do
>> SSHA512. openssl can create the SHA512 digest but I am not sure how
>> to add the random seed bit. My question probably illuminates my lack
>> of understanding of the subject.
>
> Why are you pre-hashing passwords? You can set the password storage
> scheme to SSHA512 in 389 and provide a cleartext userPassword value
> to the server and it will hash it for you.


If generating LDIF with pre-hashed passwords or resetting a lost
nsslapd-rootpw or something like that, you can use the pwdhash
utility that comes with 389 DS:



# pwdhash -s SSHA512 secret12

{SSHA512}KssX4qTpaFxJveSJp8Dw5AXTgNmM3wYrmBLspsj6F+Pf2aN6WO0l8XUQy+z2zx8qknO+ToFFjkVae8f4oYX0Xlt1elA2UHKq











Brandon G 09-22-2010 06:56 PM

SSHA and friends
 
Nathan Kinder wrote:
> On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
>> Hi
>>
>> This is probably OT but I am not having much luck with google. How
>> can I create SSHA512 strings? I have been using either a php script
>> or slappasswd to create SSHA password but not sure how to do
>> SSHA512. openssl can create the SHA512 digest but I am not sure how
>> to add the random seed bit. My question probably illuminates my lack
>> of understanding of the subject.
>
> Why are you pre-hashing passwords? You can set the password storage
> scheme to SSHA512 in 389 and provide a cleartext userPassword value
> to the server and it will hash it for you.






Actually, as a side note I would like to know how the format of {SSHA}
and friends compare to the conventional unix $1$seed$hash for MD5,
$2$seed$hash etc and so forth. Notably, is it possible to convert a
$1$xxxx into a {MD5...} or similar hash. Where is the Seed in SSHA?
Is it a fixed length?



-Brandon




Rich Megginson 09-22-2010 07:20 PM

SSHA and friends
 
Gerrard Geldenhuis wrote:
>
> Hi
>
> This is probably OT but I am not having much luck with google. How can
> I create SSHA512 strings? I have been using either a php script or
> slappasswd to create SSHA password but not sure how to do SSHA512.
> openssl can create the SHA512 digest but I am not sure how to add the
> random seed bit. My question probably illuminates my lack of
> understanding of the subject.
>
Why do you want to create SSHA512 strings? If for the userPassword
values, you should only send userPassword in clear text to the directory
server and let the directory server hash the password.

Rich Megginson 09-22-2010 07:22 PM

SSHA and friends
 
Brandon G wrote:
> Nathan Kinder wrote:
>> On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
>>>
>>> Hi
>>>
>>> This is probably OT but I am not having much luck with google. How
>>> can I create SSHA512 strings? I have been using either a php script
>>> or slappasswd to create SSHA password but not sure how to do
>>> SSHA512. openssl can create the SHA512 digest but I am not sure how
>>> to add the random seed bit. My question probably illuminates my lack
>>> of understanding of the subject.
>>>
>> Why are you pre-hashing passwords? You can set the password storage
>> scheme to SSHA512 in 389 and provide a cleartext userPassword value
>> to the server and it will hash it for you.
>
>
> Actually, as a side note I would like to know how the format of {SSHA}
> and friends compare to the conventional unix $1$seed$hash for MD5,
> $2$seed$hash etc and so forth. Notably, is it possible to convert a
> $1$xxxx into a {MD5...} or similar hash.
389 does support MD5 and Salted (SMD5) hashes, specifically for
migration purposes. What format does $1$xxxx use?
> Where is the Seed in SSHA?
At the end.
> Is it a fixed length?
Yes, 8 bytes.

But note that you cannot convert MD5 to (S)SHA.
>
> -Brandon

Brandon G 09-22-2010 07:26 PM

SSHA and friends
 
Rich Megginson wrote:
> 389 does support MD5 and Salted (SMD5) hashes, specifically for
> migration purposes. What format does $1$xxxx use?
>

It has been used in unix for some time now. $1$SEED$HASH is MD5;
depending upon what OS you use the number differs in the hash. Years
ago I rewrote crypt for FreeBSD to use $3$ for SHA1. I know Redhat is
now using $6$ for a form of SHA, I don't know which one.

>> Where is the Seed in SSHA?
>>
> At the end.
>
>> Is it a fixed length?
>>
> Yes, 8 bytes.
>
> But note that you cannot convert MD5 to (S)SHA.


Where is the standard that defines what the hash format is for the
various {types} ?

This is basically to make migration easier, if I could reformat a
"$1$seed$hash" into "{SMD5}hashseed"? and stuff it into userPassword,
the users have no disruption.

-Brandon

Rich Megginson 09-22-2010 07:30 PM

SSHA and friends
 
Brandon G wrote:
> Rich Megginson wrote:
>
>> 389 does support MD5 and Salted (SMD5) hashes, specifically for
>> migration purposes. What format does $1$xxxx use?
>>
>>
>
> It has been used in unix for some time now. $1$SEED$HASH is MD5;
> depending upon what OS you use the number differs in the hash. Years
> ago I rewrote crypt for FreeBSD to use $3$ for SHA1. I know Redhat is
> now using $6$ for a form of SHA, I don't know which one.
>
>
>>> Where is the Seed in SSHA?
>>>
>>>
>> At the end.
>>
>>
>>> Is it a fixed length?
>>>
>>>
>> Yes, 8 bytes.
>>
>> But note that you cannot convert MD5 to (S)SHA.
>>
>
>
> Where is the standard that defines what the hash format is for the
> various {types} ?
>
> This is basically to make migration easier, if I could reformat a
> "$1$seed$hash" into "{SMD5}hashseed"? and stuff it into userPassword,
> the users have no disruption.
>
{SMD5}hashseed might just work.
> -Brandon

Rudolf Hatheyer 09-23-2010 07:47 AM

SSHA and friends
 
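Hi Gerrard,

I use PHP in my self-written user management webapp.

Here is a code snippet (part of a utility class) which works for me:

// Build an {SSHA} value: base64( SHA1(password . salt) . salt ).
protected function generateSSHAHash($plaintext) {
    // Seed mt_rand() from the microsecond part of the current time.
    mt_srand((double)microtime()*1000000);

    // Derive a 4-byte salt from the password and 8 pseudo-random bytes.
    $salt = $this->myhash_keygen_s2k(
        $plaintext,
        substr(pack('h*', md5(mt_rand())), 0, 8),
        4);
    // Raw 20-byte SHA-1 digest followed by the salt, base64-encoded.
    $hash = "{SSHA}".base64_encode(hash('sha1', $plaintext.$salt, TRUE).$salt);

    return $hash;
}

// Pack the hex SHA-1 of $salt . $pass into binary and return its first $bytes bytes.
protected function myhash_keygen_s2k($pass, $salt, $bytes) {
    return substr(pack("h*", sha1($salt . $pass)), 0, $bytes);
}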

Cheers, Rudolf

Gerrard Geldenhuis wrote:
>
> Hi
>
> This is probably OT but I am not having much luck with google. How can
> I create SSHA512 strings? I have been using either a php script or
> slappasswd to create SSHA password but not sure how to do SSHA512.
> openssl can create the SHA512 digest but I am not sure how to add the
> random seed bit. My question probably illuminates my lack of
> understanding of the subject.


--
Rudolf Hatheyer
alpha nova Betriebsgesm.b.H.

Idlhofgasse 59-63
8020 Graz
Tel: 0043/316/722622
Fax: 0043/316/722622-16
Mobil: 0699/14032570

http://www.alphanova.at
