Old 09-22-2010, 06:33 PM
Nathan Kinder
 
Default SSHA and friends

On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
> Hi
>
> This is probably OT but I am not having much luck with google. How can
> I create SSHA512 strings? I have been using either a php script or
> slappasswd to create SSHA password but not sure how to do SSHA512.
> openssl can create the SHA512 digest but I am not sure how to add the
> random seed bit. My question probably illuminates my lack of
> understanding of the subject.

Why are you pre-hashing passwords? You can set the password storage
scheme to SSHA512 in 389 and provide a cleartext userPassword value to
the server and it will hash it for you.

> Best Regards
>
> ________________________________________________________________________
> In order to protect our email recipients, Betfair Group use SkyScan from
> MessageLabs to scan all Incoming and Outgoing mail for viruses.
> ________________________________________________________________________
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users





 
Old 09-22-2010, 06:55 PM
Ulf Weltman
 
Default SSHA and friends

On 9/22/2010 11:33 AM, Nathan Kinder wrote:
> On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
>> Hi
>>
>> This is probably OT but I am not having much luck with google. How
>> can I create SSHA512 strings? I have been using either a php script
>> or slappasswd to create SSHA password but not sure how to do
>> SSHA512. openssl can create the SHA512 digest but I am not sure how
>> to add the random seed bit. My question probably illuminates my lack
>> of understanding of the subject.
>
> Why are you pre-hashing passwords? You can set the password storage
> scheme to SSHA512 in 389 and provide a cleartext userPassword value
> to the server and it will hash it for you.

If generating LDIF with pre-hashed passwords or resetting a lost
nsslapd-rootpw or something like that, you can use the pwdhash
utility that comes with 389 DS:

# pwdhash -s SSHA512 secret12
{SSHA512}KssX4qTpaFxJveSJp8Dw5AXTgNmM3wYrmBLspsj6F+Pf2aN6WO0l8XUQy+z2zx8qknO+ToFFjkVae8f4oYX0Xlt1elA2UHKq










 
Old 09-22-2010, 06:56 PM
Brandon G
 
Default SSHA and friends

Nathan Kinder wrote:
> On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
>> Hi
>>
>> This is probably OT but I am not having much luck with google. How
>> can I create SSHA512 strings? I have been using either a php script
>> or slappasswd to create SSHA password but not sure how to do
>> SSHA512. openssl can create the SHA512 digest but I am not sure how
>> to add the random seed bit. My question probably illuminates my lack
>> of understanding of the subject.
>
> Why are you pre-hashing passwords? You can set the password storage
> scheme to SSHA512 in 389 and provide a cleartext userPassword value
> to the server and it will hash it for you.

Actually, as a side note I would like to know how the format of {SSHA}
and friends compare to the conventional unix $1$seed$hash for MD5,
$2$seed$hash etc and so forth. Notably, is it possible to convert a
$1$xxxx into a {MD5...} or similar hash. Where is the Seed in SSHA?
Is it a fixed length?



-Brandon



 
Old 09-22-2010, 07:20 PM
Rich Megginson
 
Default SSHA and friends

Gerrard Geldenhuis wrote:
>
> Hi
>
> This is probably OT but I am not having much luck with google. How can
> I create SSHA512 strings? I have been using either a php script or
> slappasswd to create SSHA password but not sure how to do SSHA512.
> openssl can create the SHA512 digest but I am not sure how to add the
> random seed bit. My question probably illuminates my lack of
> understanding of the subject.
>
Why do you want to create SSHA512 strings? If for the userPassword
values, you should only send userPassword in clear text to the directory
server and let the directory server hash the password.
>
>
>
> Best Regards
>
>
 
Old 09-22-2010, 07:22 PM
Rich Megginson
 
Default SSHA and friends

Brandon G wrote:
> Nathan Kinder wrote:
>> On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
>>>
>>> Hi
>>>
>>> This is probably OT but I am not having much luck with google. How
>>> can I create SSHA512 strings? I have been using either a php script
>>> or slappasswd to create SSHA password but not sure how to do
>>> SSHA512. openssl can create the SHA512 digest but I am not sure how
>>> to add the random seed bit. My question probably illuminates my lack
>>> of understanding of the subject.
>>>
>> Why are you pre-hashing passwords? You can set the password storage
>> scheme to SSHA512 in 389 and provide a cleartext userPassword value
>> to the server and it will hash it for you.
>
>
> Actually, as a side note I would like to know how the format of {SSHA}
> and friends compare to the conventional unix $1$seed$hash for MD5,
> $2$seed$hash etc and so forth. Notably, is it possible to convert a
> $1$xxxx into a {MD5...} or similar hash.
389 does support MD5 and Salted (SMD5) hashes, specifically for
migration purposes. What format does $1$xxxx use?
> Where is the Seed in SSHA?
At the end.
> Is it a fixed length?
Yes, 8 bytes.

But note that you cannot convert MD5 to (S)SHA.
>
> -Brandon
 
Old 09-22-2010, 07:26 PM
Brandon G
 
Default SSHA and friends

Rich Megginson wrote:
> 389 does support MD5 and Salted (SMD5) hashes, specifically for
> migration purposes. What format does $1$xxxx use?
>

It has been used in unix for some time now. $1$SEED$HASH is MD5;
depending upon what OS you use the number differs in the hash. Years
ago I rewrote crypt for FreeBSD to use $3$ for SHA1. I know Redhat is
now using $6$ for a form of SHA, I don't know which one.

>> Where is the Seed in SSHA?
>>
> At the end.
>
>> Is it a fixed length?
>>
> Yes, 8 bytes.
>
> But note that you cannot convert MD5 to (S)SHA.


Where is the standard that defines what the hash format is for the
various {types} ?

This is basically to make migration easier, if I could reformat a
"$1$seed$hash" into "{SMD5}hashseed"? and stuff it into userPassword,
the users have no disruption.

-Brandon
 
Old 09-22-2010, 07:30 PM
Rich Megginson
 
Default SSHA and friends

Brandon G wrote:
> Rich Megginson wrote:
>
>> 389 does support MD5 and Salted (SMD5) hashes, specifically for
>> migration purposes. What format does $1$xxxx use?
>>
>>
>
> It has been used in unix for some time now. $1$SEED$HASH is MD5;
> depending upon what OS you use the number differs in the hash. Years
> ago I rewrote crypt for FreeBSD to use $3$ for SHA1. I know Redhat is
> now using $6$ for a form of SHA, I don't know which one.
>
>
>>> Where is the Seed in SSHA?
>>>
>>>
>> At the end.
>>
>>
>>> Is it a fixed length?
>>>
>>>
>> Yes, 8 bytes.
>>
>> But note that you cannot convert MD5 to (S)SHA.
>>
>
>
> Where is the standard that defines what the hash format is for the
> various {types} ?
>
> This is basically to make migration easier, if I could reformat a
> "$1$seed$hash" into "{SMD5}hashseed"? and stuff it into userPassword,
> the users have no disruption.
>
{SMD5}hashseed might just work.
> -Brandon
 
Old 09-23-2010, 07:47 AM
Rudolf Hatheyer
 
Default SSHA and friends

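Hi Gerrard,

I use php in my self-written user management webapp.

Here is a code snippet (part of a utility class) which works for me:

protected function generateSSHAHash($plaintext) {
    // Seed the Mersenne Twister from the current microsecond clock.
    mt_srand((double)microtime()*1000000);

    // 4-byte salt: SHA-1 over 8 bytes packed from md5(mt_rand()) plus the
    // plaintext, truncated to 4 bytes by myhash_keygen_s2k().
    $salt = $this->myhash_keygen_s2k(
        $plaintext,
        substr(pack('h*', md5(mt_rand())), 0, 8),
        4);

    // {SSHA} value: base64 of the raw SHA-1 digest of (plaintext . salt),
    // followed by the salt itself.
    $hash = "{SSHA}".base64_encode(hash('sha1', $plaintext.$salt, TRUE).$salt);

    return $hash;
}

// Returns the first $bytes bytes of sha1($salt . $pass), packed to binary.
protected function myhash_keygen_s2k($pass, $salt, $bytes) {
    return substr(pack("h*", sha1($salt . $pass)), 0, $bytes);
}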

Cheers, Rudolf

Gerrard Geldenhuis wrote:
>
> Hi
>
> This is probably OT but I am not having much luck with google. How can
> I create SSHA512 strings? I have been using either a php script or
> slappasswd to create SSHA password but not sure how to do SSHA512.
> openssl can create the SHA512 digest but I am not sure how to add the
> random seed bit. My question probably illuminates my lack of
> understanding of the subject.
>
>
>
> Best Regards
>
>


--
Rudolf Hatheyer
alpha nova Betriebsgesm.b.H.

Idlhofgasse 59-63
8020 Graz
Tel: 0043/316/722622
Fax: 0043/316/722622-16
Mobil: 0699/14032570

http://www.alphanova.at
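
The layout discussed in this thread (the {SCHEME} tag, then base64 of the digest with the salt appended at the end), as an added Python example that is not code from any poster or from 389 DS. It assumes the digest is taken over the password followed by the salt, as in the PHP snippet above, generalizes from {SSHA} and {SSHA512} to the SHA-256 and SHA-384 variants, and uses illustrative function names; THREAD_VALUE is the pwdhash output quoted earlier with the spaces inserted by the archive removed.

```python
import base64
import hashlib
import hmac
import os

# Illustrative helper names; this is not a 389 DS API.
# scheme -> (hashlib name, digest length in bytes)
SCHEMES = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32),
           "SSHA384": ("sha384", 48), "SSHA512": ("sha512", 64)}
SALT_LEN = 8  # salt length given in the thread for 389 DS

# pwdhash output quoted in the thread, with the archive's stray spaces removed
THREAD_VALUE = ("{SSHA512}KssX4qTpaFxJveSJp8Dw5AXTgNmM3wYrmBLspsj6F"
                "+Pf2aN6WO0l8XUQy+z2zx8qknO+ToFFjkVae8f4oYX0Xlt1elA2UHKq")


def make_hash(password, scheme="SSHA512", salt=None):
    """Return {SCHEME} + base64(digest(password || salt) || salt)."""
    algo, _ = SCHEMES[scheme]
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_hash(stored):
    """Split a stored value into (scheme, digest, salt); the salt is the tail."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(b64, validate=True)
    digest_len = SCHEMES[scheme][1]
    if len(raw) <= digest_len:
        raise ValueError("value too short to carry a salt")
    return scheme, raw[:digest_len], raw[digest_len:]


def verify(password, stored):
    """Recompute the digest with the embedded salt; constant-time compare."""
    scheme, digest, salt = split_hash(stored)
    candidate = hashlib.new(SCHEMES[scheme][0], password.encode("utf-8") + salt)
    return hmac.compare_digest(candidate.digest(), digest)


if __name__ == "__main__":
    scheme, digest, salt = split_hash(THREAD_VALUE)
    print(scheme, len(digest), len(salt))
    fresh = make_hash("secret12")
    print(fresh, verify("secret12", fresh), verify("wrong", fresh))
```

Because the salt length is recovered as whatever follows the fixed-size digest, the same parser handles the 4-byte salt produced by the PHP snippet and the 8-byte salt mentioned for 389 DS.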
