This repository was archived by the owner on Oct 20, 2024. It is now read-only.

[Feature request] Support CRYPT password hashing scheme with ldap user module #114

Closed
nlgranger opened this issue Apr 12, 2020 · 6 comments

Comments

@nlgranger

Is your feature request related to a problem? Please describe.
Built-in LDAP password hashing schemes are weak by today's standards.

Describe the solution you'd like
Add support for the CRYPT hashing scheme; it requires adding an extra form entry for the salt format.

Describe alternatives you've considered
Read-only access works around password manipulation altogether but limits the available functionality.

Additional context
https://www.redpill-linpro.com/techblog/2016/08/16/ldap-password-hash.html

@babelouest
Owner

Hello @nlgranger, thanks for the feature request.

I didn't implement CRYPT password hashing in LDAP because I never really understood how it was implemented.
The supported hashes like {SHA} or {SSHA} were implemented using a long and exhausting reverse-engineering process since I couldn't find any suitable documentation at the time.

If I understand the documentation you're pointing to, and the way Apache Directory shows me the CRYPT hashing result:

  • CRYPT is the implementation of the glibc crypt: http://man7.org/linux/man-pages/man3/crypt.3.html
  • CRYPT with a scheme ID (MD5, SHA-256, SHA-512, etc.) is like {SSHA} with a different algorithm and a rounds parameter (default 5000) to make brute-force guessing more difficult.

I've made some tests and the first one can be implemented quickly, although it looks like a very weak password hashing algorithm.
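As an added illustration of the scheme-ID variant described above (example code, not Glewlwyd's own, and not a substitute for a libcrypt dependency), this reproduces glibc's `$6$` SHA-512 crypt from the man page's algorithm using hashlib alone, then wraps and verifies it as an LDAP `{CRYPT}` value; the `ldap_crypt_*` names and the 16-character random salt are assumptions of this example.

```python
import hashlib
import secrets

# Added example, not Glewlwyd code: glibc-compatible SHA-512 crypt ("$6$") from
# hashlib alone, wrapped as the LDAP {CRYPT} userPassword value the issue requests.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def sha512_crypt(pw: bytes, salt: bytes, rounds=None) -> str:
    """'$6$[rounds=N$]salt$hash' as glibc crypt(3) produces it."""
    salt = salt[:16]                          # glibc caps the salt at 16 bytes
    r = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)
    b = hashlib.sha512(pw + salt + pw).digest()
    a = hashlib.sha512(pw + salt)
    n = len(pw)
    while n > 64:                             # one copy of B per 64-byte block of pw
        a.update(b); n -= 64
    a.update(b[:n])
    n = len(pw)
    while n:                                  # bits of len(pw): 1 -> B, 0 -> pw
        a.update(b if n & 1 else pw); n >>= 1
    c = a = a.digest()
    p = (hashlib.sha512(pw * len(pw)).digest() * (len(pw) // 64 + 1))[:len(pw)]
    s = (hashlib.sha512(salt * (16 + a[0])).digest() * (len(salt) // 64 + 1))[:len(salt)]
    for i in range(r):                        # the cost loop: this is what "rounds" buys
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3: h.update(s)
        if i % 7: h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = ""
    for k in range(21):                       # glibc's byte permutation, 3 bytes -> 4 chars
        x, y, z = ((0, 21, 42), (21, 42, 0), (42, 0, 21))[k % 3]
        w = (c[k + x] << 16) | (c[k + y] << 8) | c[k + z]
        for _ in range(4):
            out += B64[w & 0x3F]; w >>= 6
    out += B64[c[63] & 0x3F] + B64[c[63] >> 6]
    return ("$6$" if rounds is None else f"$6$rounds={r}$") + salt.decode() + "$" + out

def ldap_crypt_hash(password: str, rounds=None) -> str:
    salt = "".join(secrets.choice(B64) for _ in range(16)).encode()  # fresh random salt
    return "{CRYPT}" + sha512_crypt(password.encode(), salt, rounds)

def ldap_crypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, then compare in constant time."""
    if not stored.startswith("{CRYPT}$6$"):
        return False
    parts = stored[7:].split("$")             # ['', '6', [rounds=N,] salt, hash]
    rounds = int(parts[2][7:]) if parts[2].startswith("rounds=") else None
    salt = parts[3] if rounds is not None else parts[2]
    return secrets.compare_digest(sha512_crypt(password.encode(), salt.encode(), rounds), stored[7:])
```

The "rounds=" prefix is only emitted when the caller set it explicitly, matching glibc, so a stored value without it verifies at the default 5000 rounds.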

@babelouest
Owner

Am I correct in my assumptions?

@nlgranger
Author

I'm mostly following recommendations, but my knowledge of cryptography is limited. My understanding is the same as yours: crypt without a scheme ID is deprecated and only the glibc-specific extensions with a scheme ID are used in practice. I don't think you'd want to re-implement that yourself indeed, so it would have to be added as an extra dependency.

Just to make things clear: I'm just playing around with LDAP at the moment; I don't need this feature strictly speaking, but someone else might.

@babelouest
Owner

OK, I think I found it: the paragraph "Features in glibc" in the page http://man7.org/linux/man-pages/man3/crypt.3.html explains how to use IDs.

In my case, and according to https://en.wikipedia.org/wiki/Crypt_(C)#Support_in_operating_systems, only the schemes DES, MD5, SHA-256 and SHA-512 are supported.

I'll add the feature shortly if I can.

@nlgranger
Author

FYI, here is an implementation in a single C file: https://github.com/rfc1036/whois/blob/next/mkpasswd.c
And an example of its usage: https://www.redpill-linpro.com/techblog/2016/08/16/ldap-password-hash.html

@babelouest
Owner

@nlgranger, I've pushed the CRYPT hash for passwords in the LDAP modules to the master branch.

Can you test this new feature and send feedback if required?
