Bug 518520
| Summary: | pre hashed salted passwords do not work | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Rich Megginson <rmeggins> | ||||
| Component: | Security - Password Policy | Assignee: | Rich Megginson <rmeggins> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 1.2.1 | CC: | amsharma, nkinder | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-12-07 16:35:24 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 518519, 639035 | ||||||
| Attachments: |
|
||||||
Created attachment 358138 [details]
patch
commit 64e5a9f5cac3baf15b9fa6585072491ac75c0c3e Author: Rich Megginson <rmeggins> Date: Thu Aug 20 11:28:14 2009 -0600 Hi Rich, Request you to please add some verification steps ( I read the comment 0) but if you can add more details will be helpful. Thanks Amita (In reply to comment #3) > Hi Rich, > > Request you to please add some verification steps ( I read the comment 0) but > if you can add more details will be helpful. > > Thanks > Amita 1) Generate a password using the steps in comment 0. 2) use ldapmodify to set the password, as directory manager: ldapmodify -x -D "cn=directory manager" -w dmpassword <<EOF dn: uid=scarter,ou=people,dc=example,dc=com changetype: modify replace: userPassword userPassword: {SSHA}......thevalue..... EOF 3) Attempt to bind as scarter using the password value: ldapsearch -x -D "uid=scarter,ou=people,dc=example,dc=com" -w thepassword -s base -b "" 1. Password Generated :
[root@testvm scripts]# ./prehashed_pwd.py
{SSHA}Kqifci3/3RY2XvAmioj0GVY+Thl0aGVzYWx0
2. [root@testvm scripts]# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w xxx << EOF
> dn: uid=Suman,ou=people,dc=test,dc=com
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}Kqifci3/3RY2XvAmioj0GVY+Thl0aGVzYWx0
> EOF
modifying entry "uid=Suman,ou=people,dc=test,dc=com"
3. ldapsearch -h localhost -p 389 -D "uid=Suman,ou=people,dc=test,dc=com" -w thepassword -s base -b ""
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: dc=id,dc=polytechnique,dc=edu
namingContexts: dc=test,dc=com
namingContexts: o=netscaperoot
VERIFIED Successfully, thanks to Rich.
|
An attempt to perform simple authentication with a user name and password fails if the password was added to the server pre-hashed and salted (e.g. SSHA). For example, the following python code: import hashlib import base64 ... sha = hashlib.sha1('thepassword') sha.update('thesalt') pwdval = '{SSHA}' + base64.b64encode(sha.digest() + 'thesalt')