Bug 518520 - pre hashed salted passwords do not work
pre hashed salted passwords do not work
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Security - Password Policy (Show other bugs)
1.2.1
All Linux
high Severity high
: ---
: ---
Assigned To: Rich Megginson
Viktor Ashirov
:
Depends On:
Blocks: 389_1.2.2 639035
  Show dependency treegraph
 
Reported: 2009-08-20 13:32 EDT by Rich Megginson
Modified: 2015-12-07 11:35 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-07 11:35:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch (3.70 KB, patch)
2009-08-20 13:34 EDT, Rich Megginson
no flags Details | Diff

  None (edit)
Description Rich Megginson 2009-08-20 13:32:43 EDT
An attempt to perform simple authentication with a user name and password fails if the password was added to the server pre-hashed and salted (e.g. SSHA).  For example, the following python code:

import hashlib
import base64

...

sha = hashlib.sha1('thepassword')
sha.update('thesalt')
pwdval = '{SSHA}' + base64.b64encode(sha.digest() + 'thesalt')
Comment 1 Rich Megginson 2009-08-20 13:34:14 EDT
Created attachment 358138 [details]
patch
Comment 2 Rich Megginson 2010-10-22 13:15:08 EDT
commit 64e5a9f5cac3baf15b9fa6585072491ac75c0c3e
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Thu Aug 20 11:28:14 2009 -0600
Comment 3 Amita Sharma 2011-05-19 10:47:04 EDT
Hi Rich,

Request you to please add some verification steps ( I read the comment 0) but if you can add more details will be helpful.

Thanks
Amita
Comment 4 Rich Megginson 2011-05-19 11:10:00 EDT
(In reply to comment #3)
> Hi Rich,
> 
> Request you to please add some verification steps ( I read the comment 0) but
> if you can add more details will be helpful.
> 
> Thanks
> Amita

1) Generate a password using the steps in comment 0.
2) use ldapmodify to set the password, as directory manager:

ldapmodify -x -D "cn=directory manager" -w dmpassword <<EOF
dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}......thevalue.....

EOF

3) Attempt to bind as scarter using the password value:
ldapsearch -x -D "uid=scarter,ou=people,dc=example,dc=com" -w thepassword -s base -b ""
Comment 5 Amita Sharma 2011-05-20 05:13:04 EDT
1. Password Generated : 
[root@testvm scripts]# ./prehashed_pwd.py
{SSHA}Kqifci3/3RY2XvAmioj0GVY+Thl0aGVzYWx0

2. [root@testvm scripts]# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w xxx << EOF
> dn: uid=Suman,ou=people,dc=test,dc=com
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}Kqifci3/3RY2XvAmioj0GVY+Thl0aGVzYWx0
> EOF
modifying entry "uid=Suman,ou=people,dc=test,dc=com"

3. ldapsearch -h localhost -p 389 -D "uid=Suman,ou=people,dc=test,dc=com" -w thepassword -s base -b ""
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: dc=id,dc=polytechnique,dc=edu
namingContexts: dc=test,dc=com
namingContexts: o=netscaperoot

VERIFIED Successfully, thanks to Rich.

Note You need to log in before you can comment on or make changes to this bug.