
ldap/kdc password sync, hashes

Tidbit One

The new version of the Sun ONE Directory Server defaults to the {SSHA} password hash format instead of the old {SHA} hash. {SHA} is just base64(SHA-1(password)), unsalted; {SSHA} is base64(SHA-1(password . salt) . salt), that is, the 20-byte digest with the salt appended to it, so the same password gets a different stored value in every entry. Any code that directly verifies userPassword hashes needs to handle both, because existing {SHA} values stay as they are until a password is next changed. Code to do it is included in the extended article if you need it.

Tidbit Two

With that, the KDC/LDAP password sync has been re-enabled. Had disabled it for the DS upgrade just in case we seriously horked something :)

Useful Perl

use strict;
use warnings;
use Digest::SHA qw(sha1);            # Digest::SHA1 works the same; Digest::SHA ships with perl
use MIME::Base64 qw(decode_base64);

# Verify a cleartext password against an LDAP userPassword value of the form
#   {SHA}base64(sha1(pass))                  or
#   {SSHA}base64(sha1(pass . salt) . salt)
# Returns 1 on a match, 0 otherwise (including unknown schemes and cleartext).
sub verify_userpassword {
    my ( $hash, $pass ) = @_;

    # scheme tags turn up in either case ({sha}, {SSHA}, ...), so match case-insensitively
    if ( $hash =~ s/^\{SHA\}//i ) {
        return check_sha( $hash, $pass );
    }
    elsif ( $hash =~ s/^\{SSHA\}//i ) {
        return check_ssha( $hash, $pass );
    }

    return 0;    # unknown scheme: refuse rather than guess
}

sub check_sha {
    my ( $hash, $pass ) = @_;

    my $encpass = sha1($pass);
    $hash = decode_base64($hash);    # reassign, not a second 'my': redeclaring warns under strict

    return 1 if $hash eq $encpass;
    return 0;
}

sub check_ssha {
    my ( $hash, $pass ) = @_;

    $hash = decode_base64($hash);

    # A SHA-1 digest is always 20 bytes, so everything after byte 20 is the salt.
    # Sun DS writes an 8-byte salt, OpenLDAP 4 by default; using substr instead of
    # a fixed-width regex handles both, and also copes with a salt byte that is "\n"
    # (which '.' in a regex would refuse to match).
    if ( length($hash) <= 20 ) {
        warn "ssha: stored value too short to hold a digest and a salt\n";
        return 0;
    }
    my $digest = substr( $hash, 0, 20 );
    my $salt   = substr( $hash, 20 );

    # regenerate the digest with that salt and compare
    return 1 if sha1( $pass . $salt ) eq $digest;
    return 0;
}
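To show the other direction as well (code that writes userPassword values, not just checks them), here is an added Python example, not code from the original post and not Sun's or OpenLDAP's own implementation. It produces {SHA} and {SSHA} values and verifies them with a parser that treats whatever follows the 20-byte digest as the salt, so 4-byte salts (the OpenLDAP default) verify just like Sun's 8-byte ones. The 8-byte default salt length, the function names and the test passwords are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; in {SSHA} the salt is everything after it


def make_sha(password):
    """Legacy unsalted {SHA}: base64(SHA1(password)). Kept only to read old entries."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password, salt=None, salt_len=8):
    """Salted {SSHA}: base64(SHA1(password || salt) || salt).

    salt_len=8 mirrors what Sun ONE DS writes (assumed default for this example);
    OpenLDAP uses 4. verify_userpassword() below does not depend on the length.
    """
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_userpassword(stored):
    """Split a {SCHEME}base64 value into (SCHEME, digest, salt); None if malformed."""
    if not stored.startswith("{") or "}" not in stored:
        return None
    scheme, _, encoded = stored[1:].partition("}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < SHA1_LEN:
        return None
    return scheme.upper(), raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_userpassword(stored, password):
    """True if password matches a {SHA} or {SSHA} value; False for anything else.

    Unknown schemes and cleartext values are refused rather than guessed at, and
    the digest comparison is constant-time.
    """
    parsed = parse_userpassword(stored)
    if parsed is None:
        return False
    scheme, digest, salt = parsed
    if scheme == "SHA" and not salt:
        expected = hashlib.sha1(password.encode("utf-8")).digest()
    elif scheme == "SSHA":
        expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    else:
        return False
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # constructed sample values, not taken from any real directory
    for value in (make_sha("password"), make_ssha("password"), make_ssha("password", salt_len=4)):
        print(value, verify_userpassword(value, "password"), verify_userpassword(value, "Password"))
```

The well-known {SHA} value for the password "password" is {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=, which make_sha reproduces; every {SSHA} value for the same password comes out different because of the random salt, and the lowercase {ssha} tag some tools emit is accepted too.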

About

This page contains a single entry from the blog posted on August 23, 2005 2:54 PM.
