Hi,

Just to follow up on the previous email, I checked the courier source code, and it indeed seems to be the case that Courier authldap can only handle 4 byte SSHA salts instead of arbitrary length salts:
In sha1/sha1.h:

    typedef unsigned char SSHA_RAND[4];

In checkpasswordsha1.c (I added the comment):

    if (strncasecmp(encrypted_password, "{SSHA}", 6) == 0)
    {
        char *code = NULL;
        int i;
        SSHA_RAND rand;

        code = strdup(encrypted_password+6);
        if (code == NULL)
        {
            return (-1);
        }
        i = authsasl_frombase64(code);
        if (i == -1 || i < sizeof(SSHA_RAND))
        {
            free(code);
            return (-1);
        }
        // exactly 4 bytes of salt taken, whether there are more or less in reality
        memcpy((char *)rand, code+i-sizeof(SSHA_RAND), sizeof(SSHA_RAND));
        i = strcmp(encrypted_password+6, ssha_hash(password, rand));
        free(code);
        return i;
    }
I couldn't find any official spec of SSHA on the size of the salt. However, SquirrelMail generates 8 byte salts, and openldap (slapd) itself accepts them.
Regards,
Sebastiaan

Sebastiaan van Erk wrote:
> Sam Varshavchik wrote:
>> Sebastiaan van Erk writes:
>>> However, the strange thing is that it DOES work when I set the LDAP
>>> password using ldappasswd (also using LDAP_AUTHBIND 0). When I do
>>> "authtest sebster" right after setting the password this way it shows
>>> me an {SSHA} password hash:
>>>
>>> # ldappasswd -W -D 'cn=admin,dc=dot' -s aaa 'uid=sebster,ou=users,dc=sebster,dc=com,dc=dot'
>>>
>>> After which
>>>
>>> # authtest sebster
>>> Authentication succeeded.
>>> Authenticated: sebster (uid 2000, gid 2000)
>>> Home Directory: /data/mail/popboxes/sebster-com/sebster
>>> Maildir: (none)
>>> Quota: (none)
>>> Encrypted Password: {SSHA}VozfaTyQG4Gm73fMAdpqyJ0Xz21Bp80B
>>> Cleartext Password: (none)
>>> Options: wbnodsn=1
>>>
>>> Courier authenticates fine against this hash (using LDAP_AUTHBIND 0).
>>> However as soon as I set the hash through squirrel mail (change
>>> password), it breaks.
>>
>> Squirrelmail's SSHA password calculation appears to be broken.
>>
>> Courier's SSHA, as you've observed, works when you use OpenLDAP's own
>> ldappasswd to set the password. End of story. If you get different
>> results when using Squirrelmail, and when you use OpenLDAP's function,
>> then one of them has to be right, and the other is broken.
>
> Yes, but when I set LDAP_AUTHBIND 1 then squirrelmail's password hash
> works fine. That is, slapd itself has no problem with squirrel mail's
> hash. In previous mails I posted squirrel mail's hash so that you can
> verify it yourself. I verified it using my own little Java program, and
> I can find nothing wrong with it.
>
> What it boils down to, is that if anything is broken, it seems to be
> courier-authldap. It barfs on SquirrelMail's hashes while neither slapd
> nor my own (attached) java verification program do.
>
> Regards,
> Sebastiaan
>
> P.S: here a log of everything that shows the problem:
>
> 1) turn LDAP_AUTHBIND off in authldap, and restart authdaemon
>
> # vi /usr/local/etc/authlib/authldaprc
> # /usr/local/etc/rc.d/courier-authdaemond restart
> Stopping courier_authdaemond.
> Starting courier_authdaemond.
>
> 2) set the password hash for secret aaa using ldappasswd, and verify the hash
>
> # ldappasswd -W -D 'cn=admin,dc=dot' -s aaa 'uid=sebster,ou=users,dc=sebster,dc=com,dc=dot'
> Enter LDAP Password:
> # ldapsearch -W -D 'uid=sebster,ou=users,dc=sebster,dc=com,dc=dot'
> Enter LDAP Password:
> # extended LDIF
> <snip>
> # authtest sebster
> Authentication succeeded.
> Authenticated: sebster (uid 2000, gid 2000)
> Home Directory: /data/mail/popboxes/sebster-com/sebster
> Maildir: (none)
> Quota: (none)
> Encrypted Password: {SSHA}KmNq1UZiKuQkaGSB/iAENtKcsv3zqEd+
> Cleartext Password: (none)
> Options: wbnodsn=1
> # authtest sebster aaa
> Authentication succeeded.
> Authenticated: sebster (uid 2000, gid 2000)
> Home Directory: /data/mail/popboxes/sebster-com/sebster
> Maildir: (none)
> Quota: (none)
> Encrypted Password: {SSHA}KmNq1UZiKuQkaGSB/iAENtKcsv3zqEd+
> Cleartext Password: aaa
> Options: wbnodsn=1
> $ java SSHATest KmNq1UZiKuQkaGSB/iAENtKcsv3zqEd+
> encoded: KmNq1UZiKuQkaGSB/iAENtKcsv3zqEd+
> password hash: 2a636ad546622ae424686481fe200436d29cb2fd
> salt: f3a8477e
> Enter password: aaa
> password hash: 2a636ad546622ae424686481fe200436d29cb2fd
> encoded: KmNq1UZiKuQkaGSB/iAENtKcsv3zqEd+
> MATCH? true
>
> 3) "Change" the password with squirrel mail to aaa, and do the above procedure again.
>
> # ldapsearch -W -D 'uid=sebster,ou=users,dc=sebster,dc=com,dc=dot'
> Enter LDAP Password:
> # extended LDIF
> <snip>
> # authtest sebster
> Authentication succeeded.
> Authenticated: sebster (uid 2000, gid 2000)
> Home Directory: /data/mail/popboxes/sebster-com/sebster
> Maildir: (none)
> Quota: (none)
> Encrypted Password: {SSHA}iYX6b3SUba4OJEzOKiTdyV0y8flmYjdmZTllMQ==
> Cleartext Password: (none)
> Options: wbnodsn=1
> # authtest sebster aaa
> Authentication FAILED: Operation not permitted
> $ java SSHATest iYX6b3SUba4OJEzOKiTdyV0y8flmYjdmZTllMQ==
> encoded: iYX6b3SUba4OJEzOKiTdyV0y8flmYjdmZTllMQ==
> password hash: 8985fa6f74946dae0e244cce2a24ddc95d32f1f9
> salt: 6662376665396531
> Enter password: aaa
> password hash: 8985fa6f74946dae0e244cce2a24ddc95d32f1f9
> encoded: iYX6b3SUba4OJEzOKiTdyV0y8flmYjdmZTllMQ==
> MATCH? true
>
> My java program is attached.
>
> The only thing that I can see that is different between the hash
> generated by ldappasswd and the hash generated by squirrelmail is the
> length of the salt. The squirrel mail salt seems to be 8 bytes long, the
> ldappasswd salt is 4 bytes long.
>
> Regards,
> Sebastiaan
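The salt-length mismatch traced in the thread is easy to reproduce offline. The following is an added example, not code from the thread, from Courier or from SquirrelMail: it splits an {SSHA} value the way the format actually allows (20-byte SHA-1 digest, then a salt of whatever length remains), verifies a password against it, and beside that models the fixed-4-byte-salt logic of the quoted checkpasswordsha1.c fragment. The two hashes and the password "aaa" are the ones from the logs above; the function names (split_ssha, ssha_verify, courier_style_verify) and the constant-time comparison are this example's own choices.

```python
import base64
import hashlib
import hmac

# {SSHA} values quoted in the thread, both for the password "aaa":
#   - set by OpenLDAP's ldappasswd: 20-byte digest + 4-byte salt -> 24 bytes, 32 base64 chars
#   - set by SquirrelMail:          20-byte digest + 8-byte salt -> 28 bytes, 40 base64 chars
LDAPPASSWD_HASH = "{SSHA}KmNq1UZiKuQkaGSB/iAENtKcsv3zqEd+"
SQUIRRELMAIL_HASH = "{SSHA}iYX6b3SUba4OJEzOKiTdyV0y8flmYjdmZTllMQ=="

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes
COURIER_SALT_LEN = 4                   # sizeof(SSHA_RAND) from sha1/sha1.h in the thread


def split_ssha(encoded):
    """Split an {SSHA} value into (digest, salt).

    SSHA is base64(SHA1(password || salt) || salt). Nothing in the encoding
    fixes the salt length, so the salt is simply everything after the
    20-byte digest; the decoded length tells the verifier how long it is.
    """
    if not encoded[:6].upper() == "{SSHA}":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[6:], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded value too short to hold a digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password, encoded):
    """Verify a password against an {SSHA} value with a salt of any length."""
    digest, salt = split_ssha(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so a mismatch does not leak how many leading
    # digest bytes agreed (strcmp, as used by Courier, stops at the first
    # differing byte).
    return hmac.compare_digest(candidate, digest)


def courier_style_verify(password, encoded):
    """Model of the checkpasswordsha1.c logic quoted in the thread.

    Courier copies exactly the LAST 4 decoded bytes into SSHA_RAND, rebuilds
    base64(SHA1(password || salt4) || salt4) and strcmp()s that against the
    stored string. With a 4-byte salt the two strings are identical; with a
    longer salt the rebuilt value is shorter than the stored one, so the
    comparison can never succeed even when the password is right.
    """
    raw = base64.b64decode(encoded[6:], validate=True)
    if len(raw) < COURIER_SALT_LEN:
        return False
    salt4 = raw[-COURIER_SALT_LEN:]
    rebuilt = base64.b64encode(
        hashlib.sha1(password.encode("utf-8") + salt4).digest() + salt4
    ).decode("ascii")
    return rebuilt == encoded[6:]


if __name__ == "__main__":
    for label, stored in (("ldappasswd", LDAPPASSWD_HASH),
                          ("squirrelmail", SQUIRRELMAIL_HASH)):
        _, salt = split_ssha(stored)
        print("%-12s salt=%s (%d bytes)  generic=%s  courier-style=%s" % (
            label, salt.hex(), len(salt),
            ssha_verify("aaa", stored), courier_style_verify("aaa", stored)))
```

Running it prints the 4-byte salt f3a8477e and the 8-byte salt 6662376665396531 (the ASCII hex digits "fb7fe9e1", which is how SquirrelMail builds its salt), with the generic verifier accepting both values and the Courier-style check accepting only the ldappasswd one. The fix on the verifier side is therefore to size the salt from the decoded length rather than from a compile-time constant; on the LDAP side, slapd already does exactly that, which is why LDAP_AUTHBIND 1 works.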
_______________________________________________ courier-users mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
