Re: Generate hashed rootpw for native ldapd

2014-02-22 Thread Claudio Jeker
On Fri, Feb 21, 2014 at 10:45:29AM -0600, Matthew Weigel wrote:
> On 2014-02-21 9:24, Matthew Weigel wrote:
> >On 2014-02-21 5:09, Joel Carnat wrote:
> >
> >Here is a short
> >script that should run fine on a stock OpenBSD machine to generate a
> >bcrypt hash suitable for the userPassword attribute of ldapd.
> 
> Nope nope nope.  That script is incorrect in a couple of ways.  Most
> significantly it leaks the first two bits of the user's password, because I
> didn't understand how to pass the salt correctly.  I don't know if anyone
> actually WANTS a corrected version of the script, but I can't leave the
> uncorrected one out there.
> 
> #! /usr/bin/perl
> use strict;
> 
> while(<>) {
>   my $salt = '';
>   my $new_pw = $_;
>   chomp($new_pw);
> 
>   my @chars = split //,
>   "./ABCDEFGHIJKLMN" .
>   "OPQRSTUVWXYZabcd" .
>   "efghijklmnopqrst" .
>   "uvwxyz0123456789";
> 
>   for (my $i = 0; $i < 21; $i++) {
>   $salt .= $chars[int(rand($#chars+1))];
>   }
> 
>   $salt .= $chars[int(rand(4))*16];
> 
>   my $rnd_salt = '$2a$08$' . $salt;
> 
>   my $hash = crypt($new_pw, $rnd_salt);
>   print("$hash\n");
> }
> 

Honestly, why are you not using encrypt(1)?

echo -n '{CRYPT}'; encrypt password
{CRYPT}$2a$06$A2vVAo7wVbIiGNjcbBkfNeRXO6TtCe/MA0TVhdu6qUpsy0bMI5St2

Much easier.
-- 
:wq Claudio



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Theo de Raadt
> > I guess you can use 'openssl passwd' for that,
> > or 'openssl passwd -1' for MD5 password
> > however that is tagged if allowed in LDAP...
> 
> It doesn't look like openssl passwd knows about bcrypt at all (either 
> internally, or via crypt()).  While I think ldapd would be fine with 
> either the old DES-based crypt() hash or the MD5-based hash - you would 
> just need to prefix it with "{CRYPT}" I think - neither of those is 
> really a good idea for hashing passwords anymore.

Of course openssl doesn't know about bcrypt, like much other software.

Some serious NIH syndrome exists out there, though it is sometimes
known by the other acronym IBO.



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Matthew Weigel

On 2014-02-21 10:07, Raimo Niskanen wrote:

> I guess you can use 'openssl passwd' for that,
> or 'openssl passwd -1' for MD5 password
> however that is tagged if allowed in LDAP...


It doesn't look like openssl passwd knows about bcrypt at all (either 
internally, or via crypt()).  While I think ldapd would be fine with 
either the old DES-based crypt() hash or the MD5-based hash - you would 
just need to prefix it with "{CRYPT}" I think - neither of those is 
really a good idea for hashing passwords anymore.

--
Matthew Weigel
hacker
unique & idempot . ent



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Raimo Niskanen
On Fri, Feb 21, 2014 at 09:24:10AM -0600, Matthew Weigel wrote:
> On 2014-02-21 5:09, Joel Carnat wrote:
> 
> >What is the (native) way to generate the "SSHA" hashed format for 
> >rootpw ?
> 
> Is there a particular reason you want to use SSHA?  Here is a short 
> script that should run fine on a stock OpenBSD machine to generate a 
> bcrypt hash suitable for the userPassword attribute of ldapd.
> 
> #! /usr/bin/perl
> use strict;
> 
> while(<>) {
> my $salt = '';
> my $new_pw = $_;
> chomp($new_pw);
> 
> my @chars = split //,
> "abcdefghijklmnopqrstuvwxyz" .
> "ABCDEFGHIJKLMNOPQRSTUVWXYZ" .
> "0123456789+/";
> 
> for (my $i = 0; $i < 21; $i++) {
> $salt .= $chars[int(rand($#chars+1))];
> }
> 
> my $rnd_salt = '$2a$06$' . $salt . $new_pw;
> 
> my $hash = crypt($new_pw, $rnd_salt);
> print("{CRYPT}$hash\n");
> }

I guess you can use 'openssl passwd' for that,
or 'openssl passwd -1' for MD5 password
however that is tagged if allowed in LDAP...

> 
> -- 
> Matthew Weigel
> hacker
> unique & idempot . ent

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Matthew Weigel

On 2014-02-21 9:24, Matthew Weigel wrote:

> On 2014-02-21 5:09, Joel Carnat wrote:
>
> Here is a short
> script that should run fine on a stock OpenBSD machine to generate a
> bcrypt hash suitable for the userPassword attribute of ldapd.


Nope nope nope.  That script is incorrect in a couple of ways.  Most 
significantly it leaks the first two bits of the user's password, 
because I didn't understand how to pass the salt correctly.  I don't 
know if anyone actually WANTS a corrected version of the script, but I 
can't leave the uncorrected one out there.


#! /usr/bin/perl
use strict;

while(<>) {
my $salt = '';
my $new_pw = $_;
chomp($new_pw);

my @chars = split //,
"./ABCDEFGHIJKLMN" .
"OPQRSTUVWXYZabcd" .
"efghijklmnopqrst" .
"uvwxyz0123456789";

for (my $i = 0; $i < 21; $i++) {
$salt .= $chars[int(rand($#chars+1))];
}

$salt .= $chars[int(rand(4))*16];

my $rnd_salt = '$2a$08$' . $salt;

my $hash = crypt($new_pw, $rnd_salt);
print("$hash\n");
}

--
Matthew Weigel
hacker
unique & idempot . ent
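Both of Matthew's scripts hinge on how crypt(3) reads the 22-character bcrypt salt field after `$2a$NN$`. The Python below is an added example, not code from the thread or from OpenBSD: it encodes and decodes that field with bcrypt's own alphabet (which starts with `./` and has no `+`, so a salt drawn from the first script's `a-zA-Z0-9+/` alphabet is not always decodable), builds a setting string from the OS CSPRNG instead of Perl's `rand()`, and shows why the first script's `$salt . $new_pw` construction put two bits of the password into the stored hash. It does not compute a bcrypt hash itself; the function names are the example's own.

```python
"""bcrypt salt field: encode, decode, and the two-bit leak from the thread.

Added example, not from the thread. It only deals with the 22-character
salt field of a "$2a$NN$..." setting string; hashing still needs crypt(3)
with bcrypt support or a bcrypt library.
"""
import secrets

# bcrypt's own base64 alphabet (not RFC 4648: starts with "./", no "+").
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def encode_salt(raw: bytes) -> str:
    """Encode 16 salt bytes into the 22-character field crypt(3) expects."""
    if len(raw) != 16:
        raise ValueError("bcrypt salt is exactly 16 bytes")
    out = []
    for i in range(0, 15, 3):           # 15 bytes -> 5 groups of 4 chars
        b0, b1, b2 = raw[i], raw[i + 1], raw[i + 2]
        out.append(BCRYPT_B64[b0 >> 2])
        out.append(BCRYPT_B64[((b0 & 0x03) << 4) | (b1 >> 4)])
        out.append(BCRYPT_B64[((b1 & 0x0f) << 2) | (b2 >> 6)])
        out.append(BCRYPT_B64[b2 & 0x3f])
    # The 16th byte becomes 2 chars; the second one carries only the byte's
    # low 2 bits, so its index is 0, 16, 32 or 48, which is exactly what the
    # corrected script's  $chars[int(rand(4))*16]  enforces.
    b0 = raw[15]
    out.append(BCRYPT_B64[b0 >> 2])
    out.append(BCRYPT_B64[(b0 & 0x03) << 4])
    return "".join(out)


def decode_salt(field: str) -> bytes:
    """Decode the 22-char field back to 16 bytes the way crypt(3) does:
    the low 4 bits of the 22nd character are simply ignored."""
    if len(field) != 22 or any(c not in BCRYPT_B64 for c in field):
        raise ValueError("not a valid bcrypt salt field")
    v = [BCRYPT_B64.index(c) for c in field]
    raw = bytearray()
    for i in range(0, 20, 4):
        v0, v1, v2, v3 = v[i:i + 4]
        raw.append(((v0 << 2) | (v1 >> 4)) & 0xff)
        raw.append(((v1 << 4) | (v2 >> 2)) & 0xff)
        raw.append(((v2 << 6) | v3) & 0xff)
    raw.append(((v[20] << 2) | (v[21] >> 4)) & 0xff)
    return bytes(raw)


def make_salt_setting(cost: int = 8) -> str:
    """Complete "$2a$NN$<22 chars>" setting string, salt from the OS CSPRNG."""
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return "$2a$%02d$%s" % (cost, encode_salt(secrets.token_bytes(16)))


def leaked_password_bits(salt21: str, password: str) -> int:
    """What the first script did: 21 salt chars followed by the password.
    crypt(3) takes the first 22 chars as the salt field, so the 22nd is
    password[0]; its top two bits land in the salt, and the salt is stored
    in clear in the resulting hash string."""
    field = (salt21 + password)[:22]
    if field[21] not in BCRYPT_B64:
        raise ValueError("first password character is not in bcrypt's alphabet")
    return BCRYPT_B64.index(field[21]) >> 4


if __name__ == "__main__":
    setting = make_salt_setting(8)
    print(setting, decode_salt(setting[7:]).hex())
    print("bits of 'hunter2' leaked by the old script:",
          leaked_password_bits("A" * 21, "hunter2"))
```

Feed the setting string to `crypt()` (Perl's `crypt($pw, $setting)`, or `encrypt(1)` as Claudio suggests) to get the actual hash; the salt field comes back verbatim as part of the output, which is why anything placed there is readable by whoever can read the hash.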



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Matthew Weigel

On 2014-02-21 5:09, Joel Carnat wrote:

> What is the (native) way to generate the "SSHA" hashed format for 
> rootpw ?

Is there a particular reason you want to use SSHA?  Here is a short 
script that should run fine on a stock OpenBSD machine to generate a 
bcrypt hash suitable for the userPassword attribute of ldapd.


#! /usr/bin/perl
use strict;

while(<>) {
my $salt = '';
my $new_pw = $_;
chomp($new_pw);

my @chars = split //,
"abcdefghijklmnopqrstuvwxyz" .
"ABCDEFGHIJKLMNOPQRSTUVWXYZ" .
"0123456789+/";

for (my $i = 0; $i < 21; $i++) {
$salt .= $chars[int(rand($#chars+1))];
}

my $rnd_salt = '$2a$06$' . $salt . $new_pw;

my $hash = crypt($new_pw, $rnd_salt);
print("{CRYPT}$hash\n");
}

--
Matthew Weigel
hacker
unique & idempot . ent



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Sébastien Marie
On Fri, Feb 21, 2014 at 01:31:13PM +0100, Joel Carnat wrote:
> Hum, I tried it but it doesn't work.
> 
> I have a slappasswd elsewhere to test. And here's what I get :
> # print passphrase | openssl dgst -sha1 -binary | openssl enc -base64 | awk 
> '{print "{SHA}"$0}'
> {SHA}ZLvhLmLU88dUQwzfUgsq6IV8ZRE=
> # echo passphrase | openssl dgst -sha1 -binary | openssl enc -base64 | awk 
> '{print "{SHA}"$0}'
> {SHA}ZLvhLmLU88dUQwzfUgsq6IV8ZRE=
> # slappasswd -h {SHA} -s passphrase
> {SHA}YhAnRDQFLyD8uD4dD0kiBPyxGIQ=

"echo passphrase" includes a newline at the end of the line: you should avoid it.

$ echo -n passphrase | openssl dgst -sha1 -binary | openssl enc -base64 | awk 
'{print "{SHA}"$0}'
{SHA}YhAnRDQFLyD8uD4dD0kiBPyxGIQ=

Bye.
-- 
Sébastien Marie



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Claudio Jeker
On Fri, Feb 21, 2014 at 01:31:13PM +0100, Joel Carnat wrote:
> Hum, I tried it but it doesn't work.
> 
> I have a slappasswd elsewhere to test. And here's what I get :
> # print passphrase | openssl dgst -sha1 -binary | openssl enc -base64 | awk 
> '{print "{SHA}"$0}'
> {SHA}ZLvhLmLU88dUQwzfUgsq6IV8ZRE=
> # echo passphrase | openssl dgst -sha1 -binary | openssl enc -base64 | awk 
> '{print "{SHA}"$0}'
> {SHA}ZLvhLmLU88dUQwzfUgsq6IV8ZRE=
> # slappasswd -h {SHA} -s passphrase
> {SHA}YhAnRDQFLyD8uD4dD0kiBPyxGIQ=
> 
> Using the string generated with "slappasswd" works.
> Other two don't :(
> 

Do not use echo since that will add a newline to the password.
This works for me and is simpler:
 echo -n '{SHA}'; printf passphrase | sha1 -b
{SHA}YhAnRDQFLyD8uD4dD0kiBPyxGIQ=

The salted version is a bit more complex since you need to include the
base64 of the salt after the SHA1 output and include the salt after the
password when doing the SHA1.
-- 
:wq Claudio
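The {SHA} and salted {SSHA} layouts Claudio describes, and the trailing-newline mistake the whole thread turns on, as an added Python example (not code from the thread or from ldapd): it generates both formats, verifies a candidate password against a stored value by pulling the salt back out of it, and checks the two values Joel pasted for "passphrase". The function names are the example's own; the salt length is the example's choice, since the format leaves it free.

```python
"""LDAP {SHA} and {SSHA} userPassword values: generate and verify.

Added example, not from the thread. {SHA} is base64(sha1(password));
{SSHA} is base64(sha1(password + salt) + salt), the salt being appended to
the digest so a verifier can read it back out of the stored value.
"""
import base64
import hashlib
import hmac
import secrets


def sha_hash(password: bytes) -> str:
    """Unsalted {SHA} value, as produced by 'slappasswd -h {SHA}'."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


def ssha_hash(password: bytes, salt: bytes = None) -> str:
    """Salted {SSHA} value. The format does not fix the salt length; this
    example uses 8 random bytes and the verifier recovers it from the value."""
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str):
    """Return (digest, salt) from a {SSHA} value; a SHA-1 digest is 20 bytes."""
    blob = base64.b64decode(stored[len("{SSHA}"):])
    return blob[:20], blob[20:]


def verify(stored: str, candidate: bytes) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} value."""
    if stored.startswith("{SSHA}"):
        digest, salt = split_ssha(stored)
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), digest)
    raise ValueError("unsupported userPassword scheme: " + stored[:8])


# The two values pasted in the thread for the password "passphrase":
# slappasswd and 'echo -n' gave the first, plain 'echo' gave the second.
THREAD_SHA_NO_NEWLINE = "{SHA}YhAnRDQFLyD8uD4dD0kiBPyxGIQ="
THREAD_SHA_WITH_NEWLINE = "{SHA}ZLvhLmLU88dUQwzfUgsq6IV8ZRE="


def newline_pitfall() -> dict:
    """Why 'echo passphrase | ...' never authenticates: that value covers
    "passphrase\\n", and a bind request never carries the newline."""
    return {
        "correct value accepts 'passphrase'": verify(THREAD_SHA_NO_NEWLINE, b"passphrase"),
        "echo value accepts 'passphrase'": verify(THREAD_SHA_WITH_NEWLINE, b"passphrase"),
        "echo value accepts 'passphrase\\n'": verify(THREAD_SHA_WITH_NEWLINE, b"passphrase\n"),
    }


if __name__ == "__main__":
    print(sha_hash(b"passphrase"))
    print(ssha_hash(b"passphrase"))
    for name, ok in newline_pitfall().items():
        print("%-40s %s" % (name, ok))
```

Both schemes are a single unsalted or salted SHA-1 with no work factor, which is why the later replies steer towards bcrypt via `{CRYPT}`; the verifier above is still useful for checking that a value you are about to put into ldapd.conf actually matches the password you think it does.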



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Joel Carnat
Yep, that works!
Thanks :)

Le 21 févr. 2014 à 13:41, Abel Abraham Camarillo Ojeda  a 
écrit :

> try not including newline:
> 
> $ echo -n passphrase | openssl dgst -sha1 -binary | openssl enc
> -base64 | awk '{print "{SHA}"$0}'
> {SHA}YhAnRDQFLyD8uD4dD0kiBPyxGIQ=
> $
> 
> 
> On Fri, Feb 21, 2014 at 6:31 AM, Joel Carnat  wrote:
>> Hum, I tried it but it doesn't work.
>> 
>> I have a slappasswd elsewhere to test. And here's what I get :
>> # print passphrase | openssl dgst -sha1 -binary | openssl enc -base64 | awk 
>> '{print "{SHA}"$0}'
>> {SHA}ZLvhLmLU88dUQwzfUgsq6IV8ZRE=
>> # echo passphrase | openssl dgst -sha1 -binary | openssl enc -base64 | awk 
>> '{print "{SHA}"$0}'
>> {SHA}ZLvhLmLU88dUQwzfUgsq6IV8ZRE=
>> # slappasswd -h {SHA} -s passphrase
>> {SHA}YhAnRDQFLyD8uD4dD0kiBPyxGIQ=
>> 
>> Using the string generated with "slappasswd" works.
>> Other two don't :(
>> 
>> Le 21 févr. 2014 à 13:18, Marcus MERIGHI  a écrit :
>> 
>>> j...@carnat.net (Joel Carnat), 2014.02.21 (Fri) 12:09 (CET):
>>>> I want to generate a hashed rootpw for native ldapd (on OBSD 5.4).
>>>> I've tried various things like `echo secret | sha256` but I can't 
>>>> authenticate.
>>>> 
>>>> If possible, I'd like not to install openldap-server just to get 
>>>> slappasswd.
>>>> 
>>>> What is the (native) way to generate the "SSHA" hashed format for rootpw ?
>>> 
>>> ``What are {SHA} and {SSHA} passwords and how do I generate them?''
>>> http://www.openldap.org/faq/data/cache/347.html
>>> 
>>> Easiest way there seems to be:
>>> 
>>> print "passphrase" | openssl dgst -sha1 -binary | \
>>> openssl enc -base64 | awk '{print "{SHA}"$0}'
>>> 
>>> No way to test here...
>>> 
>>> Bye, Marcus



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Abel Abraham Camarillo Ojeda
try not including newline:

$ echo -n passphrase | openssl dgst -sha1 -binary | openssl enc
-base64 | awk '{print "{SHA}"$0}'
{SHA}YhAnRDQFLyD8uD4dD0kiBPyxGIQ=
$


On Fri, Feb 21, 2014 at 6:31 AM, Joel Carnat  wrote:
> Hum, I tried it but it doesn't work.
>
> I have a slappasswd elsewhere to test. And here's what I get :
> # print passphrase | openssl dgst -sha1 -binary | openssl enc -base64 | awk 
> '{print "{SHA}"$0}'
> {SHA}ZLvhLmLU88dUQwzfUgsq6IV8ZRE=
> # echo passphrase | openssl dgst -sha1 -binary | openssl enc -base64 | awk 
> '{print "{SHA}"$0}'
> {SHA}ZLvhLmLU88dUQwzfUgsq6IV8ZRE=
> # slappasswd -h {SHA} -s passphrase
> {SHA}YhAnRDQFLyD8uD4dD0kiBPyxGIQ=
>
> Using the string generated with "slappasswd" works.
> Other two don't :(
>
> Le 21 févr. 2014 à 13:18, Marcus MERIGHI  a écrit :
>
>> j...@carnat.net (Joel Carnat), 2014.02.21 (Fri) 12:09 (CET):
>>> I want to generate a hashed rootpw for native ldapd (on OBSD 5.4).
>>> I've tried various things like `echo secret | sha256` but I can't 
>>> authenticate.
>>>
>>> If possible, I'd like not to install openldap-server just to get slappasswd.
>>>
>>> What is the (native) way to generate the "SSHA" hashed format for rootpw ?
>>
>> ``What are {SHA} and {SSHA} passwords and how do I generate them?''
>> http://www.openldap.org/faq/data/cache/347.html
>>
>> Easiest way there seems to be:
>>
>> print "passphrase" | openssl dgst -sha1 -binary | \
>>  openssl enc -base64 | awk '{print "{SHA}"$0}'
>>
>> No way to test here...
>>
>> Bye, Marcus



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Joel Carnat
Hum, I tried it but it doesn't work.

I have a slappasswd elsewhere to test. And here's what I get :
# print passphrase | openssl dgst -sha1 -binary | openssl enc -base64 | awk 
'{print "{SHA}"$0}'
{SHA}ZLvhLmLU88dUQwzfUgsq6IV8ZRE=
# echo passphrase | openssl dgst -sha1 -binary | openssl enc -base64 | awk 
'{print "{SHA}"$0}'
{SHA}ZLvhLmLU88dUQwzfUgsq6IV8ZRE=
# slappasswd -h {SHA} -s passphrase
{SHA}YhAnRDQFLyD8uD4dD0kiBPyxGIQ=

Using the string generated with "slappasswd" works.
Other two don't :(

Le 21 févr. 2014 à 13:18, Marcus MERIGHI  a écrit :

> j...@carnat.net (Joel Carnat), 2014.02.21 (Fri) 12:09 (CET):
>> I want to generate a hashed rootpw for native ldapd (on OBSD 5.4).
>> I've tried various things like `echo secret | sha256` but I can't 
>> authenticate.
>> 
>> If possible, I'd like not to install openldap-server just to get slappasswd.
>> 
>> What is the (native) way to generate the "SSHA" hashed format for rootpw ?
> 
> ``What are {SHA} and {SSHA} passwords and how do I generate them?''
> http://www.openldap.org/faq/data/cache/347.html
> 
> Easiest way there seems to be:
> 
> print "passphrase" | openssl dgst -sha1 -binary | \
>  openssl enc -base64 | awk '{print "{SHA}"$0}'
> 
> No way to test here...
> 
> Bye, Marcus



Re: Generate hashed rootpw for native ldapd

2014-02-21 Thread Marcus MERIGHI
j...@carnat.net (Joel Carnat), 2014.02.21 (Fri) 12:09 (CET):
> I want to generate a hashed rootpw for native ldapd (on OBSD 5.4).
> I've tried various things like `echo secret | sha256` but I can't 
> authenticate.
> 
> If possible, I'd like not to install openldap-server just to get slappasswd.
> 
> What is the (native) way to generate the "SSHA" hashed format for rootpw ?

``What are {SHA} and {SSHA} passwords and how do I generate them?''
http://www.openldap.org/faq/data/cache/347.html

Easiest way there seems to be:

print "passphrase" | openssl dgst -sha1 -binary | \
  openssl enc -base64 | awk '{print "{SHA}"$0}'

No way to test here...

Bye, Marcus



Generate hashed rootpw for native ldapd

2014-02-21 Thread Joel Carnat
Hi,

I want to generate a hashed rootpw for native ldapd (on OBSD 5.4).
I've tried various things like `echo secret | sha256` but I can't authenticate.

If possible, I'd like not to install openldap-server just to get slappasswd.

What is the (native) way to generate the "SSHA" hashed format for rootpw ?

TIA,
  Jo