Hi
This is probably OT but I am not having much luck with Google. How can I create SSHA512 strings? I have been using either a PHP script or slappasswd to create SSHA passwords but am not sure how to do SSHA512. openssl can create the SHA512 digest but I am not sure how to add the random seed bit. My question probably illuminates my lack of understanding of the subject.
Best Regards
________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________
On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
> Hi
> This is probably OT but I am not having much luck with Google. How can I create SSHA512 strings? I have been using either a PHP script or slappasswd to create SSHA passwords but am not sure how to do SSHA512. openssl can create the SHA512 digest but I am not sure how to add the random seed bit. My question probably illuminates my lack of understanding of the subject.

Why are you pre-hashing passwords? You can set the password storage scheme to SSHA512 in 389 and provide a cleartext userPassword value to the server and it will hash it for you.

> Best Regards
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
On 9/22/2010 11:33 AM, Nathan Kinder wrote:
> On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
>> Hi
>> This is probably OT but I am not having much luck with Google. How can I create SSHA512 strings? I have been using either a PHP script or slappasswd to create SSHA passwords but am not sure how to do SSHA512. openssl can create the SHA512 digest but I am not sure how to add the random seed bit. My question probably illuminates my lack of understanding of the subject.
> Why are you pre-hashing passwords? You can set the password storage scheme to SSHA512 in 389 and provide a cleartext userPassword value to the server and it will hash it for you.

If generating LDIF with pre-hashed passwords or resetting a lost nsslapd-rootpw or something like that, you can use the pwdhash utility that comes with 389 DS:

# pwdhash -s SSHA512 secret12
{SSHA512}KssX4qTpaFxJveSJp8Dw5AXTgNmM3wYrmBLspsj6F+Pf2aN6WO0l8XUQy+z2zx8qknO+ToFFjkVae8f4oYX0Xlt1elA2UHKq

>> Best Regards
Nathan Kinder wrote:
> On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
>> Hi
>> This is probably OT but I am not having much luck with Google. How can I create SSHA512 strings? I have been using either a PHP script or slappasswd to create SSHA passwords but am not sure how to do SSHA512. openssl can create the SHA512 digest but I am not sure how to add the random seed bit. My question probably illuminates my lack of understanding of the subject.
> Why are you pre-hashing passwords? You can set the password storage scheme to SSHA512 in 389 and provide a cleartext userPassword value to the server and it will hash it for you.

Actually, as a side note I would like to know how the format of {SSHA} and friends compares to the conventional unix $1$seed$hash for MD5, $2$seed$hash etc and so forth. Notably, is it possible to convert a $1$xxxx into a {MD5...} or similar hash. Where is the Seed in SSHA? Is it a fixed length?

-Brandon
Brandon G wrote:
> Nathan Kinder wrote:
>> On 09/22/2010 10:45 AM, Gerrard Geldenhuis wrote:
>>> Hi
>>> This is probably OT but I am not having much luck with Google. How can I create SSHA512 strings? I have been using either a PHP script or slappasswd to create SSHA passwords but am not sure how to do SSHA512. openssl can create the SHA512 digest but I am not sure how to add the random seed bit. My question probably illuminates my lack of understanding of the subject.
>> Why are you pre-hashing passwords? You can set the password storage scheme to SSHA512 in 389 and provide a cleartext userPassword value to the server and it will hash it for you.
> Actually, as a side note I would like to know how the format of {SSHA} and friends compares to the conventional unix $1$seed$hash for MD5, $2$seed$hash etc and so forth. Notably, is it possible to convert a $1$xxxx into a {MD5...} or similar hash.

389 does support MD5 and Salted (SMD5) hashes, specifically for migration purposes. What format does $1$xxxx use?

> Where is the Seed in SSHA?

At the end.

> Is it a fixed length?

Yes, 8 bytes.

But note that you cannot convert MD5 to (S)SHA.

> -Brandon
Rich Megginson wrote:
> 389 does support MD5 and Salted (SMD5) hashes, specifically for migration purposes. What format does $1$xxxx use?

It has been used in unix for some time now. $1$SEED$HASH is MD5; depending upon what OS you use the number differs in the hash. Years ago I rewrote crypt for FreeBSD to use $3$ for SHA1. I know Red Hat is now using $6$ for a form of SHA, I don't know which one.

>> Where is the Seed in SSHA?
> At the end.
>> Is it a fixed length?
> Yes, 8 bytes.
> But note that you cannot convert MD5 to (S)SHA.

Where is the standard that defines what the hash format is for the various {types}?

This is basically to make migration easier, if I could reformat a "$1$seed$hash" into "{SMD5}hashseed"? and stuff it into userPassword, the users have no disruption.

-Brandon
Brandon G wrote:
> Rich Megginson wrote:
>> 389 does support MD5 and Salted (SMD5) hashes, specifically for migration purposes. What format does $1$xxxx use?
> It has been used in unix for some time now. $1$SEED$HASH is MD5; depending upon what OS you use the number differs in the hash. Years ago I rewrote crypt for FreeBSD to use $3$ for SHA1. I know Red Hat is now using $6$ for a form of SHA, I don't know which one.
>>> Where is the Seed in SSHA?
>> At the end.
>>> Is it a fixed length?
>> Yes, 8 bytes.
>> But note that you cannot convert MD5 to (S)SHA.
> Where is the standard that defines what the hash format is for the various {types}?
> This is basically to make migration easier, if I could reformat a "$1$seed$hash" into "{SMD5}hashseed"? and stuff it into userPassword, the users have no disruption.

{SMD5}hashseed might just work.

> -Brandon
Gerrard Geldenhuis wrote:
> Hi
> This is probably OT but I am not having much luck with Google. How can I create SSHA512 strings? I have been using either a PHP script or slappasswd to create SSHA passwords but am not sure how to do SSHA512. openssl can create the SHA512 digest but I am not sure how to add the random seed bit. My question probably illuminates my lack of understanding of the subject.

Why do you want to create SSHA512 strings? If for the userPassword values, you should only send userPassword in clear text to the directory server and let the directory server hash the password.

> Best Regards
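Hi Gerrard,

I use PHP in my self-written user management webapp.
Here is a code snippet (part of a utility class) which works for me:

// Build an {SSHA} value: base64( SHA1(plaintext . salt) . salt )
protected function generateSSHAHash($plaintext) {
    // Seed the Mersenne Twister from the clock (mt_rand() is not a cryptographic RNG)
    mt_srand((double)microtime()*1000000);
    // Derive a 4-byte salt from the password and 8 pseudo-random bytes
    $salt = $this->myhash_keygen_s2k(
        $plaintext,
        substr(pack('h*', md5(mt_rand())), 0, 8),
        4
    );
    $hash = "{SSHA}".base64_encode(hash('sha1', $plaintext.$salt, TRUE).$salt);
    return $hash;
}

// Return the first $bytes bytes of SHA1($salt . $pass), packed from its hex form
protected function myhash_keygen_s2k($pass, $salt, $bytes) {
    return substr(pack("h*", sha1($salt . $pass)), 0, $bytes);
}

Cheers, Rudolf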
Gerrard Geldenhuis wrote:
> Hi
> This is probably OT but I am not having much luck with Google. How can I create SSHA512 strings? I have been using either a PHP script or slappasswd to create SSHA passwords but am not sure how to do SSHA512. openssl can create the SHA512 digest but I am not sure how to add the random seed bit. My question probably illuminates my lack of understanding of the subject.
> Best Regards