
Re: (ITS#9137) slappasswd generate wrong SSHA from file



Hi,

Thank you!! I was fooled when I checked the content with vi. Sorry for 
the disturbance, I hope it will help others.

Yours sincerely,

Antoine


On 13/12/2019 04:29, Howard Chu wrote:
> Antoine Tran wrote:
>> On 12/12/2019 14:02, Howard Chu wrote:
>>> antoine.tran@thales-services.fr wrote:
>>>> Full_Name: Antoine TRAN
>>>> Version: openldap-servers-2.4.44-21.el7_6.x86_64
>>>> OS: CentOS Linux release 7.7.1908 (Core)
>>>> URL: ftp://ftp.openldap.org/incoming/
>>>> Submission from: (NULL) (213.190.88.94)
>>>>
>>>>
>>>> I use slappasswd to generate SSHA passwords. The issue is that its behavior is
>>>> different depending on whether I submit the password on stdin or on the command line with '-s',
>>>> or from a secret file with '-T'. Command:
>>>> slappasswd -h {SSHA}
>>>> => type 'd' twice as the password
>>>> slappasswd -h {SSHA} -s d
>>>>
>>>> provides working SSHA.
>>>>
>>>> But:
>>>> echo d >/run/secrets/rootpw
>>>> slappasswd -h {SSHA} -T /run/secrets/rootpw
>>>> provides a valid SSHA, but that does not match the password.
>>>>
>>>> My multiple tests are done by replacing rootpw in /etc/openldap/slapd.conf,
>>>> regenerating with:
>>>> systemctl stop slapd
>>>> sed -i -e "s,rootpw .*\$,rootpw ${ROOTPW_HASH},g" /etc/openldap/slapd.conf
>>>> slapcat -n 0 -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
>>>> systemctl start slapd
>>>> ldapsearch -D "${ROOTDN}" -w "${ROOTPW}"
>>>>
>>>> The content of the secret file can be "d" or "d\n"; it does not make a
>>>> difference. Also, if I change the scheme from SSHA to just a fixed salt, the
>>>> '-T' seems to work as expected:
>>>> (a) slappasswd -c 123
>>>> => type d twice
>>>> (b) slappasswd -c 123 -s 123
>>>> (c) slappasswd -c 123 -T /run/secrets/rootpw
>>>>
>>>> (a), (b) and (c) give the exact same hash. But I cannot use a fixed salt with
>>>> SSHA; slappasswd prevents me from that, with an error saying the scheme was already
>>>> provided.
>>> Unable to reproduce, SSHA works fine here.
>>>
>>> Obviously you can't use a fixed salt with SSHA; the point of its salt is to
>>> be random and different every time.
>> I wanted to override the salt as a test, to check if we get the same output with a file and on the command line. But I found another way to test.
>>> When using a password in a file you must ensure the trailing '\n' is omitted. This
>>> is already documented in the manpage.
>> I did read and check this point. I have written that I did not have a newline. But here is a simple and reproducible test, which took me a long time. On a
>> Linux machine with internet access, just copy and paste this:
>>
>> docker run --name slappasswd --rm -ti centos:7 bash
>>
>> yum install openldap-servers -y
>>
>> cat <<EOF >/makeSecret.py
>> import os
>> import sys
>> import hashlib
>> from base64 import urlsafe_b64encode as encode
>> from base64 import urlsafe_b64decode as decode
>>
>> def makeSecret(password):
>>     salt = os.urandom(4)
>>     h = hashlib.sha1(password)
>>     h.update(salt)
>>     return "{SSHA}" + encode(h.digest() + salt)
>>
>> if __name__ == '__main__':
>>     print(makeSecret(sys.argv[1]))
>> EOF
>>
>> cat <<EOF >/checkPassword.py
>> import os
>> import sys
>> import hashlib
>> from base64 import urlsafe_b64encode as encode
>> from base64 import urlsafe_b64decode as decode
>>
>> def checkPassword(challenge_password, password):
>>     challenge_bytes = decode(challenge_password[6:])
>>     digest = challenge_bytes[:20]
>>     salt = challenge_bytes[20:]
>>     hr = hashlib.sha1(password)
>>     hr.update(salt)
>>     return digest == hr.digest()
>>
>> if __name__ == '__main__':
>>     print(checkPassword(sys.argv[1], sys.argv[2]))
>> EOF
>>
>> python /checkPassword.py $(python /makeSecret.py d) d
>>
>> python /checkPassword.py $(slappasswd -s d) d
>>
>> mkdir -p /run/secrets/
>> echo d>/run/secrets/rootpw
>> python /checkPassword.py $(slappasswd -T /run/secrets/rootpw) d
>> echo Begin-$(cat /run/secrets/rootpw)-End
>> # => shows no newline:
>> #Begin-d-End
>>
>> It will show you that all hashes work except the part with slappasswd -T, and I checked the newline.
> I've run your steps. Your test is still invalid. Learn how to use the echo command.
>
> ####
> [root@507ab0515ed6 /]# od -xc /run/secrets/rootpw
> 0000000    0a64
>            d  \n
> 0000002
> [root@507ab0515ed6 /]# echo -n d > /run/secrets/rootpw
> [root@507ab0515ed6 /]# python /checkPassword.py $(slappasswd -T /run/secrets/rootpw) d
> Warning: Password file /run/secrets/rootpw is publicly readable/writeable
> True
> [root@507ab0515ed6 /]#
> ####
>
> Closing this ITS.
>
>
>>>> I saw the same issue in another openldap mail:
>>>> https://www.openldap.org/lists/openldap-software/200805/msg00060.html but no
>>>> answer.
>>>>
>>>>
>
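The two scripts quoted in the thread, merged and ported to Python 3 as an added example (this is not code from the thread or from OpenLDAP). It differs from the quoted scripts in two deliberate ways: it uses the standard base64 alphabet, which is what slappasswd's {SSHA} output uses (the quoted scripts call urlsafe_b64encode, so a value they produce can contain '-' or '_', which slappasswd never emits), and it reads the password file byte for byte, so demo_newline_pitfall() reproduces what Howard's od dump shows: a file written with plain `echo` hashes "d\n" and fails to verify against "d", while one written with `echo -n` verifies. The 4-byte salt is taken from the quoted makeSecret.py; the temporary files and the `echo` labels are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Optional

# Salt length used by the quoted makeSecret.py; the verifier below does not
# depend on it, because the salt is whatever follows the 20-byte digest.
SALT_LEN = 4


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password || salt) || salt).

    Same layout as the quoted makeSecret.py, but with the standard base64
    alphabet ('+' and '/'), which is the alphabet slappasswd emits.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: bytes) -> bool:
    """Verify a candidate password against a {SSHA} value.

    Works for any salt length: the first 20 bytes are the SHA-1 digest and
    everything after them is the salt.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("value too short to carry a digest and a salt")
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(digest, candidate)  # constant-time comparison


def password_from_file(path: str) -> bytes:
    """Read a secret file literally: every byte, trailing newline included.

    This is the reading the thread ends on: nothing strips the '\\n' that a
    plain `echo` leaves at the end of the file, so it becomes part of the
    password that gets hashed.
    """
    with open(path, "rb") as fh:
        return fh.read()


def octal_dump(data: bytes) -> str:
    """Render bytes the way `od -c` made the stray newline visible in the thread."""
    out = []
    for b in data:
        if b == 0x0A:
            out.append("\\n")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return " ".join(out)


def demo_newline_pitfall() -> Dict[str, bool]:
    """Constructed reproduction of the two file contents from the thread.

    Writes the bytes that `echo d` and `echo -n d` leave in a file, hashes
    each file's contents as a password, and checks the result against the
    password the user actually intended, "d".
    """
    results: Dict[str, bool] = {}
    for label, content in (("echo d", b"d\n"), ("echo -n d", b"d")):
        fd, path = tempfile.mkstemp()
        try:
            with os.fdopen(fd, "wb") as fh:
                fh.write(content)
            hashed = make_ssha(password_from_file(path))
        finally:
            os.unlink(path)
        results[label] = check_ssha(hashed, b"d")
    return results


if __name__ == "__main__":
    for label, ok in demo_newline_pitfall().items():
        print("%-10s -> verifies as 'd': %s" % (label, ok))
    print(octal_dump(b"d\n"))
```

The portable way to write a secret file without a trailing newline is `printf '%s' d > /run/secrets/rootpw`; `echo -n` is not specified by POSIX and some shells print the `-n` literally. Checking the file with `od -c` (as in the thread) or with this octal_dump() is more reliable than opening it in an editor, which is exactly how the reporter was misled.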