
RE: FW: More on {CRYPT} passwords

This patch applies to libraries/liblutil/passwd.c. It only affects code that would be called by slapd (as far as I can tell, that's the only code that calls lutil_passwd_hash).

RFC 3062, which describes the change-password extended operation, seemingly does not allow a user to define what sort of crypt operation they want done on the password; therefore the server must decide what crypt operation to apply. This patch extends that.

-----Original Message-----
From: Paul Wong Peng Kai [mailto:wongpk@starhub.net.sg]
Sent: Monday, April 09, 2001 6:21 PM
To: Jeff Costlow
Cc: 'openldap-devel@openldap.org'
Subject: Re: FW: More on {CRYPT} passwords

Do you have the patch written in the Perl language?

* Jeff Costlow <j.costlow@f5.com> [20010410 01:22]:
|Sorry, I am re-sending this entire message, but this time I am doing it correctly.
|This patch is:
|Copyright 2001, F5 Networks, All rights reserved. This software is not subject to any license of F5 Networks. This is free software; you can redistribute and use it under the same terms as OpenLDAP itself.
|That statement applies to the patch included below.
|Is there any discussion on this patch?  To me it seems useful, and allows clients to use ldappasswd(1) or its corresponding extended operation just a bit easier, especially since a version of crypt that does salted MD5 hashed passwords is available on quite a few systems (all systems if you use the latest version of OpenSSL)
|>  -----Original Message-----
|> From: 	Jeff Costlow  
|> Sent:	Thursday, March 29, 2001 6:17 PM
|> To:	'openldap-devel@openldap.org'
|> Subject:	More on {CRYPT} passwords
|> I would like to maintain compatibility with my old .htpasswd files and to support some legacy authentication that uses the crypt(3) passwords with MD5 style hashes, i.e.
|> $1$salt$asdfjklkjfdsa
|> I've read the code, and it appears to me as if a hack to allow a {CRYPT_MD5} password scheme would work: you would only have to write a new hash routine in liblutil/passwd.c, hash_md5crypt(), that would look almost exactly the same as hash_crypt(), except that it generates a salt that begins with $1$. {CRYPT_MD5} could use the same chk_crypt() function as {CRYPT}.
|> You could then set the default 
|> password-hash  {CRYPT_MD5}
|> in your slapd.conf, and voilà, all your passwords that were changed with extended operations would use the MD5 style crypt algorithm.
|> I think the hardest part would be coming up with enough information for configure to turn it on, although you could piggyback on top of the code that turns on {CRYPT}, and just assume that if a user puts {CRYPT_MD5} in slapd.conf, they must know what they are doing. In the worst case, they get the exact same behavior as {CRYPT}, and everything still works.
|> Comments?
|> (After I wrote this, I realized how easy it was, so I decided to post a patch along with this message, sorry the patch is against my local cvs repos which has 2.0.7, but it should probably take against your version, I've included some patches from code beyond 2.0.7)
|> >  <<openldap.patch>> 

Paul Wong Peng Kai
System Engineer
StarHub Internet
Tel: 8257-820
Hp : 98590792

Fix Open-Relay via http://www.mail-abuse.com/tsi/ar-fix.html
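The scheme sketched in the thread, as an added example that is not part of the original message and not OpenLDAP's liblutil/passwd.c: a hash routine that differs from plain crypt only in generating a salt that begins with "$1$", and a single checker that verifies both, because crypt(3) takes the stored hash as its setting string and selects the algorithm from that prefix. To stay self-contained (no libcrypt, no Python crypt module), the MD5-crypt algorithm itself is reimplemented with hashlib. The function names hash_md5crypt() and chk_crypt() follow the thread; tagging the output {CRYPT}, accepting a {CRYPT_MD5} tag on input, the .htpasswd line and the sample passwords are assumptions constructed for the example.

```python
"""Model of the {CRYPT_MD5} idea: generate "$1$" salts, verify with one checker.
Added example; not OpenLDAP code. MD5-crypt is reimplemented here so it runs
without crypt(3); the scheme tags and sample data are assumptions."""
import hashlib
import hmac
import secrets

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> bytes:
    # crypt(3)'s own 6-bit encoding, least significant group first
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return bytes(out)


def md5crypt(password: bytes, setting: bytes) -> bytes:
    """MD5-crypt ("$1$") with crypt(3) setting-string semantics: `setting` may be a
    bare salt or a full "$1$salt$hash" value; the salt is cut at '$' and at 8 bytes."""
    salt = setting[len(MAGIC):] if setting.startswith(MAGIC) else setting
    salt = salt.split(b"$", 1)[0][:8]

    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(password)
    while i:  # one byte per bit of the length: NUL for 1 bits, pw[0] for 0 bits
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):  # fixed stretching loop of the original algorithm
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()

    f = final
    enc = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return MAGIC + salt + b"$" + enc


def hash_md5crypt(password: bytes) -> bytes:
    """Counterpart of the proposed hash_md5crypt(): the only difference from a
    plain crypt hasher is that the fresh salt begins with "$1$". The result is
    tagged {CRYPT} (assumption) because any crypt(3)-style checker can verify it."""
    salt = MAGIC + bytes(secrets.choice(ITOA64) for _ in range(8))
    return b"{CRYPT}" + md5crypt(password, salt)


def chk_crypt(stored: bytes, password: bytes) -> bool:
    """One checker for {CRYPT} and {CRYPT_MD5} values: the stored hash is passed
    back as the setting string, so the algorithm is chosen by its prefix.
    Only "$1$" is modelled here; a real crypt(3) would also accept DES settings."""
    for tag in (b"{CRYPT}", b"{CRYPT_MD5}"):  # accepted tags are an assumption
        if stored.startswith(tag):
            setting = stored[len(tag):]
            break
    else:
        return False
    if not setting.startswith(MAGIC):
        return False
    return hmac.compare_digest(md5crypt(password, setting), setting)


def check_htpasswd_line(line: bytes, user: bytes, password: bytes) -> bool:
    """Legacy compatibility path: an .htpasswd line 'user:$1$salt$hash' (constructed
    input) is verified by the same checker after prefixing the {CRYPT} tag."""
    name, _, setting = line.rstrip(b"\n").partition(b":")
    return name == user and chk_crypt(b"{CRYPT}" + setting, password)


if __name__ == "__main__":
    stored = hash_md5crypt(b"hunter2")  # what slapd would write to userPassword
    print(stored.decode(), chk_crypt(stored, b"hunter2"), chk_crypt(stored, b"Hunter2"))
    legacy = b"alice:" + md5crypt(b"hunter2", b"Wyk0Zr6E")  # constructed .htpasswd line
    print(check_htpasswd_line(legacy, b"alice", b"hunter2"))
```

The checker compares with hmac.compare_digest rather than `==` so that verification time does not leak how many leading bytes of the hash matched. Because crypt(3) ignores everything after the salt's '$', passing the whole stored value back as the setting string is exactly what makes one chk_crypt() serve both schemes, as the thread proposes.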