
Re: Valid chars in salt of passwords

"Kurt D. Zeilenga" wrote:
> At 03:19 PM 7/4/2001, Michael Ströder wrote:
> >What are the valid characters I can use for the salt value of
> >{CRYPT}, {SMD5} and {SSHA}?
> Note that RFC 2307 does not describe {SMD5} or {SSHA}.

Ooops. I had "RFC2307bis" at hand. This version mentions {SMD5} and
{SSHA} but says nothing about how to exactly compute it.
(INTERNET-DRAFT 1 March 1999, probably never made it...)

> The salts for can be any octet sequence.

This was not clear to me and I couldn't figure it out from any
document and example I scanned.

> {CRYPT} uses whatever salt your crypt(3) allows.

OS-dependent! (sigh)

> The FAQ provides additional information on how to generate
> various schemes (including example code and links to various
> other documents).
>   http://www.openldap.org/faq/index.cgi?file=419

The examples for {SMD5} and {SSHA} only pass a string 'salt' and
do not mention that salt can be any octet string.

More questions:

Additionally I cannot figure out the maximum valid length of the
salt for {SMD5} and {SSHA}. slappasswd seems to use 4 bytes.

Regarding Perl example on

print '{SHA}' . encode_base64($ctx->digest . 'salt' ,'') . "\n";

Does that mean that the trailing new line must be present? Up to now
I thought I should strip it off.

Ciao, Michael.
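
Added example, not part of the original message or of the OpenLDAP FAQ: a Python sketch that builds and checks {SSHA} and {SMD5} values with a salt made of arbitrary octets, recovering the salt as whatever follows the fixed-length digest. It assumes the layout scheme + base64(digest(password + salt) + salt); the function names are hypothetical, and stripping a trailing newline before decoding is a choice made in this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hash constructor per scheme; its digest size marks where the salt begins.
SCHEMES = {"{SSHA}": hashlib.sha1, "{SMD5}": hashlib.md5}


def make_hash(scheme: str, password: bytes, salt: Optional[bytes] = None) -> str:
    """Return scheme + base64(digest(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # 4 bytes, the length the message observes from slappasswd
    digest = SCHEMES[scheme](password + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def split_hash(stored: str) -> Tuple[str, bytes, bytes]:
    """Split a stored value into (scheme, digest, salt)."""
    stored = stored.strip()  # assumption: a newline left by print/echo is not part of the value
    scheme = stored[: stored.index("}") + 1]
    hasher = SCHEMES[scheme]  # KeyError for schemes this example does not handle
    raw = base64.b64decode(stored[len(scheme):], validate=True)
    size = hasher().digest_size  # 20 octets for SHA-1, 16 for MD5
    if len(raw) <= size:
        raise ValueError("no salt after the digest")
    return scheme, raw[:size], raw[size:]  # the salt is the remainder, any length


def verify(stored: str, password: bytes) -> bool:
    """Recompute the digest with the embedded salt and compare in constant time."""
    scheme, digest, salt = split_hash(stored)
    candidate = SCHEMES[scheme](password + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample salt: NUL, high-bit, newline and '=' octets.
    odd_salt = bytes([0x00, 0xFF, 0x0A, 0x7B, 0x80, 0x01, 0x20, 0x3D])
    for name in SCHEMES:
        value = make_hash(name, b"secret", odd_salt)
        print(value, verify(value + "\n", b"secret"))
```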