
Re: Valid chars in salt of passwords



At 04:57 PM 7/4/2001, Michael Ströder wrote:
>> {CRYPT} uses whatever salt your crypt(3) allows.
>
>OS-dependent! (sigh)

As some 3rd party libraries (such as OpenSSL) provide
alternative versions of crypt(3), you cannot even rely on
crypt(3) being consistent on a particular platform.
{CRYPT} should be avoided.

>> The FAQ provides additional information on how to generate
>> various schemes (including example code and links to various
>> other documents).
>>   http://www.openldap.org/faq/index.cgi?file=419
>
>The examples for {SMD5} and {SSHA} only pass a string 'salt' and
>do not mention that salt can be any octet string.

SHA1, MD5, and base64 all operate on octet strings.  The
lack of any restrictive statement should imply no restriction.
'salt' was used solely for readability.

>More questions:
>
>Additionally I cannot figure out the maximum valid length of the
>salt for {SMD5} and {SSHA}.

I don't believe there is a maximum length for the salt.

>slappasswd seems to use 4 bytes.

Yes.

>Regarding Perl example on
>http://www.openldap.org/faq/data/cache/347.html:
>
>print '{SHA}' . encode_base64($ctx->digest . 'salt' ,'') . "\n";
>
>Does that mean that the trailing new line must be present?

No.  The "\n" is not part of the value.  It's just making the
output pretty.  I've updated the examples for clarification.
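
The points discussed in this message (the salt is an arbitrary octet string of any length, and the value carries no trailing newline), as an added example that is not part of the original message or the FAQ. It assumes the usual {SSHA} layout of base64(SHA1(password + salt) + salt); the function names and sample salts are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest size in octets


def ssha_encode(password: bytes, salt: bytes) -> str:
    """Return '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    # No trailing newline: the value ends with the last base64 character.
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> tuple[bytes, bytes]:
    """Split a stored value into (digest, salt).

    The salt is every octet after the 20-octet digest, so its length is
    not fixed by the scheme and it may contain any byte value.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) < SHA1_LEN:
        raise ValueError("value shorter than a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: bytes, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample salts: 4 random octets (the length slappasswd is
    # said to use above), non-printable octets including NUL, and a long one.
    for salt in (os.urandom(4), b"\x00\xff\x80\n", os.urandom(32)):
        value = ssha_encode(b"secret", salt)
        print(len(salt), value, ssha_verify(b"secret", value))
```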