
Re: {CRYPT} password to {SHA}



Buchan Milne writes:
>On Wednesday 04 June 2008 20:02:55 Jeroen van Aart wrote:
>> Currently we use {CRYPT} passwords. I would like to know if there is a
>> way to use {SHA} passwords.
>
> Yes. See for example the slappasswd man page.

Though why use SHA instead of the default SSHA (salted SHA)?
Even CRYPT passwords have a salt.

>> Could existing passwords be in some way
>> converted to {SHA}?
>
> Except by brute-forcing, no.

You could write an overlay to intercept Simple Bind operations:
If the current userPassword is a {CRYPT} and the user-provided
password matches it, SHA-hash the user-provided password and
replace the stored CRYPT with the new SHA.  Though this does make
it a bit dubious to claim that the new SHA hash has the strength
of SHA rather than the strength it inherited from CRYPT...

> (...)  The best option here is to change the default password hashing
> method (see the 'password-hash' directive for slapd.conf), and force
> password changes (if done via an LDAP password change extended
> operation, slapd will take care of hashing the password correctly).

And there ought to be a password expiry policy in place so users
will need to change old passwords anyway.  If LDAP is your
authoritative store for passwords, see man slapo-ppolicy.

-- 
Hallvard