[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: {CRYPT} password to {SHA}

Buchan Milne writes:
>On Wednesday 04 June 2008 20:02:55 Jeroen van Aart wrote:
>> Currently we use {CRYPT} passwords. I would like to know if there is a
>> way to use {SHA} passwords.
> Yes. See for example the slappasswd man page.

Though why use SHA instead of the default SSHA (salted SHA)?
Even CRYPT passwords have a salt.

>> Could existing passwords be in some way
>> converted to {SHA}?
> Except by brute-forcing, no.

You could write an overlay to intercept Simple Bind operations:
If the current userPassword is a {CRYPT} and the user-provided
password matches it, SHA-hash the user-provided password and
replace the stored CRYPT with the new SHA.  Though this does make
it a bit dubious to claim that the new SHA hash has the strength
of SHA rather than the strength it inherited from CRYPT...

> (...)  The best option here is to change the default password hashing
> method (see the 'password-hash' directive for slapd.conf), and force
> password changes (if done via an LDAP password change extended
> operation, slapd will take care of hashing the password correctly).

And there ought to be a password expiry policy in place so users
will need to change old passwords anyway.  If LDAP is your
authorative store for passwords, see man slapo-ppolicy.