
Re: SSHA hashes are stored as '{ssha}......' and '{SSHA}......'

On Tue, Sep 29, 2015 at 09:31:20AM +0200, Matthias Apitz wrote:

> I do not know (the Java classes have been written by others) why we do
> not just do a bind. What is wrong with our method?

It requires read access to the password hash, which is a security risk.
Most LDAP deployments prevent *anyone* from reading password hashes (except
for the replication user etc).

Hashing passwords and verifying them should be left to the LDAP server.

Note also that SSHA is very weak in the face of brute-force attacks.
You should be trying to use one of the hash schemes that were designed
specifically to protect passwords. BCRYPT is probably the best, but any
of the Linux $1$, $6$, $2a$ schemes will give immensely more protection
than plain SSHA.

> This part is not under our control. The LDAP is managed by some customer
> and I *think* they use some Perl script to create the user credentials in
> LDAP, calculating the SSHA hash in advance.

Advise them to create the entry without a password hash, then to set
the password using the password-change extended operation.

See Net::LDAP::Extension::SetPassword for details.


Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
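The procedure Andrew recommends above, written out as an added example (it is not code from this thread or from the Net::LDAP project): the entry is created with no userPassword value, the password is then set with the Password Modify extended operation (RFC 3062) via Net::LDAP::Extension::SetPassword so the server applies its own configured hash scheme, and the application verifies a login with a simple bind rather than reading the stored hash. Host name, DNs, passwords and the CA bundle path are placeholders.

```perl
#!/usr/bin/perl
# Added example, not from the mailing-list thread. All names below are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::SetPassword;   # adds $ldap->set_password(...)

my $host     = 'ldap.example.com';                       # placeholder
my $cafile   = '/etc/ssl/certs/ca-certificates.crt';     # placeholder CA bundle
my $admin_dn = 'cn=admin,dc=example,dc=com';             # placeholder
my $admin_pw = 'ADMIN-PASSWORD-PLACEHOLDER';
my $user_dn  = 'uid=jdoe,ou=people,dc=example,dc=com';   # placeholder
my $user_pw  = 'USER-PASSWORD-PLACEHOLDER';

# Open a TLS-protected connection; the password travels in clear text inside
# the extended operation and the bind, so never do this over plain LDAP.
sub connect_tls {
    my $conn = Net::LDAP->new($host, version => 3) or die "connect: $@";
    my $r = $conn->start_tls(verify => 'require', cafile => $cafile);
    $r->code and die 'start_tls: ' . $r->error;
    return $conn;
}

# --- Provisioning, done by the customer's script with an administrative bind ---
my $ldap = connect_tls();
my $mesg = $ldap->bind($admin_dn, password => $admin_pw);
$mesg->code and die 'admin bind: ' . $mesg->error;

# 1. Create the entry without any userPassword attribute.
$mesg = $ldap->add($user_dn,
    attrs => [
        objectClass => ['inetOrgPerson'],
        uid         => 'jdoe',
        cn          => 'Jane Doe',
        sn          => 'Doe',
    ]);
$mesg->code and die 'add: ' . $mesg->error;

# 2. Set the password with the Password Modify extended operation. The server
#    chooses the storage scheme (e.g. slapd's password-hash directive), so the
#    client never computes, sees or stores a hash.
$mesg = $ldap->set_password(user => $user_dn, newpasswd => $user_pw);
$mesg->code and die 'set_password: ' . $mesg->error;
$ldap->unbind;

# --- Verification, done by the application ---
# 3. A simple bind as the user proves the password. It needs no read access to
#    userPassword, and the server compares against whatever scheme it stored.
sub check_login {
    my ($dn, $password) = @_;
    # A simple bind with an empty password is an *anonymous* bind and succeeds
    # on most servers, so an empty password must be rejected here, not passed on.
    return 0 unless defined $password && length $password;
    my $conn = connect_tls();
    my $r = $conn->bind($dn, password => $password);
    $conn->unbind;
    return $r->code == 0;   # 0 is LDAP_SUCCESS
}

print check_login($user_dn, $user_pw) ? "login ok\n" : "login failed\n";
```

The explicit empty-password check in check_login is the one detail worth keeping even if everything else is adapted: it is the standard pitfall of bind-based authentication, and it is the reason a bind result must never be trusted without first validating the supplied credentials are non-empty.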