[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldiftopasswd: Can it be done with SSHA hashes?

On Thu, Nov 5, 2015 at 9:45 AM, Andrew Findlay
<andrew.findlay@skills-1st.co.uk> wrote:
>
> On Wed, Nov 04, 2015 at 04:45:28PM +0000, Chuck Peters wrote:
>
> > Most of the users passwords are in crypt format.  I found a perl one liner to base64 decode those passwords hashes.  (1)
>
> By 'crypt format' do you mean the old Unix 13-char DES-based hash, or one of
> the newer ones? At present you should really only be using the newer
> multi-round hashes, with this order of preference:

It's the old Unix hash.  If it were up to me, we would be requiring
all users change their password and update the hash to SHA512.

> Beware of old distros as they may not support all of the hash formats.

I modified a passwd shell script which outputs a file with the SHA512
hash, so it is supported to some degree, but may not work for LDAP.

> Why do you need a passwd/shadow file in the first place? Surely it is much
> better to set your systems up to validate logins against LDAP directly.
> That way the only thing that needs to care about hash formats is the LDAP
> server process.

Resources is the short answer.  It's only one system currently and
kind of a mess.  Originally their were two systems, but system crashes
and lack of resources...  It's a small non-profit where we do not want
most of our users sharing LDAP info.  We need to upgrade the old
Debian OS and we are migrating to a VPS.  Feb is technically when
Debian LTS support ends, and it is two OS upgrades behind.

Volunteers are working on the migration, and the only one with real
LDAP experience is volunteering primarily in an advisory capacity.  I
have been running Linux mail systems since 96, but I have very little
experience with LDAP.  The non-profit board of directors wants
migration done ahead of other priorities, so I want to take my time to
learn LDAP and avoid potential problems caused by our legacy mess and
inexperienced people attempting to migrate and upgrade LDAP.  Once we
migrate, we can put the old system behind a firewall and take our time
migrating/upgrading LDAP.

I noticed your site http://www.skills-1st.co.uk/ has some good
resources.  It would be great if we had someone with your skills and
experience volunteering!

One question I haven't completely figured out is how we have 16 users
with the SSHA hashes because 10 of them have never accessed the shell
where the passwd script results in the SSHA hash.  The two other
options for changing passwords are through the web using poppassd
within webmail, and some old custom php code, and they both produce
crypt hashes.  If a user has the SSHA format, they can't login to the
old php interface.  Password changes within webmail work, but the user
sees "ERROR:255".   And this issue seems minor compared to others we
have...


Thanks,
Chuck