
SSHA hashed passwords && retrieving the salt



Hello,

I want to understand how to retrieve the 'salt' which was used by the
LDAP server to hash a user's password with seeded sha1, i.e. SSHA;

when I do a ldapsearch from the UNIX cmd line I get the attribute as:

$ ldapsearch -h 10.45.xx.xx -p 389 -x -D ... 'cn=jrXXXXX'
...
dn: cn=jrXXXXX,ou=user,ou=....
userPassword:: e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q=
...

the above string I can decode with:

$ echo -n 'e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q=' | mmencode -u
{SSHA}MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD

but now I'm lost how to retrieve the 'salt' from it :-(

I have googled around and seen examples for this, like the one at

http://www.pressinganswer.com/444023/how-can-i-retrieve-a-salt-from-ldap

<CITED ON>
With SSHA, normally the salt is appended to the SHA1 hash and then the
whole thing is Base64 encoded (I've never seen an LDAP that didn't do
SSHA this way). You should be
able to tell this by looking at the userPassword attribute. If it's 28
characters long with a = at the end, it's only the hash.

If the Base64 value is 32 characters long or greater, it contains both
the hash and the salt. Base64 decode the value and strip off the first
20 bytes, this is the SHA1 hash. The remaining bytes are the salt.

Example:

                     Base64 encoded hash with salt
userPassword: {SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0

Base64 decoded value
     SHA1 Hash      Salt
--------------------++++
123456789012345678901234
<CITED OFF>

I can repeat the given example with:

$ echo -n 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0' | mmencode -u
123456789012345678901234

but when I run the original string through decode, I get only binary nonsense from:

echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u
2
  §íRùÞÃg­ð

What am I doing wrong, or what am I missing here?

The 'mmencode' used is on FreeBSD 10-CURRENT, from a pkg:

$ pkg_info -W /usr/local/bin/mmencode
/usr/local/bin/mmencode was installed by package metamail-2.7_9

if this matters at all.

Thanks

	matthias


-- 
Matthias Apitz               |  /"\ ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: guru@unixarea.de     |  \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |   X  - No proprietary attachments
phone: +49-170-4527211       |  / \ - Respect for open standards
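The decode-and-split procedure from the quoted answer, carried out in code. This is an added example, not part of the message above or of any LDAP server's code. It takes the userPassword value exactly as ldapsearch printed it (the "::" after the attribute name means ldapsearch base64-encoded the whole attribute value once more, on top of the base64 inside the {SSHA} scheme), removes that outer layer, then splits the {SSHA} payload into the 20-byte SHA-1 digest and whatever follows it, which is the salt. The digest is raw binary, which is why piping it through mmencode shows unprintable bytes instead of the readable digits in the quoted example; for the value in the message the salt is the last 4 bytes. The make_ssha/verify_ssha helpers and the sample password and salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Value copied from the ldapsearch output in the message ("userPassword::").
LDAPSEARCH_VALUE = "e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q="

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def decode_ldif_value(value: str) -> str:
    """Undo the outer base64 layer ldapsearch adds for '::' attribute values."""
    return base64.b64decode(value).decode("utf-8")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a '{SSHA}...' value into (sha1_digest, salt).

    The base64 payload is the raw 20-byte SHA-1 digest followed by the salt.
    A payload of exactly 20 bytes (28 base64 characters) is an unsalted hash,
    in which case the returned salt is empty.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) < SHA1_LEN:
        raise ValueError("payload shorter than a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value: base64(sha1(password + salt) + salt). Constructed helper."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute sha1(password + salt) with the stored salt and compare in constant time."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = decode_ldif_value(LDAPSEARCH_VALUE)
    digest, salt = parse_ssha(stored)
    print(stored)
    print("digest:", digest.hex(), "(raw binary; this is what mmencode printed)")
    print("salt:  ", salt.hex(), f"({len(salt)} bytes)")

    # Constructed round trip with a known password and a random 4-byte salt.
    demo = make_ssha("example-password", os.urandom(4))
    print(demo, verify_ssha("example-password", demo), verify_ssha("wrong", demo))
```

Run as a script it prints the digest and salt of the value from the message in hex; the first digest byte is 0x32, the ASCII "2" that is the only readable character in the mmencode output. To check a password against the stored value, call verify_ssha(password, stored) rather than comparing strings, since the salt must be fed back into SHA-1 first.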