Section 14.4.1 of the OpenLDAP admin guide: "This is the salted version of the SHA scheme. It is believed to be the most secure password storage scheme supported by slapd." http://www.openldap.org/doc/admin24/security.html#SSHA%20password%20storage%20scheme

Attached are two patches that add read and write support for SSHA-1. We've been running this code in production for nine months now, with no hiccups, on a platform with ~120,000 customers.

I imagine the write support belongs further upstream as it patches support/ht{passwd,dbm}.c, but since it relies on a patched apr-util, I'll post it here instead.

Why, apart from security, is this useful? I can present at least one use case (ours): when migrating from LDAP-based authentication to .htaccess authentication.
Created attachment 23621: SSHA-1 read support.
Created attachment 23622: SSHA-1 write support.
(In reply to comment #0)
> Why, apart from security, is this useful? I can present at least one use
> case (ours): when migrating from LDAP-based authentication to .htaccess
> authentication.

AFAICS, SSHA-1 uses only one round of SHA-1, so it's rather insecure. I don't want to add more insecure hash algorithms to htpasswd.

But I would accept the use case of moving from LDAP-based authentication to file based authentication. But for that, only the verify ("read") support would be needed. Do you agree that verify support alone would be useful?
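To make the format behind this discussion concrete, here is an added example in Python. It is not the attached apr-util/htpasswd patches and not OpenLDAP code; the function names ssha_hash, ssha_verify and ldap_to_htpasswd are this example's own, and the 8-byte default salt is a choice made here, not something the scheme fixes. It shows the {SSHA} layout a read patch has to parse (fixed 20-byte digest, salt is whatever follows), why verification is a single SHA-1 over password||salt with no iteration count (the point made in comment #3), and the migration step from comment #0, where the LDAP userPassword value is copied into the htpasswd file unchanged so nobody has to reset a password.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Layout of an OpenLDAP-style {SSHA} value (RFC 2307 scheme prefix):
#   "{SSHA}" + base64( SHA1(password || salt) || salt )
# The digest is always 20 bytes; the salt is whatever follows it, so a
# verifier must take the salt length from the decoded value rather than
# assume one.
SCHEME = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20


def ssha_hash(password: str, salt: Optional[bytes] = None, salt_len: int = 8) -> str:
    """Write side: exactly one SHA-1 round over password||salt, no stretching.

    salt_len=8 is this example's choice; the format itself fixes no salt length.
    """
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Read side: recover the salt from the stored value, recompute
    SHA1(password || salt) and compare in constant time.

    Any malformed input (wrong scheme, bad base64, too short) is simply a
    failed verification, never an exception that could surface on the
    authentication path.
    """
    if len(stored) < len(SCHEME) or stored[:len(SCHEME)].upper() != SCHEME:
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldap_to_htpasswd(uid: str, user_password: str, b64_encoded: bool = False) -> str:
    """Migration helper (hypothetical name): one LDAP entry -> one htpasswd line.

    LDIF writes the attribute either as 'userPassword: {SSHA}...' or, wrapped
    in base64, as 'userPassword:: ...'; pass b64_encoded=True for the latter.
    Schemes other than {SSHA} are refused so that a {CRYPT} or cleartext value
    never lands in the file unnoticed.
    """
    if b64_encoded:
        user_password = base64.b64decode(user_password).decode("ascii")
    if user_password[:len(SCHEME)].upper() != SCHEME:
        raise ValueError(f"{uid}: unsupported scheme in userPassword")
    if ":" in uid:
        raise ValueError(f"{uid}: ':' is the htpasswd field separator")
    return f"{uid}:{user_password}"


if __name__ == "__main__":
    # Constructed sample: password "ab" with salt b"c", so the digest is
    # SHA1("abc") and can be checked against any published SHA-1 test vector.
    stored = ssha_hash("ab", salt=b"c")
    print(stored)                          # {SSHA}qZk+NkcGgWq6PiVxeFDCbJzQ2J1j
    print(ssha_verify("ab", stored))       # True
    print(ssha_verify("abc", stored))      # False
    print(ldap_to_htpasswd("alice", stored))
```

The verify path is the one a read-only patch needs: it never generates salt, it only decodes the stored value, splits at byte 20 and hashes once. That single SHA-1 call is also why the scheme is cheap to brute-force offline; the salt defeats precomputed tables but adds no work per guess.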