  1. Directory Studio
  2. DIRSTUDIO-738

Modular Crypt Format Salts are incorrectly displayed

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.5.3
    • Fix Version/s: 2.0.0-M11, 2.0.0-M12
    • Component/s: studio-ldapbrowser
    • Labels:
      None
    • Environment:
      Ubuntu 11.04, Eclipse Indigo

      Description

      CRYPT passwords embed multiple values into a single field, in particular the algorithm and the salt used. This method is known as Modular Crypt Format
      http://www.tummy.com/journals/entries/jafo_20110117_054918

      When given a userPassword field described using this system, the "show password details" display on the value editor gets the salt wrong and fails to verify.

          Activity

          seelmann Stefan Seelmann added a comment -

          Can you explain how salts should be displayed? Do you mean they should be prefixed with "$x$"? In LDAP the passwords are prefixed with "{schema}" which is defined in RFC 2307 http://tools.ietf.org/html/rfc2307#section-5.3

          frankfischer Frank Fischer added a comment - - edited

          Old issue, but I encounter the same problem in all versions up to 2.0.0-M10

          The modular crypt format embeds the hashing algorithm used, the salt and the hash.

          man crypt 3
                      ID     | Method
                      ─────────────────────────────────────────────────────────
                        1    | MD5
                        2a   | Blowfish (not in mainline glibc; added in some Linux distributions)
                        5    | SHA-256 (since glibc 2.7)
                        6    | SHA-512 (since glibc 2.7)
          
          Example
          
          $6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1
          
                  $6$ : SHA-512 is used
             af1ae9db : Salt
          Viz...n49.1 : Hash (shortened for clarification) (cleartext: 'secret')
          

          If you put now the value from the example into a userPassword field of openLDAP like this

          {CRYPT}$6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1

          and openldap is running on a linux system having glibc >= 2.7, then the authentication works, but DirectoryStudio is not able to verify the password, nor to display the salt.

          Judging from CODEC-133 and reading https://commons.apache.org/proper/commons-codec/apidocs/org/apache/commons/codec/digest/Crypt.html parts of the needed functionality are already available in Java.
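
Added example, not part of the original comments or of Directory Studio's code: a Python parser that splits such a userPassword value into the fields a password-details view would display. It goes beyond the single `$6$` case above by also handling the optional `rounds=` field and the bcrypt layout; the function name and the per-method field lengths are assumptions of this example.

```python
import re

# crypt(3) method id -> (name, max salt length, hash length); lengths are
# the standard encodings for each method, not values taken from the page.
METHODS = {"1": ("MD5", 8, 22), "2a": ("Blowfish", 22, 31),
           "5": ("SHA-256", 16, 43), "6": ("SHA-512", 16, 86)}
B64 = "[./0-9A-Za-z]"  # crypt's base64 alphabet

# The userPassword value quoted in the comment above.
SAMPLE = "{CRYPT}$6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1"


def parse_user_password(value):
    """Split '{CRYPT}$id$[params$]salt$hash' into its displayable fields."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", value, re.S)
    if not m or m.group(1).upper() != "CRYPT":
        raise ValueError("not an RFC 2307 {CRYPT} value")
    if not m.group(2).startswith("$"):
        raise ValueError("no $id$ prefix: traditional crypt or malformed")
    method_id, *rest = m.group(2)[1:].split("$")
    if method_id not in METHODS:
        raise ValueError("unknown crypt method id %r" % method_id)
    name, salt_max, hash_len = METHODS[method_id]
    params = None
    if method_id == "2a":
        # bcrypt packs salt and hash together: $2a$<cost>$<22 salt><31 hash>
        if len(rest) != 2 or not re.fullmatch(r"\d\d", rest[0]):
            raise ValueError("malformed bcrypt value")
        params, salt, digest = "cost=" + rest[0], rest[1][:22], rest[1][22:]
    else:
        # SHA-crypt may carry an optional rounds=N field before the salt
        if method_id in ("5", "6") and rest and re.fullmatch(r"rounds=\d+", rest[0]):
            params, rest = rest[0], rest[1:]
        if len(rest) != 2:
            raise ValueError("expected salt and hash fields")
        salt, digest = rest
    if not re.fullmatch("%s{0,%d}" % (B64, salt_max), salt):
        raise ValueError("bad salt field")
    if not re.fullmatch("%s{%d}" % (B64, hash_len), digest):
        raise ValueError("bad or truncated hash field")
    return {"scheme": "CRYPT", "method": name, "params": params,
            "salt": salt, "hash": digest}


if __name__ == "__main__":
    print(parse_user_password(SAMPLE))
```

The parser only separates and validates the fields; checking a cleartext against the hash still needs a crypt(3) implementation such as the commons-codec class linked above.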

          seelmann Stefan Seelmann added a comment -

          Implemented here:
          http://svn.apache.org/viewvc?rev=1731675&view=rev
          http://svn.apache.org/viewvc?rev=1731680&view=rev
          http://svn.apache.org/viewvc?rev=1731681&view=rev
          http://svn.apache.org/viewvc?rev=1731682&view=rev

            People

            • Assignee:
              seelmann Stefan Seelmann
              Reporter:
              jldugger Justin Dugger
            • Votes:
              0
              Watchers:
              2
