Directory Studio / DIRSTUDIO-738

Modular Crypt Format Salts are incorrectly displayed

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.5.3
    • Fix Version/s: 2.0.0-M11
    • Component/s: studio-ldapbrowser
    • Labels:
      None
    • Environment:
      Ubuntu 11.04, Eclipse Indigo

      Description

      CRYPT passwords embed multiple values into a single field, in particular the algorithm and the salt used. This method is known as Modular Crypt Format
      http://www.tummy.com/journals/entries/jafo_20110117_054918

      When given a userPassword field described using this system, the "show password details" display on the value editor gets the salt wrong and fails to verify.

          Activity

          Stefan Seelmann added a comment -

          Can you explain how salts should be displayed? Do you mean they should be prefixed with "$x$"? In LDAP the passwords are prefixed with "{schema}", which is defined in RFC 2307 http://tools.ietf.org/html/rfc2307#section-5.3

          Frank Fischer added a comment - - edited

          Old issue, but I encounter the same problem in all versions up to 2.0.0-M10

          The modular crypt format embeds the hashing algorithm used, the salt and the hash.

          man crypt 3
                      ID     | Method
                      ─────────────────────────────────────────────────────────
                        1    | MD5
                        2a   | Blowfish (not in mainline glibc; added in some Linux distributions)
                        5    | SHA-256 (since glibc 2.7)
                        6    | SHA-512 (since glibc 2.7)
          
          Example
          
          $6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1
          
                  $6$ : SHA-512 is used
             af1ae9db : Salt
          Viz...n49.1 : Hash (shortened for clarification) (cleartext: 'secret')
          

          If you put now the value from the example into a userPassword field of openLDAP like this

          {CRYPT}$6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1

          and openldap is running on a linux system having glibc >= 2.7, then the authentication works, but DirectoryStudio is not able to verify the password, nor to display the salt.

          Judging from CODEC-133 and reading https://commons.apache.org/proper/commons-codec/apidocs/org/apache/commons/codec/digest/Crypt.html parts of the needed functionality are already available in Java.

          Stefan Seelmann added a comment -

          Implemented here:
          http://svn.apache.org/viewvc?rev=1731675&view=rev
          http://svn.apache.org/viewvc?rev=1731680&view=rev
          http://svn.apache.org/viewvc?rev=1731681&view=rev
          http://svn.apache.org/viewvc?rev=1731682&view=rev
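
          The field split discussed in this issue, as an added Python example; it is not code from Directory Studio, Commons Codec or any commenter. The function name parse_user_password is hypothetical, and the "rounds=" field, the bcrypt layout and the two-character DES salt are assumptions taken from the crypt formats themselves, not from this page.

```python
import re

# Method IDs from the crypt(3) table quoted in the comment above.
METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
SCHEME_RE = re.compile(r"^\{([^{}]+)\}(.*)$", re.S)
# The userPassword value from the issue (cleartext 'secret').
SAMPLE = ("{CRYPT}$6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56"
          "bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1")


def parse_user_password(value):
    """Split a userPassword value into scheme, method, rounds, salt, hash."""
    out = dict(scheme=None, method=None, rounds=None, salt=None, hash=value)
    m = SCHEME_RE.match(value)
    if not m:
        return out  # no {scheme} prefix: treated as a cleartext password
    out["scheme"], body = m.group(1).upper(), m.group(2)
    out["hash"] = body
    if out["scheme"] != "CRYPT":
        return out  # other schemes are outside this example
    if not body.startswith("$"):
        # Traditional DES crypt: two salt characters, then the hash.
        out.update(method="DES", salt=body[:2], hash=body[2:])
        return out
    ident, *rest = body.split("$")[1:]
    if ident not in METHODS or len(rest) < 2:
        raise ValueError("unrecognised modular crypt value")
    out["method"] = METHODS[ident]
    if ident == "2a":
        # bcrypt layout: $2a$<cost>$<22-char salt><31-char hash>
        if len(rest) != 2 or len(rest[1]) != 53:
            raise ValueError("malformed bcrypt value")
        out.update(rounds=int(rest[0]), salt=rest[1][:22], hash=rest[1][22:])
        return out
    if ident in ("5", "6") and rest[0].startswith("rounds="):
        # Optional work-factor field: $5$rounds=N$salt$hash
        out["rounds"] = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) != 2:
        raise ValueError("expected $salt$hash after the method ID")
    out["salt"], out["hash"] = rest
    return out


if __name__ == "__main__":
    for key, val in parse_user_password(SAMPLE).items():
        print(f"{key:>7}: {val}")
```

          A password-details view needs exactly these fields: the salt (and rounds, if present) must be fed back unchanged into the hash function named by the method ID before the result is compared with the stored hash.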

            People

            • Assignee:
              Stefan Seelmann
              Reporter:
              Justin Dugger
            • Votes:
              0
              Watchers:
              2
