Directory Studio / DIRSTUDIO-738

Modular Crypt Format Salts are incorrectly displayed

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.5.3
    • Fix Version/s: 2.0.0-M11
    • Component/s: studio-ldapbrowser
    • Labels:
      None
    • Environment:
      Ubuntu 11.04, Eclipse Indigo

      Description

      CRYPT passwords embed multiple values into a single field, in particular the algorithm and the salt used. This method is known as Modular Crypt Format
      http://www.tummy.com/journals/entries/jafo_20110117_054918

      When given a userPassword field described using this system, the "show password details" display on the value editor gets the salt wrong and fails to verify.

        Activity

        Stefan Seelmann added a comment -

        Can you explain how salts should be displayed? Do you mean they should be prefixed with "$x$"? In LDAP the passwords are prefixed with "{schema}", which is defined in RFC 2307 http://tools.ietf.org/html/rfc2307#section-5.3

        Frank Fischer added a comment - - edited

        Old issue, but I encounter the same problem in all versions up to 2.0.0-M10

        The modular crypt format embeds the hashing algorithm used, the salt and the hash.

        man crypt 3
                    ID     | Method
                    ─────────────────────────────────────────────────────────
                      1    | MD5
                      2a   | Blowfish (not in mainline glibc; added in some Linux distributions)
                      5    | SHA-256 (since glibc 2.7)
                      6    | SHA-512 (since glibc 2.7)
        
        Example
        
        $6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1
        
                $6$ : SHA-512 is used
           af1ae9db : Salt
        Viz...n49.1 : Hash (shortened for clarification) (cleartext: 'secret')
        

        If you now put the value from the example into a userPassword field of OpenLDAP like this

        {CRYPT}$6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1

        and OpenLDAP is running on a Linux system having glibc >= 2.7, then the authentication works, but DirectoryStudio is not able to verify the password, nor to display the salt.

        Judging from CODEC-133 and reading https://commons.apache.org/proper/commons-codec/apidocs/org/apache/commons/codec/digest/Crypt.html, parts of the needed functionality are already available in Java.
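
An added example, not part of the issue thread or of Directory Studio's code: one way to split a {CRYPT} userPassword value into its modular crypt fields and check a candidate password with the commons-codec Crypt class the comment points to. The class name McfUserPassword and its methods are hypothetical; it assumes Java 16+ and commons-codec on the classpath, and handles only ids 1, 5 and 6.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.codec.digest.Crypt;

public class McfUserPassword {
    // "{CRYPT}" scheme prefix, then $id$[rounds=N$]salt$hash.
    // Only ids 1, 5 and 6 are handled; "2a" (Blowfish) has a different layout.
    private static final Pattern MCF = Pattern.compile(
        "\\{(?i:CRYPT)\\}(\\$([156])\\$(?:rounds=(\\d+)\\$)?"
        + "([./A-Za-z0-9]{1,16})\\$([./A-Za-z0-9]+))");

    record Parsed(String mcf, String id, String rounds, String salt, String hash) {}

    static Parsed parse(String userPassword) {
        Matcher m = MCF.matcher(userPassword);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a supported {CRYPT} value");
        }
        // group(1) is everything after "{CRYPT}": the string crypt(3) itself produced.
        return new Parsed(m.group(1), m.group(2), m.group(3), m.group(4), m.group(5));
    }

    static boolean verify(String userPassword, String candidate) {
        Parsed p = parse(userPassword);
        // Passing the stored string as "salt" makes Crypt reuse its id, rounds and salt.
        String recomputed = Crypt.crypt(candidate.getBytes(StandardCharsets.UTF_8), p.mcf());
        // Constant-time comparison of the full modular crypt strings.
        return MessageDigest.isEqual(
            recomputed.getBytes(StandardCharsets.US_ASCII),
            p.mcf().getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Value and cleartext as given in the comment above.
        String stored = "{CRYPT}$6$af1ae9db$VizZoRwsguLHJsl4cGT4/mJKrcXVemgIVoEGLhRjIH56"
            + "bMgxcnNlzeL91B9c/jHVI0jZzDircJgYuYc/Jn49.1";
        Parsed p = parse(stored);
        System.out.println("id=" + p.id() + " salt=" + p.salt() + " hash=" + p.hash());
        System.out.println("verifies: " + verify(stored, "secret"));
    }
}
```

The salt shown to the user is only the third field; verification needs the whole string after the {CRYPT} prefix, including the id and any rounds= parameter.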


          People

          • Assignee: Unassigned
          • Reporter: Justin Dugger
          • Votes: 0
          • Watchers: 1
