Check LDAP password with SHA512

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Jan 27 23:19:39 CET 2016


> On Jan 27, 2016, at 5:13 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
>> 
>> On Jan 27, 2016, at 5:08 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>> 
>> 
>>> On Jan 27, 2016, at 4:36 PM, Will W. <will at damagesinc.net> wrote:
>>> 
>>> Question
>>> With Start_TLS yes
>>> this is enabling the Freeradius to connect to the LDAP server over a TLS tunnel correct?
>> 
>> Yes, the connection starts off as plaintext, then the ldap client requests to establish a TLS tunnel.
>> 
>> Map looks OK.  You need to run ldapsearch with this invocation to see if the userPassword is being returned:
>> 
>> ldapsearch -H ldap://ldap.myhost.com:389 -ZZ -x -b "ou=Users,dc=myhost,dc=com" -D "uid=demouser,ou=Users,dc=myhost,dc=com" -w testing123 "(objectClass=posixGroup)" userPassword
> 
> Here are the headers and what they map to:
> 
> /*
> *	For auto-header discovery.
> *
> *	@note Header comparison is case insensitive.
> */
> static const FR_NAME_NUMBER header_names[] = {
> 	{ "{clear}",		PW_CLEARTEXT_PASSWORD },
> 	{ "{cleartext}",	PW_CLEARTEXT_PASSWORD },
> 	{ "{md5}",		PW_MD5_PASSWORD },
> 	{ "{base64_md5}",	PW_MD5_PASSWORD },
> 	{ "{smd5}",		PW_SMD5_PASSWORD },
> 	{ "{crypt}",		PW_CRYPT_PASSWORD },
> #ifdef HAVE_OPENSSL_EVP_H
> 	/*
> 	 *	It'd make more sense for the headers to be
> 	 *	ssha2-* with SHA3 coming soon but we're at
> 	 *	the mercy of directory implementors.
> 	 */
> 	{ "{sha2}",		PW_SHA2_PASSWORD },
> 	{ "{sha224}",		PW_SHA2_PASSWORD },
> 	{ "{sha256}",		PW_SHA2_PASSWORD },
> 	{ "{sha384}",		PW_SHA2_PASSWORD },
> 	{ "{sha512}",		PW_SHA2_PASSWORD },
> 	{ "{ssha224}",		PW_SSHA2_224_PASSWORD },
> 	{ "{ssha256}",		PW_SSHA2_256_PASSWORD },
> 	{ "{ssha384}",		PW_SSHA2_384_PASSWORD },
> 	{ "{ssha512}",		PW_SSHA2_512_PASSWORD },
> #endif
> 	{ "{sha}",		PW_SHA_PASSWORD },
> 	{ "{ssha}",		PW_SSHA_PASSWORD },
> 	{ "{md4}",		PW_NT_PASSWORD },
> 	{ "{nt}",		PW_NT_PASSWORD },
> 	{ "{nthash}",		PW_NT_PASSWORD },
> 	{ "{x-nthash}",		PW_NT_PASSWORD },
> 	{ "{ns-mta-md5}",	PW_NS_MTA_MD5_PASSWORD },
> 	{ "{x- orcllmv}",	PW_LM_PASSWORD },
> 	{ "{X- orclntv}",	PW_NT_PASSWORD },
> 	{ NULL, 0 }
> };
> 
> You need to call the pap module in authorize after the LDAP module in order to strip the header and perform the conversion.
> 
> It also does a bunch of normalisation.  It could be you have the modules in the wrong order, pap then ldap when you need ldap then pap.

Finally, you probably want ssha512 not sha512.  It'll be more complex to implement, but in reality sha512 will likely give you less protection than ssha.  It's fairly trivial to generate rainbow tables, the bigger hash size just means you need more disk space :)

Get sha512 working first though, and worry about the salting later.

-Arran
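Added example (not part of the thread above and not FreeRADIUS code): a small Python model of what the header table and the pap step amount to. It builds userPassword values in the {SHA512} and {SSHA512} forms, strips the header case-insensitively, accepts the digest as either base64 or hex (a simplified stand-in for the normalisation rlm_pap does) and verifies a cleartext candidate. It also shows the point about salting: unsalted SHA-512 of the same password is always the same value, the salted one is not. The 8-byte salt length and the "everything after the digest is salt" layout are assumptions made for this example, matching the common base64(digest || salt) convention rather than anything the thread specifies.

```python
import base64
import hashlib
import hmac
import os

# Subset of the rlm_pap header table above, lower-cased:
# header -> (hashlib digest name, salted?)
HEADERS = {
    "{sha224}":  ("sha224", False),
    "{sha256}":  ("sha256", False),
    "{sha384}":  ("sha384", False),
    "{sha512}":  ("sha512", False),
    "{ssha224}": ("sha224", True),
    "{ssha256}": ("sha256", True),
    "{ssha384}": ("sha384", True),
    "{ssha512}": ("sha512", True),
}


def split_header(value):
    """Return (header, payload); the header is compared case-insensitively."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("userPassword value has no {header} prefix")
    end = value.index("}")
    return value[:end + 1].lower(), value[end + 1:]


def decode_payload(payload, digest_len):
    """Simplified normalisation (assumption, not rlm_pap's exact logic):
    the text after the header may be hex or base64.  Hex is only tried
    when the text is all hex digits and long enough for one digest."""
    s = payload.strip()
    is_hex = len(s) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in s)
    if is_hex and len(s) // 2 >= digest_len:
        return bytes.fromhex(s)
    return base64.b64decode(s, validate=True)


def make_hash(password, header="{ssha512}", salt=None):
    """Build a userPassword value.  Salted layout assumed here is
    base64(digest(password || salt) || salt); the 8-byte salt is a
    choice, since everything after the digest is treated as salt."""
    name, salted = HEADERS[header.lower()]
    pw = password.encode("utf-8")
    if salted:
        if salt is None:
            salt = os.urandom(8)
        payload = hashlib.new(name, pw + salt).digest() + salt
    else:
        payload = hashlib.new(name, pw).digest()
    return header.upper() + base64.b64encode(payload).decode("ascii")


def hex_variant(password, header="{sha512}"):
    """The same unsalted digest written as hex instead of base64."""
    name, salted = HEADERS[header.lower()]
    if salted:
        raise ValueError("hex form only shown for unsalted headers")
    return header.upper() + hashlib.new(name, password.encode("utf-8")).hexdigest()


def check_password(stored, candidate):
    """What the pap step amounts to once ldap has supplied the attribute:
    strip the header, decode, hash the candidate the same way, compare."""
    header, payload = split_header(stored)
    if header not in HEADERS:
        raise ValueError("unsupported header %s" % header)
    name, salted = HEADERS[header]
    digest_len = hashlib.new(name).digest_size
    raw = decode_payload(payload, digest_len)
    if len(raw) < digest_len:
        return False
    digest, salt = raw[:digest_len], raw[digest_len:]
    if salt and not salted:
        return False  # an unsalted value must be exactly one digest
    computed = hashlib.new(name, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    pw = "testing123"  # constructed sample password
    # Unsalted: same password, same stored value, so one precomputed
    # table serves every user in every directory.
    print(make_hash(pw, "{sha512}") == make_hash(pw, "{sha512}"))
    # Salted: two users with the same password store different values.
    print(make_hash(pw) == make_hash(pw))
    print(check_password(make_hash(pw), pw))
    print(check_password(hex_variant(pw), pw))
```

Running it prints True, False, True, True: the unsalted form repeats, the salted form does not, and both the base64 and hex spellings of the unsalted digest verify.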

