I have slapd configured with password-hash {SSHA}. I'm using slappasswd to generate passwords and notice that if I run it twice with the same secret that I get different results. I guess I don't understand this, but how does slapd verify a password if each time I generate it I get something different?
Confused!
\Greg
$OpenLDAP: slapd 2.3.27 (Oct 13 2006 09:16:43)
Greg,
I imagine it uses a password salting technique (see http://en.wikipedia.org/wiki/Password_salting) in order to better protect the hashed password from a precompiled dictionary attack. If password salting is used the salt is commonly stored as the prefix of the value you see.
Andrew
Interesting concept. So if I generate a SSHA hash and do not specify a salt, does slappasswd pick one? Any idea how long it is?
Thanks,
\Greg
Andrew Kay wrote:
Greg,
I imagine it uses a password salting technique (see http://en.wikipedia.org/wiki/Password_salting) in order to better protect the hashed password from a precompiled dictionary attack. If password salting is used the salt is commonly stored as the prefix of the value you see.
Andrew
Greg,
According to
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/liblutil/passw...
the salt is 4 bytes long. You don't specify a salt; a salt is randomly generated when your password is hashed.
Andrew
Andrew Kay wrote:
Greg,
According to
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/liblutil/passw...
The actual definition of SSHA comes from Netscape. You can get some info in the FAQ. http://www.openldap.org/faq/index.cgi?file=347
the salt is 4 bytes long. You don't specify a salt; a salt is randomly generated when your password is hashed.
Pretty standard practice for password hashing. (E.g., old Unix crypt uses a two character salt.)
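The following is an added example, not code from OpenLDAP or from anyone in this thread, showing why two slappasswd runs differ and how verification still works. It follows the {SSHA} layout OpenLDAP's liblutil produces: base64 of the 20-byte SHA-1 digest of (password || salt) followed by the 4-byte random salt, so the verifier recovers the salt from the stored value itself and recomputes the digest. The function names and the password strings are the example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4    # liblutil uses a 4-byte random salt for {SSHA}
SHA1_LEN = 20   # SHA-1 digest length in bytes
PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} userPassword value. A fresh random salt is drawn
    unless one is supplied, which is why repeated runs differ."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # OpenLDAP appends the salt after the digest before base64 encoding.
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def _split(stored: str) -> Optional[tuple]:
    """Decode a stored {SSHA} value into (digest, salt); None if malformed."""
    if not stored.startswith(PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= SHA1_LEN:
        return None  # no room for a salt after the digest
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_salt(stored: str) -> Optional[bytes]:
    """Return the salt embedded in a stored {SSHA} value."""
    parts = _split(stored)
    return None if parts is None else parts[1]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute SHA-1(password || salt) with the stored salt and compare
    in constant time, as slapd does conceptually at bind time."""
    parts = _split(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Two hashes of the same secret differ, yet both verify."""
    h1 = ssha_hash("secret")
    h2 = ssha_hash("secret")
    return {
        "hashes_differ": h1 != h2,
        "first_verifies": ssha_verify("secret", h1),
        "second_verifies": ssha_verify("secret", h2),
        "wrong_password_rejected": ssha_verify("Secret", h1),
        "salt_length": len(ssha_salt(h1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Comparing the two slappasswd outputs directly will never work; the only meaningful check is to decode the stored value, pull out the trailing salt and rehash the candidate password with it, which is what `ssha_verify` does.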
openldap-software@openldap.org