On 04/09/2011 05:23 PM, harry.jede@arcor.de wrote:
I find those hard to read, so:
$ echo e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0= | openssl enc -d -base64
{MD5}i27/v62xAo6b8GmvaGPx6w==
$ echo e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA= | openssl enc -d -base64
{crypt}$1$DuT3b0KP$MF6d9Pj8axRAztEoU45T40
I did try to add the md5 variable in the pam stack but unsuccessfully,
No, no, $1$ at the beginning of the password hash indicates crypt's implementation of md5. And this has nothing to do with MD5 hashes,
Thanks for the clarification, didn't know it
I also tried to change the authconfig command to generate md5 passwords but they didn't fit the ones in the server.
A common misunderstanding,
From "man slappasswd"
-c crypt-salt-format
Specify the format of the salt passed to crypt(3) when generating {CRYPT} passwords. This string needs to be in sprintf(3) format and may include one (and only one) %s conversion. This conversion will be substituted with a string random characters from [A-Za-z0-9./]. For example, ’%.2s’ provides a two character salt and ’$1$%.8s’ tells some versions of crypt(3) to use an MD5 algorithm and provides 8 random characters of salt. The default is ’%s’, which provides 31 characters of salt.
If you set in slapd.conf: password-crypt-salt-format '$1$%.8s'
then the password is stored in crypt's md5 format.
But normally that is not what you want. Even with md5, crypt is much weaker than ssha. Only if you have really old unices in your network should you use crypt.
Considering your words I will go for ssha passwords, I'll try to figure out how to do it, after all tests I don't know how to change this. At least I could see that the password exop option in the pam_ldap.conf lets the server apply the security to the password, so I think I can change it within the slapd.conf file. Do you suggest to use salt?
Thanks a lot for your help, j
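The difference discussed in this thread, as an added example that is not part of the original messages and is not OpenLDAP code: it decodes the two base64 userPassword values quoted above, reports whether each is a raw unsalted {MD5} digest or a salted crypt(3) string, and builds and checks a {SSHA} value. The function names, the 8-byte salt length and the sample password are assumptions made for the illustration.

```python
import base64, hashlib, hmac, os, re

# The two base64 userPassword values quoted in the thread.
THREAD_VALUES = [
    "e01ENX1pMjcvdjYyeEFvNmI4R212YUdQeDZ3PT0=",
    "e2NyeXB0fSQxJER1VDNiMEtQJE1GNmQ5UGo4YXhSQXp0RW9VNDVUNDA=",
]

def describe(ldif_b64):
    """Decode an LDIF 'userPassword::' value and report how it was hashed."""
    stored = base64.b64decode(ldif_b64).decode("ascii")
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", stored)
    if not m:
        return {"stored": stored, "scheme": "cleartext", "salted": False}
    scheme, body = m.group(1).upper(), m.group(2)
    info = {"stored": stored, "scheme": scheme, "salted": False}
    if scheme == "CRYPT":
        # crypt(3) modular format is $id$salt$hash; id 1 is md5-crypt.
        parts = body.split("$")
        if len(parts) == 4 and parts[0] == "":
            info.update(crypt_id=parts[1], salt=parts[2], salted=True)
        else:  # traditional DES crypt: the first two characters are the salt
            info.update(crypt_id="des", salt=body[:2], salted=True)
    elif scheme in ("MD5", "SHA"):
        # base64 of the raw digest of the password alone, no salt
        info["digest_len"] = len(base64.b64decode(body))
    elif scheme in ("SSHA", "SMD5"):
        # base64 of digest followed by the salt
        raw = base64.b64decode(body)
        dlen = 20 if scheme == "SSHA" else 16
        info.update(digest_len=dlen, salt=raw[dlen:], salted=True)
    return info

def make_ssha(password, salt=None):
    """Build {SSHA}: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt  # salt length is an assumption
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

if __name__ == "__main__":
    for value in THREAD_VALUES:
        print(describe(value))
    print(make_ssha(b"constructed-sample-password"))  # constructed sample input
```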