Hello all,We've just noticed that when a user authenticates via LDAP, it ignores characters after the right password. For example a user jkc900 has Password Welcome1 But the user can type in Welcome1111 or Welcome12 etc and still can get into the application. Its just checking the first Welcome1 and they can type anything after that and still can log in. We've tested at least 50 users and they all have the same issues. Any clues/ solution for this? Your inputs are highly appreciated. Jeevan
You neglected to say which password encryption scheme you were using but if I was going to guess, based on your question, you are using crypt. Suggest you use SSHA
Craig White System Administrator O 623-201-8179 M 602-377-9752
[cid:image001.png@01CF86FE.42D51630]
SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of jeevan kc Sent: Thursday, May 14, 2015 2:03 PM To: openldap-technical@openldap.org Subject: Openldap password problems
Hello all, We've just noticed that when a user authenticates via LDAP, it ignores characters after the right password. For example a user jkc900 has Password Welcome1 But the user can type in Welcome1111 or Welcome12 etc and still can get into the application. Its just checking the first Welcome1 and they can type anything after that and still can log in. We've tested at least 50 users and they all have the same issues. Any clues/ solution for this?
Your inputs are highly appreciated. Jeevan
You're absolutely right Craig. It's using crypt . Any way I can change it to SHA hashed ? Thanks
Jeevan
From: CWhite@skytouchtechnology.com To: jeev_biz@hotmail.com; openldap-technical@openldap.org Subject: RE: Openldap password problems Date: Thu, 14 May 2015 21:05:54 +0000
You neglected to say which password encryption scheme you were using but if I was going to guess, based on your question, you are using crypt. Suggest you use SSHA
Craig White System Administrator O 623-201-8179 M 602-377-9752
SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of jeevan kc
Sent: Thursday, May 14, 2015 2:03 PM
To: openldap-technical@openldap.org
Subject: Openldap password problems
Hello all,
We've just noticed that when a user authenticates via LDAP, it ignores characters after the right password.
For example a user jkc900 has Password Welcome1
But the user can type in Welcome1111 or Welcome12 etc and still can get into the application. Its just checking the first Welcome1 and they can type anything after that and still can log in. We've tested at least 50 users and they all have the same issues. Any clues/ solution for this?
Your inputs are highly appreciated.
Jeevan
--On Thursday, May 14, 2015 10:02 PM +0000 jeevan kc jeev_biz@hotmail.com wrote:
Hello all, We've just noticed that when a user authenticates via LDAP, it ignores characters after the right password. For example a user jkc900 has Password Welcome1
What password hashing mechanism are you using?
"Welcome1" is exactly 8 characters. Older, insecure hashes only treat the first 8 characters as significant.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
Thanks Quanah, It shows up as crypt hashed. Is there any way I can change it to SHA hashed ?
Jeevan
Date: Thu, 14 May 2015 14:07:01 -0700 From: quanah@zimbra.com To: jeev_biz@hotmail.com; openldap-technical@openldap.org Subject: Re: Openldap password problems
--On Thursday, May 14, 2015 10:02 PM +0000 jeevan kc jeev_biz@hotmail.com wrote:
Hello all, We've just noticed that when a user authenticates via LDAP, it ignores characters after the right password. For example a user jkc900 has Password Welcome1
What password hashing mechanism are you using?
"Welcome1" is exactly 8 characters. Older, insecure hashes only treat the first 8 characters as significant.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
--On Thursday, May 14, 2015 10:15 PM +0000 jeevan kc jeev_biz@hotmail.com wrote:
Thanks Quanah, It shows up as crypt hashed. Is there any way I can change it to SHA hashed ?
OpenLDAP defaults to using SSHA, so your configuration must have changed that to using crypt. I'd suggest modifying your configurations to default back to SSHA (I personally use SSHA-512 these days with the sha2 contrib module).
You don't note your OpenLDAP release, which would also be useful information.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
Openldap version is 2.4.30. When I check the configuration inside cn=config I found this [root@lap00617 cn=config]# cat olcDatabase={-1}frontend.ldifdn: olcDatabase={-1}frontendobjectClass: olcDatabaseConfigobjectClass: olcFrontendConfigolcDatabase: {-1}frontendolcAddContentAcl: FALSEolcLastMod: TRUEolcMaxDerefDepth: 0olcReadOnly: FALSEolcSchemaDN: cn=SubschemaolcSizeLimit: 1500olcSyncUseSubentry: FALSEolcMonitoring: FALSEolcPasswordHash: {CRYPT}
Should I change this CRYPT to SSHA ? Thanks, Quanah
Jeevan
Date: Thu, 14 May 2015 14:27:19 -0700 From: quanah@zimbra.com To: jeev_biz@hotmail.com; openldap-technical@openldap.org Subject: RE: Openldap password problems
--On Thursday, May 14, 2015 10:15 PM +0000 jeevan kc jeev_biz@hotmail.com wrote:
Thanks Quanah, It shows up as crypt hashed. Is there any way I can change it to SHA hashed ?
OpenLDAP defaults to using SSHA, so your configuration must have changed that to using crypt. I'd suggest modifying your configurations to default back to SSHA (I personally use SSHA-512 these days with the sha2 contrib module).
You don't note your OpenLDAP release, which would also be useful information.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
--On Thursday, May 14, 2015 10:33 PM +0000 jeevan kc jeev_biz@hotmail.com wrote:
Openldap version is 2.4.30. When I check the configuration inside cn=config I found this
olcPasswordHash: {CRYPT}
Should I change this CRYPT to SSHA ? Thanks, Quanah
Yes.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
No
[craig.white@ldp002wsoin99 ~]$ slappasswd -h {SSHA} New password: Re-enter new password: {SSHA}qxTmLitvGPkJRJoGT7qroMJOQ4udfMeC
Use ldapmodify to change the password similar to this above. Use whatever application you are using to set passwords and change to SSHA as default if possible.
Craig White System Administrator O 623-201-8179 M 602-377-9752
[cid:image001.png@01CF86FE.42D51630]
SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of jeevan kc Sent: Thursday, May 14, 2015 2:34 PM To: Quanah Gibson-Mount; openldap-technical@openldap.org Subject: RE: Openldap password problems
Openldap version is 2.4.30. When I check the configuration inside cn=config I found this
[root@lap00617 cn=config]# cat olcDatabase={-1}frontend.ldif dn: olcDatabase={-1}frontend objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 0 olcReadOnly: FALSE olcSchemaDN: cn=Subschema olcSizeLimit: 1500 olcSyncUseSubentry: FALSE olcMonitoring: FALSE olcPasswordHash: {CRYPT}
Should I change this CRYPT to SSHA ? Thanks, Quanah
Jeevan
Date: Thu, 14 May 2015 14:27:19 -0700 From: quanah@zimbra.commailto:quanah@zimbra.com To: jeev_biz@hotmail.commailto:jeev_biz@hotmail.com; openldap-technical@openldap.orgmailto:openldap-technical@openldap.org Subject: RE: Openldap password problems
--On Thursday, May 14, 2015 10:15 PM +0000 jeevan kc <jeev_biz@hotmail.commailto:jeev_biz@hotmail.com> wrote:
Thanks Quanah, It shows up as crypt hashed. Is there any way I can change it to SHA hashed ?
OpenLDAP defaults to using SSHA, so your configuration must have changed that to using crypt. I'd suggest modifying your configurations to default back to SSHA (I personally use SSHA-512 these days with the sha2 contrib module).
You don't note your OpenLDAP release, which would also be useful information.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
--On Thursday, May 14, 2015 10:53 PM +0000 Craig White CWhite@skytouchtechnology.com wrote:
No
I disagree. Setting the default to {CRYPT} is a security nightmare, regardless of what the application is doing. If the application is (correctly) using an ldapv3 password modify op, it'll get set to CRYPT on the openldap server due to their (broken) configuration.
Better solution is to ensure the openldap default is sane, and to also verify the web application is sane.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
-----Original Message----- From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] Sent: Thursday, May 14, 2015 2:59 PM To: Craig White; jeevan kc; openldap-technical@openldap.org Subject: RE: Openldap password problems
--On Thursday, May 14, 2015 10:53 PM +0000 Craig White CWhite@skytouchtechnology.com wrote:
No
I disagree. Setting the default to {CRYPT} is a security nightmare, regardless of what the application is doing. If the application is (correctly) using an ldapv3 password modify op, it'll get set to CRYPT on the openldap server due to their (broken) configuration.
Better solution is to ensure the openldap default is sane, and to also verify the web application is sane. ---- Yes, sorry - don't mean to disagree with your thinking. I gathered he thought he could just change the terms from crypt to sha or ssha and that OpenLDAP would take care of it automatically.
Yes, crypt is ancient and easily defeated I gather (never tried myself). Yes, changing the default scheme is good but we don't know how he is creating users/passwords.
Craig
Craig and Quanah, Thank you so much for you valuable inputs. I'll change the default scheme to SSHA and also work with the web developers and check how the application is creating/updating the LDAP password. This helps a lot. I'll keep updated. Thanks again!
Jeevan
From: CWhite@skytouchtechnology.com To: quanah@zimbra.com; jeev_biz@hotmail.com; openldap-technical@openldap.org Subject: RE: Openldap password problems Date: Thu, 14 May 2015 22:01:59 +0000
-----Original Message----- From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] Sent: Thursday, May 14, 2015 2:59 PM To: Craig White; jeevan kc; openldap-technical@openldap.org Subject: RE: Openldap password problems
--On Thursday, May 14, 2015 10:53 PM +0000 Craig White CWhite@skytouchtechnology.com wrote:
No
I disagree. Setting the default to {CRYPT} is a security nightmare, regardless of what the application is doing. If the application is (correctly) using an ldapv3 password modify op, it'll get set to CRYPT on the openldap server due to their (broken) configuration.
Better solution is to ensure the openldap default is sane, and to also verify the web application is sane.
Yes, sorry - don't mean to disagree with your thinking. I gathered he thought he could just change the terms from crypt to sha or ssha and that OpenLDAP would take care of it automatically.
Yes, crypt is ancient and easily defeated I gather (never tried myself). Yes, changing the default scheme is good but we don't know how he is creating users/passwords.
Craig
Quanah Gibson-Mount wrote:
Setting the default to {CRYPT} is a security nightmare,
Such a general statement is non-sense without taking a closer look at which crypt scheme is really used.
Consult your local crypt(3) man page to see whether crypt schemes like "$6$" or "$2b$" are supported on your system which are definitely stronger than simple {SSHA}. Then use password-crypt-salt-format to make use of such a crypt scheme.
Ciao, Michael.
This is what I use. I'm not sure this is the highest possible security but it did fix the "ignore anything over 8 characters" issue.
password-hash {CRYPT} password-crypt-salt-format "$6$%.12s"
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Michael Ströder Sent: Friday, May 15, 2015 5:08 AM To: Quanah Gibson-Mount; openldap-technical@openldap.org Subject: Re: Openldap password problems
Quanah Gibson-Mount wrote:
Setting the default to {CRYPT} is a security nightmare,
Such a general statement is non-sense without taking a closer look at which crypt scheme is really used.
Consult your local crypt(3) man page to see whether crypt schemes like "$6$" or "$2b$" are supported on your system which are definitely stronger than simple {SSHA}. Then use password-crypt-salt-format to make use of such a crypt scheme.
Ciao, Michael.
Hi all,
Right now we may say, IMHO, this is a strongest encryption available in POSIX systems. SHA-1 ({SSHA}, default in OpenLDAP) is good one also (IMHO), to crack it you must mobilize many means. The question is: does the degree of confidentiality of data deserve to opt for a bit more complicated setup ?
Cheers.
Le 15/05/2015 20:02, Albert Braden a écrit :
This is what I use. I'm not sure this is the highest possible security but it did fix the "ignore anything over 8 characters" issue.
password-hash {CRYPT} password-crypt-salt-format "$6$%.12s"
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Michael Ströder Sent: Friday, May 15, 2015 5:08 AM To: Quanah Gibson-Mount; openldap-technical@openldap.org Subject: Re: Openldap password problems
Quanah Gibson-Mount wrote:
Setting the default to {CRYPT} is a security nightmare,
Such a general statement is non-sense without taking a closer look at which crypt scheme is really used.
Consult your local crypt(3) man page to see whether crypt schemes like "$6$" or "$2b$" are supported on your system which are definitely stronger than simple {SSHA}. Then use password-crypt-salt-format to make use of such a crypt scheme.
Ciao, Michael.
--On Saturday, May 16, 2015 10:19 AM +0200 Abdelhamid Meddeb abdelhamid@meddeb.net wrote:
Hi all,
Right now we may say, IMHO, this is a strongest encryption available in POSIX systems. SHA-1 ({SSHA}, default in OpenLDAP) is good one also (IMHO), to crack it you must mobilize many means. The question is: does the degree of confidentiality of data deserve to opt for a bit more complicated setup ?
And as I noted before, you can do SSHA-512 or other methods with the sha2 contrib module.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
On Thu, May 14, 2015 at 09:02:30PM +0000, jeevan kc wrote:
Hello all,We've just noticed that when a user authenticates via LDAP, it ignores characters after the right password. For example a user jkc900 has Password Welcome1 But the user can type in Welcome1111 or Welcome12 etc and still can get into the application. Its just checking the first Welcome1 and they can type anything after that and still can log in.
Which password hash are you using? Old crypt(3) formats had this kind of problem.
Which OpenLDAP version are you using?
Can you provide a few examples of userPassword attributes that demonstrate this problem?
Is your application using simple binds, or something else (ie. SASL)?
On 05/14/15 21:02 +0000, jeevan kc wrote:
Hello all,We've just noticed that when a user authenticates via LDAP, it ignores characters after the right password. For example a user jkc900 has Password Welcome1 But the user can type in Welcome1111 or Welcome12 etc and still can get into the application. Its just checking the first Welcome1 and they can type anything after that and still can log in. We've tested at least 50 users and they all have the same issues. Any clues/ solution for this? Your inputs are highly appreciated.
Can you reproduce this with ldapwhoami?
Is there a 3rd party PAM or NSS library involved in your authentication?
Hi Dan, We use a web application to rest user password and when a password is reset it shows up as crypt hashed in userPassword attribute. Any way I can change it SHA hashed or is it something that needs to be done in the application itself? Thanks
Jeevan
Date: Thu, 14 May 2015 16:12:41 -0500 From: dwhite@cafedemocracy.org To: jeev_biz@hotmail.com CC: openldap-technical@openldap.org Subject: Re: Openldap password problems
On 05/14/15 21:02 +0000, jeevan kc wrote:
Hello all,We've just noticed that when a user authenticates via LDAP, it ignores characters after the right password. For example a user jkc900 has Password Welcome1 But the user can type in Welcome1111 or Welcome12 etc and still can get into the application. Its just checking the first Welcome1 and they can type anything after that and still can log in. We've tested at least 50 users and they all have the same issues. Any clues/ solution for this? Your inputs are highly appreciated.
Can you reproduce this with ldapwhoami?
Is there a 3rd party PAM or NSS library involved in your authentication?
-- Dan White
--On Thursday, May 14, 2015 10:19 PM +0000 jeevan kc jeev_biz@hotmail.com wrote:
Hi Dan, We use a web application to rest user password and when a password is reset it shows up as crypt hashed in userPassword attribute. Any way I can change it SHA hashed or is it something that needs to be done in the application itself? Thanks
It is possible the problem is the web application, yes. You'd have to provide more information about how the web application changes a user's password.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
-
Abdelhamid Meddeb -
Albert Braden -
Craig White -
Dan White -
jeevan kc -
Michael Ströder -
Quanah Gibson-Mount -
Ryan Tandy