12:20 a.m.
Hello,
I want to understand how to retrieve the 'salt' which was used by the
LDAP server to hash a user's password with seeded sha1, i.e. SSHA;
when I do a ldapsearch from the UNIX cmd line I get the attribute as:
$ ldapsearch -h 10.45.xx.xx -p 389 -x -D ... 'cn=jrXXXXX'
...
dn: cn=jrXXXXX,ou=user,ou=....
userPassword:: e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q=
...
the above string I can decode with:
$ echo -n 'e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q=' | mmencode -u
{SSHA}MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD
but now I'm lost how to retrieve the 'salt' from it :-(
I have google'd around and see examples for this like in
http://www.pressinganswer.com/444023/how-can-i-retrieve-a-salt-from-ldap
<CITED ON>
With SSHA, normally the salt is appended to the SHA1 hash and then the
whole thing is Base64 encoded (I've never seen an LDAP that didn't do
SSHA this way). You should be
able to tell this by looking at the userPassword attribute. If it's 28
character long with a = at the end, it's only the hash.
If the Base64 value is 32 character long or greater, it contains both
the hash and the salt. Base64 decode the value and strip off the first
20 bytes, this is the SHA1 hash. The remaining bytes are the salt.
Example:
Base64 encoded hash with salt
userPassword: {SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0
Base64 decoded value
SHA1 Hash Salt
--------------------++++
123456789012345678901234
<CITED OFF>
I can repeat the given example with:
$ echo -n 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0' | mmencode -u
123456789012345678901234
but when I run the original string through decode, I get only binary nonsense from:
echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u
2
§íRùÞÃgð
What I do wrong or what I'm missing here?
The used 'mmencode' is on FreeBSD 10-CURRENT from a pkg:
$ pkg_info -W /usr/local/bin/mmencode
/usr/local/bin/mmencode was installed by package metamail-2.7_9
if this does any matter.
Thanks
matthias
--
Matthias Apitz | /"\ ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: guru(a)unixarea.de | \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ | X - No proprietary attachments
phone: +49-170-4527211 | / \ - Respect for open standards
1 a.m.
New subject: Antw: SSHA hashed passwords && retrieving the salt
>> Matthias Apitz <guru(a)unixarea.de> schrieb am 15.01.2014
um 09:20 in
Nachricht
<20140115082007.GA7160(a)sh4-5.1blu.de>:
[...]
I can repeat the given example with:
$ echo -n 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0' | mmencode -u
123456789012345678901234
but when I run the original string through decode, I get only binary
nonsense from:
echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u
2
§íRùÞÃg-ð
Remember: A byte is 8 bits; any combination. Just count bytes. Maybe this:
echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u | hexdump -C
What I do wrong or what I'm missing here?
All bits are used ;-)
Regards,
Ulrich
1:29 a.m.
New subject: Antw: SSHA hashed passwords && retrieving the salt
El día Wednesday, January 15, 2014 a las 10:00:47AM +0100, Ulrich Windl escribió:
>>> Matthias Apitz <guru(a)unixarea.de> schrieb am
15.01.2014 um 09:20 in
Nachricht
<20140115082007.GA7160(a)sh4-5.1blu.de>:
[...]
> I can repeat the given example with:
>
> $ echo -n 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0' | mmencode -u
> 123456789012345678901234
>
> but when I run the original string through decode, I get only binary
> nonsense from:
>
> echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u
> 2
> §íRùÞÃg-ð
Remember: A byte is 8 bits; any combination. Just count bytes. Maybe this:
echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u | hexdump -C
Thanks for the feedback; I have tried this already before:
$ echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u | od -tx1
0000000 32 0c 1f 92 a0 a7 1a ed 97 52 f9 96 de c3 67 ad
0000020 9f 69 57 44 c9 97 f0 83
but was thinking the salt, the last 4 bytes (0xc997f083) should have
been in ASCII... do they really seed with binary in LDAP?
matthias
--
Matthias Apitz | /"\ ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: guru(a)unixarea.de | \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ | X - No proprietary attachments
phone: +49-170-4527211 | / \ - Respect for open standards
2:43 a.m.
New subject: Antw: SSHA hashed passwords && retrieving the salt
El día Wednesday, January 15, 2014 a las 10:29:21AM +0100, Matthias Apitz escribió:
> > but when I run the original string through decode, I get
only binary
> > nonsense from:
> >
> > echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u
> > 2
> > §íRùÞÃg-ð
>
> Remember: A byte is 8 bits; any combination. Just count bytes. Maybe this:
>
> echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u | hexdump -C
Thanks for the feedback; I have tried this already before:
$ echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u | od -tx1
0000000 32 0c 1f 92 a0 a7 1a ed 97 52 f9 96 de c3 67 ad
0000020 9f 69 57 44 c9 97 f0 83
but was thinking the salt, the last 4 bytes (0xc997f083) should have
been in ASCII... do they really seed with binary in LDAP?
... but you are correct! it is the salt and it works fine
when I hash the users clear text pw with this salt "\xc9\x97\xf0\x83"
like this (blanking out the pw with XXXXXXXXXX):
#!/usr/bin/perl
#
use Digest::SHA1;
use MIME::Base64;
$ctx = Digest::SHA1->new;
$ctx->add('XXXXXXXXXX');
$ctx->add("\xc9\x97\xf0\x83");
$hashedPasswd = '{SSHA}' . encode_base64($ctx->digest .
"\xc9\x97\xf0\x83" ,'');
print 'userPassword: ' . $hashedPasswd . "\n";
it prints the correct SSHA hash:
$ ./sha.pl
userPassword: {SSHA}MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD
Thanks!
matthias
--
Matthias Apitz | /"\ ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: guru(a)unixarea.de | \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ | X - No proprietary attachments
phone: +49-170-4527211 | / \ - Respect for open standards
3537
days inactive
3537
days old
openldap-technical@openldap.org
3 comments
2 participants
participants (2)
-
Matthias Apitz -
Ulrich Windl