How to use SHA-256 hashed (and salted) passwords from OpenLDAP in pam_ldap?
See the CRYPT scheme: https://www.redpill-linpro.com/techblog/2016/08/16/ldap-password-hash.html
OpenLDAP pass-through authentication
OpenLDAP can also use external processes to verify and hash passwords. These schemes are:
CRYPT - will use the OS' crypt library as a password handler
SASL - will use Cyrus SASL as a password handler

Cyrus SASL was last updated in 2012, but CRYPT is a part of the POSIX API and should be continuously updated. So - can CRYPT give us an up-to-date hash?
Crypt to the rescue
It turns out that the Linux glibc version of crypt supports additional encryption schemes through an additional versioning scheme encoded in the password hash, sometimes called the modular crypt format:

1 - MD5
2a - Blowfish / bcrypt
5 - SHA-256
6 - SHA-512
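As an added example (not part of the answer or of the linked blog post), the script below reproduces the comparison slapd performs on userPassword, which is the check that actually decides the login: pam_ldap does not hash anything, it sends the cleartext password in a simple bind and slapd compares it against the stored value, so the scheme prefix has to be one slapd understands. {SHA} and {SSHA} (SHA-1) are built into slapd, the SHA-2 variants such as {SSHA256} come from the pw-sha2 contrib module and only work when that module is loaded, and {CRYPT} hands the stored value to the OS crypt(3), which is where the $5$ and $6$ identifiers listed above come in. The salted layout implemented here, base64(digest || salt) with an 8-byte salt, is the one slappasswd emits. The scheme table, the function names and the test vectors are this example's own constructions; the {CRYPT} branch depends on Python's crypt module, which is deprecated in 3.11 and removed in 3.13, so it is only reachable where that module still exists.

```python
import base64
import hashlib
import hmac
import os

# OpenLDAP userPassword schemes slapd can verify in-process: hashlib digest
# name and whether a salt is appended to the digest before base64 encoding.
# {SHA}/{SSHA} are built in; the SHA-2 entries require the pw-sha2 module.
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "SHA256": ("sha256", False),
    "SSHA256": ("sha256", True),
    "SHA384": ("sha384", False),
    "SSHA384": ("sha384", True),
    "SHA512": ("sha512", False),
    "SSHA512": ("sha512", True),
}

# crypt(3) modular-format identifiers from the list in the answer above.
CRYPT_IDS = {"1": "MD5", "2a": "Blowfish/bcrypt", "5": "SHA-256", "6": "SHA-512"}


def make_hash(password, scheme="SSHA256", salt=None):
    """Build a userPassword value laid out as {SCHEME}base64(digest || salt).

    A fixed salt makes the output reproducible; otherwise 8 random bytes are
    used, matching the slappasswd default (assumption made for this example).
    """
    scheme = scheme.upper()
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_scheme(stored):
    """Return (SCHEME, payload); a value with no {..} prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.upper(), payload   # slapd matches schemes case-insensitively
    return "CLEARTEXT", stored


def crypt_algorithm(payload):
    """Name the crypt(3) algorithm encoded in a {CRYPT} payload ($id$...)."""
    if payload.startswith("$"):
        ident = payload.split("$")[1]
        return CRYPT_IDS.get(ident, "unknown id $%s$" % ident)
    return "DES"   # traditional 13-character crypt has no $id$ prefix


def verify(password, stored):
    """Check a cleartext password against a userPassword value as slapd would."""
    scheme, payload = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme == "CRYPT":
        # The whole payload is the crypt(3) setting string, so $5$/$6$ hashes
        # work wherever the OS crypt library implements them.
        try:
            import crypt  # deprecated in Python 3.11, removed in 3.13
        except ImportError:
            raise NotImplementedError("{CRYPT} needs the platform crypt(3)")
        return hmac.compare_digest(crypt.crypt(password, payload), payload)
    if scheme not in SCHEMES:
        # slapd without the matching module behaves the same way: the bind fails.
        raise ValueError("scheme {%s} not supported here" % scheme)
    algo, salted = SCHEMES[scheme]
    try:
        blob = base64.b64decode(payload, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    size = hashlib.new(algo).digest_size
    if salted:
        if len(blob) < size:
            return False
        digest, salt = blob[:size], blob[size:]   # salt is whatever follows the digest
    else:
        if len(blob) != size:
            return False
        digest, salt = blob, b""
    return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)


if __name__ == "__main__":
    stored = make_hash("secret", "SSHA256")
    print(stored, verify("secret", stored), verify("wrong", stored))
    print(crypt_algorithm("$5$saltsalt$xyz"))
```

To apply the check to a real entry, run ldapwhoami with the user's DN and password (as the comments suggest): if that bind fails for a {SSHA256} value but succeeds for {SSHA}, slapd is missing the pw-sha2 module, and pam_ldap is not involved yet.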
Updated on September 18, 2022

Comments

mailq, almost 2 years:
I have hashed and salted passwords in OpenLDAP for login via PAM in Linux. The setup works when the hashes are of type SHA-1 (salted or unsalted) or plain text. In these cases everything works fine and a user can login with these credentials.
If I switch to salted SHA-256 (SSHA-256) passwords, then the user can't login with the correct password. Probably pam_ldap does not understand SHA-256? I can't find any documentation stating this restriction, but also can't find configuration examples showing that it is possible.
What do I have to do? Configure/compile pam_ldap for SHA-256? Use something else than PAM?
I am forced to use salted SHA-256 as the credentials are already present in another (leading) datastore and have to be synchronized to OpenLDAP.
473183469, over 8 years: Sorry, I don't understand what "switch to SHA-256" means. How do you do that? Is it a pam configuration? If you want to store SHA-256 passwords in OpenLDAP you require a module.

mailq, over 8 years: @473183469 I just store the password with a different hashing algorithm "by hand" using an OpenLDAP configuration UI.

473183469, over 8 years: The prefix for SHA256 is {SHA256}. Does the userPassword attribute of your users start with this prefix?

mailq, over 8 years: @473183469 No. The prefix is {ssha256}, but this is not the problem. PAM is the problem.

mailq, over 8 years: @473183469 That's it (true).

473183469, over 8 years: Oh yes, for salted SHA256 the prefix is {SSHA256}. Do you successfully bind to the directory as a user with a SHA256 password, for example with ldapwhoami? This will confirm PAM is the problem.

473183469, over 8 years: Let us continue this discussion in chat.