
I have hashed and salted passwords in OpenLDAP for login via PAM in Linux. The setup works when the hashes are of type SHA-1 (salted or unsalted) or plain text. In these cases everything works fine and a user can login with these credentials.

If I switch to salted SHA-256 (SSHA-256) passwords, then the user can't login with the correct password. Probably pam_ldap does not understand SHA-256? I can't find any documentation stating this restriction, but also can't find configuration examples showing that it is possible.

What do I have to do? Configure/compile pam_ldap for SHA-256? Use something else than PAM?

I am forced to use salted SHA-256 as the credentials are already present in another (leading) datastore and have to be synchronized to OpenLDAP.

  • Sorry: I don't understand what "switch to SHA-256" means. How do you do that? Is it a PAM configuration? If you want to store SHA-256 passwords in OpenLDAP you require a module. Commented Nov 9, 2015 at 11:44
  • @473183469 I just store the password with a different hashing algorithm "by hand" using an OpenLDAP configuration UI. Commented Nov 9, 2015 at 11:57
  • The prefix for SHA256 is {SHA256}. Does the userPassword attribute of your users start with this prefix? Commented Nov 9, 2015 at 12:03
  • @473183469 No. The prefix is {ssha256}, but this is not the problem. PAM is the problem. Commented Nov 9, 2015 at 12:06
  • @473183469 That's it (true). Commented Nov 9, 2015 at 12:48

1 Answer

See the CRYPT function: https://www.redpill-linpro.com/techblog/2016/08/16/ldap-password-hash.html

OpenLDAP pass-through authentication

OpenLDAP can also use external processes to verify and hash passwords. These schemes are:

  • CRYPT - will use the OS' crypt library as a password handler
  • SASL - will use Cyrus SASL as a password handler

Cyrus SASL was last updated in 2012, but CRYPT is a part of the POSIX API and should be continuously updated. So - can CRYPT give us an up-to-date hash?

Crypt to the rescue

It turns out that the Linux-based glibc version of crypt supports additional encryption schemes through an additional versioning scheme encoded in the password hash, sometimes called the modular crypt format:

  • 1 - MD5
  • 2a - Blowfish / bcrypt
  • 5 - SHA-256
  • 6 - SHA-512
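The question's {SSHA256} values and the answer's {CRYPT} modular-format values look alike at a glance but are verified by completely different code paths (OpenLDAP's own SHA-2 handling versus the OS crypt library). The following is an added example, not code from the question, the answer or the linked blog: it builds and verifies an {SSHA256} value the way OpenLDAP's salted schemes lay it out (base64 of digest followed by salt, an assumption stated in the comments), and it classifies existing userPassword values by scheme so an administrator can audit which entries carry a {CRYPT} hash with one of the glibc ids listed above. The helper names and the 8-byte salt length are the example's own choices.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Modular-crypt-format ids understood by glibc crypt, as listed in the answer.
CRYPT_IDS = {"1": "MD5", "2a": "bcrypt", "5": "SHA-256", "6": "SHA-512"}

# userPassword values carry the scheme in braces, e.g. "{SSHA256}base64...".
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

SHA256_DIGEST_LEN = 32


def make_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA256} value: base64(sha256(password + salt) + salt).

    Assumption: digest-then-salt layout, matching OpenLDAP's {SSHA} family.
    The 8-byte random salt is this example's choice.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha256(password: str, stored: str) -> bool:
    """Check a candidate password against an {SSHA256} value (constant-time compare)."""
    match = SCHEME_RE.match(stored)
    if not match or match.group(1).upper() != "SSHA256":
        return False
    try:
        raw = base64.b64decode(match.group(2), validate=True)
    except (ValueError, base64.binascii.Error):
        return False
    if len(raw) <= SHA256_DIGEST_LEN:
        return False  # no salt present: malformed value
    digest, salt = raw[:SHA256_DIGEST_LEN], raw[SHA256_DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def classify(stored: str) -> Tuple[str, Optional[str]]:
    """Return (scheme, detail) for one userPassword value.

    For {CRYPT} values the detail is the glibc algorithm named by the "$id$" prefix,
    or "traditional-DES" when there is no modular-format prefix.
    """
    match = SCHEME_RE.match(stored)
    if not match:
        return ("cleartext", None)
    scheme, rest = match.group(1).upper(), match.group(2)
    if scheme == "CRYPT":
        parts = rest.split("$")  # "$5$salt$hash" -> ["", "5", "salt", "hash"]
        if rest.startswith("$") and len(parts) >= 4 and parts[1] in CRYPT_IDS:
            return ("CRYPT", CRYPT_IDS[parts[1]])
        return ("CRYPT", "traditional-DES")
    return (scheme, None)


def audit(values) -> dict:
    """Count userPassword values per (scheme, detail) so weak or unexpected schemes stand out."""
    counts: dict = {}
    for value in values:
        key = classify(value)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample values; the {CRYPT} digests are placeholders, not real hashes.
    sample = [
        make_ssha256("correct horse"),
        "{SSHA}c2FsdGVkc2hhMQ==",
        "{CRYPT}$5$saltsalt$PLACEHOLDERDIGEST",
        "{CRYPT}$6$saltsalt$PLACEHOLDERDIGEST",
        "{CRYPT}abJnggxhB/yWI",
        "plaintextpassword",
    ]
    for value in sample:
        print(classify(value), value[:24])
    print(audit(sample))
```

A value that classifies as ("CRYPT", "SHA-256") is one the OS crypt library will verify, which is the route the answer proposes; an {SSHA256} value is verified by OpenLDAP itself and, per the question, does not survive the pam_ldap path in that setup. The {CRYPT} values themselves must be produced by the system crypt library (for instance via slappasswd), since the sha256-crypt algorithm is not the plain salted digest that verify_ssha256 computes.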
