[PATCH] store extra password hashes in supplemental credentials
Stefan Metzmacher
metze at samba.org
Tue Apr 11 23:33:13 UTC 2017
Hi Gary and Andrew,
> Completed patch set to:
> - Calculate SHA256 and SHA512 password hashes and store in
> supplementalCredentials Primary:userPassword
> - add configuration options to control the generation of these
> hashes and the number of rounds used to calculate them.
> * 'password hash additional scheme'
> * 'password hash sha256 rounds'
> * 'password hash sha512 rounds'
> - add new virtual attributes virtualWDigest01 to virtualWDigest29 to
> make the WDigest values available
> - change virtualCryptSHA256 and virtualCryptSHA512 to:
> * return the stored values in Primary:userPassword if available
> * honor 'password hash sha256 rounds' and
> 'password hash sha512 rounds' when calculating the hashes.
>
> Review appreciated
I still think we should use {CRYPT} if we're using the crypt_r() function
to generate the value.
Looking at the openldap code I see
{SHA256} and {SHA512} only in contrib/slapd-modules/passwd/sha2/,
but not in the main code libraries/liblutil/passwd.c
Looking at the code I can't see how the value you calculate
using crypt_r() can be verified with the {SHA256} and {SHA512} code.
If we don't want to use {CRYPT} we should implement {SSHA256} and
{SSHA512} (with salt)
instead of {SHA256} and {SHA512} (without salt) and match the actual
implementation.
I still think it's confusing to have "password hash sha256 rounds" and
"password hash sha512 rounds" as separate options.
What about using the names virtualSSHA, virtualCryptSHA256,
virtualCryptSHA512
as names in:
/* one scheme/value pair, e.g. name = "virtualCryptSHA256" */
typedef struct {
[value(2*strlen_m(scheme))] uint16 name_len;
[charset(UTF16)] uint8 name[name_len];
[value((value?value->length:0))] uint32 value_len;
[relative,subcontext(0),subcontext_size(value_len),
flag(NDR_REMAINING)] DATA_BLOB *value;
} package_PrimaryVirtualPasswordValue;
/* the blob stored in supplementalCredentials, keyed to the current NT hash */
typedef [public] struct {
samr_Password current_nt_hash;
uint16 num_values;
package_PrimaryVirtualPasswordValue values[num_values];
} package_PrimaryVirtualPasswordsBlob;
If you want you can also implement virtualSSHA256 and virtualSSHA512
(in password_hash.c as well as in samba-tool user getpassword),
but using SHA{256,512}_{Init,Update,Final}() directly.
Very similar to virtualSSHA.
Sorry, but we really have to get this sane before it can be pushed.
metze
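The scheme mismatch raised above (a crypt_r() value cannot be checked by {SHA256}/{SHA512} code, while {SSHA256}/{SSHA512} carry their own salt), as an added example that is not part of this message or of Samba's or OpenLDAP's code. It assumes the value layout of OpenLDAP's contrib sha2 module, base64(digest(pw||salt)||salt), an 8-byte salt, and a constructed crypt-style placeholder string that is not a real hash.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# {SHA256}/{SHA512}: base64(digest(pw)); {SSHA256}/{SSHA512}: base64(digest(pw||salt)||salt),
# the layout used by OpenLDAP's contrib slapd sha2 module. The salt length is an assumption.
SALT_LEN = 8
_SCHEME_RE = re.compile(r"^\{(S?SHA(?:256|512))\}(.+)$")

def _scheme_parts(scheme: str):
    """'SSHA256' -> (True, 'sha256'); 'SHA512' -> (False, 'sha512')."""
    salted = scheme.startswith("SS")
    return salted, (scheme[1:] if salted else scheme).lower()

def make_sha2(password: bytes, scheme: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value for the given scheme (salt is only used when salted)."""
    salted, algo = _scheme_parts(scheme)
    salt = (os.urandom(SALT_LEN) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def verify_sha2(stored: str, password: bytes) -> bool:
    """Check a password against a {SHA*}/{SSHA*} value; any malformed value is False."""
    m = _SCHEME_RE.match(stored)
    if not m:
        return False
    scheme, b64 = m.groups()
    salted, algo = _scheme_parts(scheme)
    try:
        raw = base64.b64decode(b64, validate=True)   # a crypt(3) "$5$..." string fails here
    except ValueError:
        return False
    dlen = hashlib.new(algo).digest_size
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        return False                                  # wrong length / unexpected salt
    digest, salt = raw[:dlen], raw[dlen:]             # salt is whatever follows the digest
    return hmac.compare_digest(hashlib.new(algo, password + salt).digest(), digest)

# Constructed placeholder shaped like crypt_r() output for the SHA-256 crypt method
# ($5$rounds=N$salt$hash); it is not a real hash and cannot be checked by {SHA256} code.
CRYPT_STYLE_VALUE = "{SHA256}$5$rounds=5000$constructedsalt$" + "x" * 43

if __name__ == "__main__":
    v = make_sha2(b"secret", "SSHA256")
    print(v, verify_sha2(v, b"secret"), verify_sha2(v, b"wrong"))
    print(verify_sha2(CRYPT_STYLE_VALUE, b"secret"))  # False: scheme/format mismatch
```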