[PATCH] store extra password hashes in supplemental credentials

Gary Lockyer gary at catalyst.net.nz
Wed Apr 12 01:39:35 UTC 2017


Patches reworked to use {Crypt}

On 12/04/17 11:33, Stefan Metzmacher wrote:
> Hi Gary and Andrew,
> 
>> Completed patch set to:
>> - Calculate SHA256 and SHA512 password hashes and store in
>>   supplementalCredentials Primary:userPassword
>> - add configuration options to control the generation of these
>>   hashes and the number of rounds used to calculate them.
>>   * 'password hash additional scheme'
>>   * 'password hash sha256 rounds'
>>   * 'password hash sha512 rounds'
>> - add new virtual attributes virtualWDigest01 to virtualWDigest29 to
>>   make the WDigest values available
>> - change virtualCryptSHA256 and virtualCryptSHA512 to:
>>   * return the stored values in Primary:userPassword if available
>>   * honor 'password hash sha256 rounds' and
>>     'password hash sha512 rounds' when calculating the hashes.
>>
>> Review appreciated
> 
> I still think we should use {CRYPT} if we're using the crypt_r() function
> to generate the value.
> 
> Looking at the openldap code I see
> {SHA256} and {SHA512} only in contrib/slapd-modules/passwd/sha2/,
> but not in the main code libraries/liblutil/passwd.c
> 
> Looking at the code I can't see how the value you calculate
> using crypt_r() can be verified with the {SHA256} and {SHA512} code.
> If we don't want to use {CRYPT} we should implement {SSHA256} and
> {SSHA512} (with salt)
> instead of {SHA256} and {SHA512} (without salt) and match the actual
> implementation.
> 
> I still think it's confusing to have "password hash sha256 rounds" and
> "password hash sha512 rounds" as separate options.
> 
> What about using the names virtualSSHA, virtualCryptSHA256,
> virtualCryptSHA512
> as names in:
> 
> 	typedef struct {
> 		/* scheme name, e.g. virtualCryptSHA256, stored as UTF-16 */
> 		[value(2*strlen_m(name))] uint16 name_len;
> 		[charset(UTF16)] uint8 name[name_len];
> 		/* the stored hash value belonging to that scheme */
> 		[value((value?value->length:0))] uint32 value_len;
> 		[relative,subcontext(0),subcontext_size(value_len),
> 			flag(NDR_REMAINING)] DATA_BLOB *value;
> 	} package_PrimaryVirtualPasswordValue;
> 
> 	typedef [public] struct {
> 		samr_Password current_nt_hash;
> 		uint16 num_values;
> 		package_PrimaryVirtualPasswordValue values[num_values];
> 	} package_PrimaryVirtualPasswordsBlob;
> 
> If you want you can also implement virtualSSHA256 and virtualSSHA512
> (in password_hash.c as well as in samba-tool user getpassword),
> but using SHA{256,512}_{Init,Update,Final}() directly.
> Very similar to virtualSSHA.
> 
> Sorry, but we really have to get this sane before it can be pushed.
> 
> metze
> 
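As an added illustration of metze's point about scheme tags (example code, not part of the patch set or of Samba): a small verifier for unsalted {SHA256} and salted {SSHA256} values in the layout of OpenLDAP's contrib sha2 module, which shows why a crypt_r()-style value cannot be checked by either and has to be tagged {CRYPT}. The 8-byte salt length and the sample values are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 8  # salt length of the OpenLDAP contrib sha2 module (assumption)

def make_sha256(password: str) -> str:
    """Unsalted {SHA256}: base64(sha256(password)); equal passwords give equal values."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return "{SHA256}" + base64.b64encode(digest).decode("ascii")

def make_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA256}: base64(sha256(password + salt) + salt), salt appended in clear."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")

def verify(stored: str, password: str) -> bool:
    """Check a candidate password against a {SCHEME}payload value.

    A {CRYPT} value is crypt(3)/crypt_r() output ("$5$rounds=...$salt$hash"
    for SHA256-crypt) with a different algorithm and layout, so it is rejected
    instead of being compared against the wrong digest.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme, payload = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme == "SHA256":
        expected = make_sha256(password)[len("{SHA256}"):]
        return hmac.compare_digest(expected, payload)
    if scheme == "SSHA256":
        raw = base64.b64decode(payload)
        digest, salt = raw[:32], raw[32:]
        candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if scheme == "CRYPT":
        raise ValueError("{CRYPT} values need crypt(3), not the SHA256/SSHA256 verifier")
    raise ValueError(f"unsupported scheme {scheme}")

def is_verifiable(stored: str, password: str) -> bool:
    """True if verify() can handle the stored scheme at all (result ignored)."""
    try:
        verify(stored, password)
        return True
    except ValueError:
        return False

# Constructed sample: a crypt_r()-style SHA256-crypt string mislabelled as {SHA256}.
MISLABELLED = "{SHA256}$5$rounds=5000$saltsalt$" + "x" * 43
```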
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-idl-drsblobs-add-the-blobs-required-for-Primary-user.patch
Type: text/x-patch
Size: 2520 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170412/29ca2fa1/0001-idl-drsblobs-add-the-blobs-required-for-Primary-user-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-docs-configuration-options-for-Primary-userPassword.patch
Type: text/x-patch
Size: 7269 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170412/29ca2fa1/0002-docs-configuration-options-for-Primary-userPassword-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-tests-password_hash-remove-unused-import.patch
Type: text/x-patch
Size: 800 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170412/29ca2fa1/0003-tests-password_hash-remove-unused-import-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-tests-password_hash-fix-white-space.patch
Type: text/x-patch
Size: 1460 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170412/29ca2fa1/0004-tests-password_hash-fix-white-space-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-tests-password_hash-add-tests-for-Primary-userPasswo.patch
Type: text/x-patch
Size: 16565 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170412/29ca2fa1/0005-tests-password_hash-add-tests-for-Primary-userPasswo-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-password_hash-generate-and-store-Primary-userPasswor.patch
Type: text/x-patch
Size: 10852 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170412/29ca2fa1/0006-password_hash-generate-and-store-Primary-userPasswor-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-samba-tool-tests-Tests-for-virtualWDigest-and-virtua.patch
Type: text/x-patch
Size: 22134 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170412/29ca2fa1/0007-samba-tool-tests-Tests-for-virtualWDigest-and-virtua-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-samba-tool-user-add-support-for-userPassword-and-WDi.patch
Type: text/x-patch
Size: 13683 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170412/29ca2fa1/0008-samba-tool-user-add-support-for-userPassword-and-WDi-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170412/29ca2fa1/signature-0001.sig>