[PATCH] store extra password hashes in supplemental credentials

Gary Lockyer gary at catalyst.net.nz
Sun May 7 23:54:45 UTC 2017



On 06/05/17 06:06, Andrew Bartlett wrote:
> On Wed, 2017-04-12 at 16:09 +1200, Andrew Bartlett via samba-technical
> wrote:
> 
>> Err..
>>
>> If you could suggest a syntax that you like, we can code it up. 
>> Options include:
>>
>> CryptSHA512:5500 CryptSHA256
>>
>> or probably better:
>>
>> CryptSHA512:rounds=5500 CryptSHA256
>>
>> I'm not sure how to fit those in to the attributes for the 'samba-
>> tool
>> user getpassword' case, but perhaps you have clearer ideas.
> 
> I've been chatting to metze and we agreed to the above, but with a new
> name:
> 
> password hash userPassword schemes = CryptSHA512:rounds=5500 CryptSHA256
Do I need to store multiple rounds for a scheme i.e. would
CryptSHA512:rounds=5500 CryptSHA512:rounds=10000 CryptSHA256
be valid?
> 
> For the getpassword, we agreed to 
> 
> --attributes="virtualCryptSHA256;rounds=5500,virtualCryptSHA512"
> 
> The documentation will explain that the rounds is only used if a
> plaintext password is present, and does not change the returned
> attribute name in the LDIF.
I'll use the following logic for determining the virtualCryptSHAxxx
values in getpassword.

1) IF rounds specified AND plaintext password
   THEN
       calculate hash from plaintext password and rounds
   END

2) IF rounds specified AND NO plaintext password
   THEN
       No value
   END

3) IF rounds NOT specified AND userPassword for scheme
   THEN
       Use the user password value
   END

4) IF rounds NOT specified AND NO userPassword for scheme AND
      plaintext password
   THEN
       Calculate hash from plaintext password
   END

5) IF rounds NOT specified AND NO userPassword for scheme AND
      NO plaintext password
   THEN
       No value
   END

> 
> We also agreed that the WDigest implementation patches need to be
> second, in a distinct patch, after the WDigest tests.
> 
> Then implement the ;rounds for getpassword. 
> 
> Then the IDL if not required earlier. 
> 
> Then the userPassword tests, then the C changes, then the userPassword
> samba-tool changes. 
> 
Should I submit these as separate patch sets, i.e.
  1) WDigest changes
  2) rounds support for the virtual crypt parameters
  3) then the userPassword changes
It will be easier to review that way.

> Thanks,
> 
> Andrew Bartlett
> 
> 
> 
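The five cases Gary lists for the virtualCryptSHAxxx values, written out as a small Python decision routine. This is an added illustration, not code from the thread or from Samba's samba-tool; it assumes stored userPassword hashes carry an LDAP-style `{CRYPT}` prefix with the glibc `$5$`/`$6$` scheme identifiers, and it uses Python's `crypt` module (deprecated since 3.11, removed in 3.13) only for the stand-alone demo, so the hasher is injectable and the function names are hypothetical.

```python
"""Decision logic for virtualCryptSHA256/virtualCryptSHA512 in getpassword.

Added example (not Samba code).  Assumptions, labelled here and in the
lead-in: userPassword values look like '{CRYPT}$6$rounds=5500$salt$hash',
and SHA-crypt ids are '$5$' (SHA256) and '$6$' (SHA512) as in glibc.
"""
import re
from typing import Callable, List, Optional, Tuple

try:
    import crypt  # stdlib through Python 3.12; absent on 3.13+
except ImportError:  # pragma: no cover
    crypt = None

# Virtual attribute name -> SHA-crypt identifier prefix (assumed mapping).
SCHEMES = {
    "virtualCryptSHA256": "$5$",
    "virtualCryptSHA512": "$6$",
}

# Matches 'virtualCryptSHA512' or 'virtualCryptSHA512;rounds=5500'.
ATTR_RE = re.compile(r"^(virtualCryptSHA(?:256|512))(?:;rounds=(\d+))?$")

Hasher = Callable[[str, str, Optional[int]], str]


def parse_attribute(attr: str) -> Tuple[str, Optional[int]]:
    """Split 'virtualCryptSHA256;rounds=5500' into (name, rounds or None).

    The ';rounds=' option only affects how a hash is computed; the attribute
    name returned to the caller stays the bare virtualCryptSHAxxx.
    """
    m = ATTR_RE.match(attr)
    if not m:
        raise ValueError(f"not a virtualCryptSHA attribute: {attr!r}")
    name, rounds = m.group(1), m.group(2)
    return name, (int(rounds) if rounds is not None else None)


def stored_hash_for_scheme(user_passwords: List[str], prefix: str) -> Optional[str]:
    """Return the first stored userPassword hash for the scheme, or None."""
    for value in user_passwords:
        if value.startswith("{CRYPT}"):
            hashed = value[len("{CRYPT}"):]
            if hashed.startswith(prefix):
                return hashed
    return None


def crypt_hasher(plaintext: str, prefix: str, rounds: Optional[int]) -> str:
    """Hash with crypt(3) via the stdlib crypt module (demo only)."""
    if crypt is None:
        raise RuntimeError("crypt module unavailable on this Python")
    method = crypt.METHOD_SHA256 if prefix == "$5$" else crypt.METHOD_SHA512
    salt = crypt.mksalt(method, rounds=rounds) if rounds else crypt.mksalt(method)
    return crypt.crypt(plaintext, salt)


def resolve_virtual_crypt(attr: str, plaintext: Optional[str],
                          user_passwords: List[str],
                          hasher: Hasher = crypt_hasher) -> Tuple[int, Optional[str]]:
    """Apply Gary's five cases; return (case number, value or None)."""
    name, rounds = parse_attribute(attr)
    prefix = SCHEMES[name]
    if rounds is not None:
        if plaintext is not None:
            return 1, hasher(plaintext, prefix, rounds)  # 1) rounds + plaintext
        return 2, None                                   # 2) rounds, no plaintext
    stored = stored_hash_for_scheme(user_passwords, prefix)
    if stored is not None:
        return 3, stored                                 # 3) stored userPassword
    if plaintext is not None:
        return 4, hasher(plaintext, prefix, None)        # 4) compute from plaintext
    return 5, None                                       # 5) nothing available


if __name__ == "__main__":
    # Constructed sample data, not a real account.
    stored = ["{CRYPT}$6$rounds=5500$saltsalt$constructedhash"]
    for attr in ("virtualCryptSHA512", "virtualCryptSHA256;rounds=5500",
                 "virtualCryptSHA256"):
        case, value = resolve_virtual_crypt(attr, "s3cret-demo", stored)
        print(f"{attr}: case {case}: {value}")
```

Case 3 deliberately ignores the rounds embedded in the stored hash: when no `;rounds=` is requested, whatever userPassword holds for that scheme is returned as-is, which is what the quoted agreement describes.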
