IETF Logo Mail Archive

Re: [ldapext] [ldap] Re: draft-stroeder-hashed-userpassword-values-01

Michael Ströder <michael@stroeder.com> Thu, 14 March 2013 18:30 UTC

Return-Path: <michael@stroeder.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2E9E11E81B8 for <ldapext@ietfa.amsl.com>; Thu, 14 Mar 2013 11:30:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level:
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hzvICZ0LvYtt for <ldapext@ietfa.amsl.com>; Thu, 14 Mar 2013 11:29:59 -0700 (PDT)
Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) by ietfa.amsl.com (Postfix) with ESMTP id 4AB1D11E818B for <ldapext@ietf.org>; Thu, 14 Mar 2013 11:29:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by srv1.stroeder.com (Postfix) with ESMTP id EA9BC60306; Thu, 14 Mar 2013 19:29:57 +0100 (CET)
X-Virus-Scanned: amavisd-new at stroeder.com
Received: from srv1.stroeder.com ([127.0.0.1]) by localhost (srv1.stroeder.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9tSHaYFh-wGf; Thu, 14 Mar 2013 19:29:51 +0100 (CET)
Received: from [10.1.0.2] (unknown [10.1.0.2]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by srv1.stroeder.com (Postfix) with ESMTPS id CE0456027F; Thu, 14 Mar 2013 18:29:49 +0000 (UTC)
Message-ID: <5142171C.6090807@stroeder.com>
Date: Thu, 14 Mar 2013 19:29:48 +0100
From: Michael Ströder <michael@stroeder.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 SeaMonkey/2.16
MIME-Version: 1.0
To: Howard Chu <hyc@highlandsun.com>, ldapext <ldapext@ietf.org>
References: <5103F924.2070800@stroeder.com> <CABBgLkcnK7WfthFOBD5Esfz+g1izcKoGgtxzKKDntc0i=E7LOQ@mail.gmail.com> <510782A6.7050209@stroeder.com> <3ED81CD8-59DA-482E-8AFA-C68E53A62067@isode.com> <51410020.4020800@stroeder.com> <20130314001901.GN18706@slab.skills-1st.co.uk> <5141F560.6040805@highlandsun.com>
In-Reply-To: <5141F560.6040805@highlandsun.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms050108010309080403020002"
Cc: "ldap@umich.edu" <ldap@umich.edu>
Subject: Re: [ldapext] [ldap] Re: draft-stroeder-hashed-userpassword-values-01
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 18:30:01 -0000

Howard Chu wrote:
> Andrew Findlay wrote:
>> On Wed, Mar 13, 2013 at 11:39:28PM +0100, Michael Ströder wrote:
>>
>>>> I see this document is marked as being intended to be published as
>>>> Informational, but it reads more like it's trying to be a standard.
>>>
>>> I tried to add some wording to avoid that misunderstanding in the next
>>> revision of this draft:
>>>
>>> http://www.ietf.org/internet-drafts/draft-stroeder-hashed-userpassword-values-01.txt
>>>
>>
>> Still -01 ?
>>
>> You are explicitly excluding details of '{crypt}'. I think this is a
>> mistake, especially in an informational document. {crypt} is
>> extremely useful in transition scenarios, so people need to know about
>> it.
> 
> Who benefits from this document? What interoperability problems does it solve?

Anybody who has to generate or compare such userPassword values.

> Hashed userPassword values are strictly a server-internal implementation
> detail, clients never need to know about them.

Not true.

1. E.g. think of bulk sync processes where it's quite usual that you convert
password hashes within the LDAP client - in some cases even salted.

2. Furthermore if a server does not support RFC 3062 and/or server-side
hashing but supports this hashed values when performing password checking you
also have to do client-side generation. This gets rare with recent server
releases of various vendors but it's not something to completely ignore.

3. In some cases it's more appropriate that a LDAP client writes several
attributes in a *single* LDAP write operation instead of using a add/modify
with a subsequent Password Modify ext. op. E.g. when subschema has 'MUST
userPassword' for an object class used.

> The syntax specification is defective in at least 2 ways:
>   1) it only allows a form "hashandsalt" which actually precludes any unsalted
> hash mechanisms.

Not true. The unsalted variant has simply a zero-length salt. For -02 I've
added some text to clarify this.

>   2) it only allows "b64-hashandsalt" which precludes any mechanisms that
> don't use base64 format for their values. E.g. Unix crypt and Windows LANMAN
> hash formats use their own binary-to-printable encoding, not base64.

Well, at first I simply wanted to ignore this completely.
But after Andrews request I've already changed it for upcoming -02 like this:

    userpasswordvalue  = cleartext-password / prefix hashed-password

    prefix       = "{" scheme "}"
    scheme = %x30-39 / %x41-5A / %x61-7a / %x2D-2F / %x5F
         ;0-9, A-Z, a-z, "-", ".", "/", or "_"

    hashed-password = b64-hashandsalt / crypt3-result

    b64-hashandsalt = <base64 of hashandsalt>

    hashandsalt = password-hash salt

    password-hash = <digest of cleartext-password salt>

    cleartext-password = %x00-FF

    salt = %x00-FF

    crypt3-result = <generated by Unix function crypt(3)>

Please review this. Comments about clarity welcome.

Ciao, Michael.

v2.23.0 | Report a Bug | By Email