[Fedora-directory-users] Exporting MD5 Hash from FD-DS into /etc/shadow
Frantisek Hanzlik
franta at hanzlici.cz
Thu Jan 1 10:50:52 UTC 2009
Howard Chu wrote:
>> fedora-directory-users-request redhat com wrote:
>> dennis demarco com wrote:
>>> I would like to export the MD5 hash from the Fedora directory user's password
>>> attribute into /etc/shadow of a Linux machine not in LDAP (Redhat).
>>> It appears this isn't working, is there a way for me to do this?
>>> Not all machines are using ldap but I would like to export from ldap.
>>>
>> Hi,
>> I haven't tried this, but here's an idea just off the top of my head which _might_ work:
>>
>> 1. take away the {MD5} from the string
>> 2. base64 decode the rest of the string
>> 3. convert the string to hex
>> 4. put the $1$ at the front of the hex string
>> 5. put the whole string into the password field in /etc/shadow and test
>>
>> If that works, you could write a perl script to automate the procedure. And report back to the list as well :-)
>>
> No, the password field is not in hex, it uses the same 6-bit encoding
> that DES crypt() uses, which is different from base64.
> base64 uses the characters [A-Z][a-z][0-9]+/ while crypt uses
> the characters ./[0-9][A-Z][a-z] (in those exact orders).
>
> --
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> OpenLDAP Core Team http://www.openldap.org/project/
--
Hello,
I found this 2-year-old thread. I have the same task: converting LDAP values
to passwd/shadow, and solving the password conversion. But I'm still out of luck.
My idea is to use something like MD5 crypt() with an empty salt. This
probably works, because when I create a password in this manner:
openssl passwd -1 -salt "" "heslo"
$1$$1dziKo9JPNdLlVrGfqIBG.
the result works: with it in shadow I can authenticate and everything works
OK. The salt is empty: the "$1$" signature is immediately followed by the salt/hash
delimiter "$", and then, as usual, a 22-character hash.
But the result of an MD5 password created e.g. with the command:
slappasswd -h {MD5} -s "heslo"
{MD5}lV2wuB7xmJtKTf6ugGGppg==
(I have values encoded in this manner in the LDAP DB. It isn't a problem to convert
among different formats, e.g.:
echo -n "heslo"|md5sum
955db0b81ef1989b4a4dfeae8061a9a6
echo -n "heslo"|openssl dgst -md5 -hex
955db0b81ef1989b4a4dfeae8061a9a6
echo '<?php $A=base64_encode(pack("H*",md5("heslo"))); echo $A;?>' | php
lV2wuB7xmJtKTf6ugGGppg==
And it is simple to obtain the full 128-bit hex MD5 hash by reversing the LDAP values:
echo '<?php $A=unpack("H*",base64_decode("lV2wuB7xmJtKTf6ugGGppg==")); echo $A[1];?>'|php
955db0b81ef1989b4a4dfeae8061a9a6
)
Generally, I have to convert a 22-character base-64 value to a 22-character
value as generated by MD5 crypt():
lV2wuB7xmJtKTf6ugGGppg # LDAP base-64 value
1dziKo9JPNdLlVrGfqIBG. # MD5 crypt() value
Both use 6-bit encoding, the first with the charset "[A-Z][a-z][0-9]+/", the second
with the characters "./[0-9][A-Z][a-z]". But a simple conversion such as this:
CRYPT_HASH=`echo "$BASE64_HASH"|tr 'A-Za-z0-9+/' './0-9A-Za-z'`
does not work.
Is this problem solvable at all?
Has anyone in this thread had success solving this problem?
Is the idea of an empty salt realistic, and is the problem only in the conversion between
the 6-bit DES crypt() encoding and the base-64 encoding?
Does anyone have any knowledge about this?
Thanks in advance,
Franta Hanzlik
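
Added example, not part of the original message or of any project named in it: a pure-Python implementation of the $1$ MD5 crypt() scheme beside the {MD5} decoding and the tr alphabet remapping from the post. It shows that the $1$ string is the result of 1000 further MD5 rounds that mix in the password itself, so it cannot be produced from the stored digest by re-encoding. Function names are this example's own; the hash strings are the values quoted in the message.

```python
import base64
import hashlib

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def ldap_md5_digest(value: str) -> bytes:
    """Strip the {MD5} scheme tag and base64-decode to the raw 16-byte digest."""
    return base64.b64decode(value[len("{MD5}"):])

def md5crypt(password: bytes, salt: bytes = b"") -> str:
    """$1$ MD5 crypt(); needs the plaintext password, not its MD5 digest."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    n = len(password)
    while n > 0:                      # one byte of alt per password byte
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(password)
    while n:                          # one update per bit of the length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # stretching rounds, password re-mixed each time
        h = hashlib.md5(password if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(password)
        h.update(final if i & 1 else password)
        final = h.digest()
    out = ""                          # permuted bytes, low 6 bits emitted first
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return "$1$" + salt.decode() + "$" + out

def tr_remap(b64_hash: str) -> str:
    """The positional alphabet swap attempted with tr in the post."""
    return b64_hash.rstrip("=").translate(str.maketrans(B64, ITOA64))

if __name__ == "__main__":
    ldap_value = "{MD5}lV2wuB7xmJtKTf6ugGGppg=="    # value quoted in the post
    print(ldap_md5_digest(ldap_value).hex())        # plain MD5("heslo")
    print(md5crypt(b"heslo"))                       # real $1$ hash, empty salt
    print("$1$$" + tr_remap(ldap_value[5:]))        # remapped digest: not a match
```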