1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
=============================================================
:samp:`passlib.hash.ldap_{digest}` - RFC2307 Standard Digests
=============================================================
.. currentmodule:: passlib.hash
Passlib provides support for all the standard
LDAP hash formats specified by :rfc:`2307`.
This includes ``{MD5}``, ``{SMD5}``, ``{SHA}``, ``{SSHA}``.
These schemes range from somewhat to very insecure,
and should not be used except when required.
.. note::
RFC 2307 also specifies a ``{CRYPT}`` scheme,
which is supposed to wrap the host OS's :func:`!crypt()`.
Being host-dependant, this scheme is somewhat different,
and is details in :doc:`passlib.hash.ldap_crypt`.
.. seealso::
* :doc:`passlib.hash.ldap_crypt`
* :mod:`!passlib.apps` for a :ref:`list of premade ldap contexts <ldap-contexts>`.
Usage
=====
These classes all wrap the underlying hashlib implementations,
and are mainly useful only for plugging them into a :class:`~passlib.context.CryptContext`.
However, they can be used directly as follows::
>>> from passlib.hash import ldap_salted_md5 as lsm
>>> #encrypt password
>>> h = lsm.encrypt("password")
>>> h
'{SMD5}OqsUXNHIhHbznxrqHoIM+ZT8DmE='
>>> lms.identify(h) #check if hash is recognized
True
>>> lms.identify('JQMuyS6H.AGMo') #check if some other hash is recognized
False
>>> lms.verify("password", h) #verify correct password
True
>>> lms.verify("secret", h) #verify incorrect password
False
Plain Hashes
============
.. warning::
These hashes should be considered secure in any manner,
as they are nothing but raw MD5 & SHA-1 digests,
which are extremely vulnerable to brute-force attacks.
.. autoclass:: ldap_md5()
.. autoclass:: ldap_sha1()
Format
------
These hashes have the format :samp:`{prefix}{checksum}`.
* :samp:`{prefix}` is `{MD5}` for ldap_md5, and `{SHA}` for ldap_sha1.
* :samp:`{checksum}` is the base64 encoding
of the raw message digest of the password,
using the appropriate digest algorithm.
An example ldap_md5 hash (of ``password``) is ``{MD5}X03MO1qnZdYdgyfeuILPmQ==``.
An example ldap_sha1 hash (of ``password``) is ``{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=``.
Salted Hashes
=============
.. autoclass:: ldap_salted_md5()
.. autoclass:: ldap_salted_sha1()
These hashes have the format :samp:`{prefix}{data}`.
* :samp:`{prefix}` is `{SMD5}` for ldap_salted_md5,
and `{SSHA}` for ldap_salted_sha1.
* :samp:`{data}` is the base64 encoding of :samp:`{checksum}{salt}`;
and in turn :samp:`{salt}` is a 4 byte binary salt,
and :samp:`{checksum}` is the raw digest of the
the string :samp:`{password}{salt}`,
using the appropriate digest algorithm.
Format
------
An example hash (of ``password``) is ``{SMD5}jNoSMNY0cybfuBWiaGlFw3Mfi/U=``.
After decoding, this results in a raw salt string ``s\x1f\x8b\xf5``,
and a raw MD5 checksum of ``\x8c\xda\x120\xd64s&\xdf\xb8\x15\xa2hiE\xc3``.
An example hash (of ``password``) is ``{SSHA}pKqkNr1tq3wtQqk+UcPyA3HnA2NsU5NJ``.
After decoding, this results in a raw salt string ``lS\x93I``,
and a raw SHA1 checksum of ``\xa4\xaa\xa46\xbdm\xab|-B\xa9>Q\xc3\xf2\x03q\xe7\x03c``.
Security Issues
---------------
The LDAP salted hashes should not be considered very secure.
* They use only a single round of digests with known collision
and pre-image attacks (SHA1 & MD5).
* They currently use only 32 bits of entropy in their salt,
which is only borderline sufficient to defeat rainbow tables,
and cannot (portably) be increased.
Plaintext
=========
.. autoclass:: ldap_plaintext()
This handler does not hash passwords at all,
rather it encoded them into UTF-8.
The only difference between this class and :class:`passlib.hash.plaintext`
is that this class will NOT recognize any strings using
the ``{SCHEME}HASH`` format.
.. rubric:: Footnotes
.. [#pwd] The manpage for :command:`slappasswd` - `<http://gd.tuwien.ac.at/linuxcommand.org/man_pages/slappasswd8.html>`_.
.. [#rfc] The basic format for these hashes is laid out in RFC 2307 - `<http://www.ietf.org/rfc/rfc2307.txt>`_
|
