From ff993c7ddbda3e42b077638c091e1e7b5eff064a Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Wed, 13 Jun 2001 05:40:24 +0000
Subject: [PATCH] Misc updates to password codes / docs
---
 doc/man/man5/slapd.conf.5 | 14 ++++++++++++++
 doc/man/man8/slappasswd.8 | 22 +++++++++++++++++++---
 libraries/liblutil/passwd.c | 12 +++---------
 servers/slapd/tools/slappasswd.c | 17 +++++++++++------
 4 files changed, 47 insertions(+), 18 deletions(-)
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index bef621936b..6e55a7fd92 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -240,6 +240,20 @@ and
 The default is
 .BR {SSHA} .
 .TP
+.B password-crypt-salt-format
+Specify the format of the salt passed to
+.BR crypt (3)
+when generating {CRYPT} passwords.
+This string needs to be in
+.BR sprintf (3)
+format and may include one (and only one) %s conversion.
+This conversion will be substituted with a string random
+characters from [A\-Za\-z0\-9./]. For example, "%.2s"
+provides a two character salt and "$1$%.8s" tells some
+versions of crypt(3) to use an MD5 algorithm and provides
+8 random characters of salt. The default is "%s", which
+provides 31 characters of salt.
+.TP
 .B pidfile
 The ( absolute ) name of a file that will hold the
 .B slapd
diff --git a/doc/man/man8/slappasswd.8 b/doc/man/man8/slappasswd.8
index 77ffd39490..8321419b42 100644
--- a/doc/man/man8/slappasswd.8
+++ b/doc/man/man8/slappasswd.8
@@ -10,6 +10,7 @@ slappasswd \- OpenLDAP password utility
 .B [\-u]
 .B [\-s secret]
 .B [\-h hash]
+.B [\-c salt-format]
 .B
 .LP
 .SH DESCRIPTION
@@ -21,13 +22,14 @@ suitable for use with
 or
 .BR slapd.conf (5)
 .I rootpw
-coniguration directive.
+configuration directive.
 .SH OPTIONS
 .TP
 .B \-v
 enable verbose mode.
+.TP
 .B \-u
-generate RFC2307 userPassword values (the default). Future
+Generate RFC2307 userPassword values (the default). Future
 versions of this program may generate alternative syntaxes
 by default. This option is provided for forward compatibility.
 .TP
@@ -35,6 +37,7 @@ by default. This option is provided for forward compatibility.
 The secret to hash. If not provided, the user will be prompted for the secret to hash.
 .TP
+.BI \-h " scheme"
 If -h is specified, one of the following RFC2307 schemes may
 be specified:
 .IR {CRYPT} ,
@@ -44,7 +47,20 @@ be specified:
 .IR {SHA} .
 The default is
 .IR {SSHA} .
-.LP
+.TP
+.BI \-c " crypt-salt-format"
+Specify the format of the salt passed to
+.BR crypt (3)
+when generating {CRYPT} passwords.
+This string needs to be in
+.BR sprintf (3)
+format and may include one (and only one) %s conversion.
+This conversion will be substituted with a string random
+characters from [A\-Za\-z0\-9./]. For example, "%.2s"
+provides a two character salt and "$1$%.8s" tells some
+versions of crypt(3) to use an MD5 algorithm and provides
+8 random characters of salt. The default is "%s", which
+provides 31 characters of salt.
 .SH LIMITATIONS
 The practice storing hashed passwords in userPassword violates Standard Track (RFC2256) schema specifications and may hinder
diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c
index 5a04acfdcc..f3ad3bce0f 100644
--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@@ -1239,15 +1239,9 @@ static struct berval *hash_crypt(
 int lutil_salt_format(const char *format)
 {
 #ifdef SLAPD_CRYPT
- if (format) {
- if (salt_format)
- free(salt_format);
- salt_format = strdup(format);
- } else { // unset if they pass in NULL
- if (salt_format)
- free(salt_format);
- salt_format = NULL;
- }
+ free(salt_format);
+
+ salt_format = format != NULL ? strdup(format) : NULL;
 #endif
 return 0;
diff --git a/servers/slapd/tools/slappasswd.c b/servers/slapd/tools/slappasswd.c
index 686132ef84..98d859a32e 100644
--- a/servers/slapd/tools/slappasswd.c
+++ b/servers/slapd/tools/slappasswd.c
@@ -31,6 +31,7 @@ usage(const char *s)
 "Usage: %s [options]\n"
 " -h hash\tpassword scheme\n"
 " -s secret\tnew password\n"
+ " -c format\tcrypt(3) salt format\n"
 " -u\t\tgenerate RFC2307 values (default)\n"
 " -v\t\tincrease verbosity\n"
 , s );
@@ -51,24 +52,28 @@ main( int argc, char *argv[] )
 struct berval *hash = NULL;
 while( (i = getopt( argc, argv,
- "d:h:s:vu" )) != EOF )
+ "c:d:h:s:vu" )) != EOF )
 {
 switch (i) {
+ case 'c': /* crypt salt format */
+ scheme = "{CRYPT}";
+ lutil_salt_format( optarg );
+ break;
+
 case 'h': /* scheme */
- scheme = strdup (optarg);
+ scheme = strdup( optarg );
 break;
 case 's': /* new password (secret) */
- newpw = strdup (optarg);
-
 {
 char* p;
+ newpw = strdup( optarg );
 for( p = optarg; *p != '\0'; p++ ) {
 *p = '\0';
 }
+
+ } break;
 case 'u': /* RFC2307 userPassword */
 break;
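Review bot: The new body stores any string at all in `salt_format`, while the man-page text added in this same commit promises the value "may include one (and only one) %s conversion"; nothing in lutil_salt_format enforces that, so a format such as `"%d%s"` or `"%s%s"` reaches whatever sprintf-style call hash_crypt later makes with it (not visible in this hunk) with too few arguments, which is undefined behaviour, and a format with no `%s` at all produces a constant, unsalted value. The `strdup` result is also stored unchecked, so on allocation failure the caller silently ends up with `salt_format == NULL` — presumably the documented default "%s" — instead of the configured "$1$%.8s", and `return 0` reports success in both cases. I would validate the format before copying it and return non-zero on a bad format or a failed copy, as below; lutil_salt_format's closing brace is outside the hunk, and the build without SLAPD_CRYPT still ignores `format` and returns 0, which callers may want to know about as well.
```c
/* Accept only a format that sprintf(3) can safely consume with one string
 * argument: exactly one %s (an optional precision such as "%.8s" is fine),
 * %% for a literal percent sign, and no other conversions. */
static int salt_format_ok(const char *fmt)
{
	int seen = 0;

	for (; *fmt != '\0'; fmt++) {
		if (*fmt != '%') continue;
		fmt++;
		if (*fmt == '%') continue;		/* "%%" */
		if (*fmt == '.') {
			for (fmt++; *fmt >= '0' && *fmt <= '9'; fmt++)
				;
		}
		if (*fmt != 's' || seen++) return 0;
	}
	return seen == 1;
}

int lutil_salt_format(const char *format)
{
#ifdef SLAPD_CRYPT
	free(salt_format);
	salt_format = NULL;		/* never leave a dangling pointer behind */

	if (format != NULL) {
		if (!salt_format_ok(format)) return -1;
		salt_format = strdup(format);
		if (salt_format == NULL) return -1;
	}
#endif
	return 0;
```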
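Review bot: The `scheme = "{CRYPT}";` assignment in the new `case 'c'` makes the chosen scheme depend on option order: `-h {SSHA} -c '%.2s'` silently throws away the scheme the user asked for, while `-c '%.2s' -h {SSHA}` keeps {SSHA} and leaves the salt format unused without any warning. The return value of `lutil_salt_format( optarg )` is dropped as well, so a format the library rejects or fails to copy is never reported, and a build without SLAPD_CRYPT accepts the option although the library does nothing with it. I would only record the option inside the loop, `case 'c': salt_fmt = optarg; break;`, and resolve it once getopt is done: call `lutil_salt_format( salt_fmt )` and fail on a non-zero result, default `scheme` to {CRYPT} when `-h` was not given, and exit with an error when `-h` named any other scheme. main's declarations and the code after the loop, including where `scheme` receives its default, are outside this hunk.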