ITS Contrib/899
Notes: LMHASH portion committed.
Date: Mon, 20 Nov 2000 19:04:56 GMT
From: klasen@zdv.uni-tuebingen.de
To: openldap-its@OpenLDAP.org
Subject: lanmanager hash algorithm

Full_Name: Norbert Klasen
Version: head-20001120
OS: Linux
URL: ftp://ftp.openldap.org/incoming/norbert.klasen-20001120.patch
Submission from: (NULL) (134.2.3.103)

I've added the lanmanager hash algorithm as used by Windows to libraries/liblutil/passwd.c. This is to facilitate transition from a Windows NT Domain (or W2k AD) to OpenLDAP. With the pwdump tool (http://www.webspan.net/~tas/pwdump2/) one can dump the needed password hashes from the NT SAM. I've also written a small Perl script to convert the output of pwdump to an LDIF file, which can be loaded into the server:
ftp://ftp.openldap.org/norbert.klasen-20001120.migrate_pwdump.pl
This script could go into contrib or alternatively I can put it on our webserver.

--
Norbert Klasen
DFN Directory Services             tel:   +49 7071 29 70335
ZDV, Universität Tübingen          fax:   +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen     http://www.directory.dfn.de/
Germany                            norbert.klasen@zdv.uni-tuebingen.de
Date: Tue, 21 Nov 2000 13:05:51 -0800
To: klasen@zdv.uni-tuebingen.de
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: lanmanager hash algorithm (ITS#899)
Cc: openldap-its@OpenLDAP.org

The patch includes code based upon Samba 2.0.7. Samba license is such that we cannot accept code derived from Samba. I suggest you look for a public domain or non-restrictive implementation of the borrowed code. You could likely write such code from scratch.

Kurt

At 07:04 PM 11/20/00 +0000, klasen@zdv.uni-tuebingen.de wrote:
>Full_Name: Norbert Klasen
>Version: head-20001120
>OS: Linux
>URL: ftp://ftp.openldap.org/incoming/norbert.klasen-20001120.patch
>Submission from: (NULL) (134.2.3.103)
>
>
>I've added the lanmanager hash algorithm as used by Windows to
>libraries/liblutil/passwd.c
>This is to facilitate transition from a Windows NT Domain (or W2k AD) to
>OpenLDAP.
>With the pwdump tool (http://www.webspan.net/~tas/pwdump2/) one can dump the
>needed password hashes from the NT SAM. I've also written a small Perl script to
>
>convert the output of pwdump to an LDIF file, which can be loaded into the
>server:
>ftp://ftp.openldap.org/norbert.klasen-20001120.migrate_pwdump.pl
>This script could go into contrib or alternatively I can put it on our
>webserver.
>
>--
>Norbert Klasen
>DFN Directory Services             tel:   +49 7071 29 70335
>ZDV, Universität Tübingen          fax:   +49 7071 29 5912
>Wächterstr. 76, 72074 Tübingen     http://www.directory.dfn.de/
>Germany                            norbert.klasen@zdv.uni-tuebingen.de
Date: Tue, 21 Nov 2000 22:47:28 -0500
From: Ben Collins <bcollins@debian.org>
To: Kurt@OpenLDAP.org
Cc: openldap-its@OpenLDAP.org
Subject: Re: lanmanager hash algorithm (ITS#899)

On Tue, Nov 21, 2000 at 09:06:01PM +0000, Kurt@openldap.org wrote:
> The patch includes code based upon Samba 2.0.7. Samba license
> is such that we cannot accept code derived from Samba. I
> suggest you look for a public domain or non-restrictive
> implementation of the borrowed code. You could likely write
> such code from scratch.

...or get the original author to allow it to be licensed under the OpenLDAP License.

--
-----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux  \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
Date: Tue, 21 Nov 2000 20:54:10 -0800
To: bcollins@debian.org
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: lanmanager hash algorithm (ITS#899)
Cc: openldap-its@OpenLDAP.org

At 03:55 AM 11/22/00 +0000, bcollins@debian.org wrote:
>On Tue, Nov 21, 2000 at 09:06:01PM +0000, Kurt@openldap.org wrote:
>> The patch includes code based upon Samba 2.0.7. Samba license
>> is such that we cannot accept code derived from Samba. I
>> suggest you look for a public domain or non-restrictive
>> implementation of the borrowed code. You could likely write
>> such code from scratch.
>
>...or get the original author to allow it to be licensed under the
>OpenLDAP License.

To clarify this option, if the original author provides a copy under a less restrictive license, this copy would be acceptable.

Given that it is only a simple routine which implements (what I assume is) a publicly documented algorithm, implementation from scratch might actually be easier than attempting to sort out who the original author of the samba code actually is.

Kurt
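The "publicly documented algorithm" Kurt refers to is the LAN Manager password hash of RFC 2433 appendix A (the pseudocode Norbert later pastes into his patch comment). The following is an added example, not code from this thread or from OpenLDAP's passwd.c: a from-scratch port of those steps in Go, chosen over C so that it runs on the standard library's crypto/des without OpenSSL; the function names and the ASCII-only password assumption are mine.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// Fixed plaintext from RFC 2433 A.3, DES-encrypted under each password half.
var lmMagic = []byte("KGS!@#$%")

// strToKey expands a 7-byte (56-bit) half into the 8-byte DES key layout:
// seven key bits per byte, left-shifted, low bit set for odd parity (A.4 note).
func strToKey(half []byte) [8]byte {
	var v uint64
	for _, b := range half[:7] {
		v = v<<8 | uint64(b) // 56-bit big-endian view of the half
	}
	var k [8]byte
	for i := 7; i >= 0; i-- {
		k[i] = byte(v&0x7F) << 1 // next 7 bits, taken from the low end up
		v >>= 7
		if bits.OnesCount8(k[i])%2 == 0 {
			k[i] |= 1 // parity bit: ignored by DES, but set as the RFC says
		}
	}
	return k
}

// desHash is RFC 2433 A.3: DES-ECB encrypt lmMagic with the half as the key.
func desHash(half []byte) []byte {
	key := strToKey(half)
	block, _ := des.NewCipher(key[:]) // an 8-byte key never errors
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash is RFC 2433 A.2: uppercase, zero-pad or truncate to 14 bytes, hash the
// two 7-byte halves independently, return 32 uppercase hex digits. ASCII only.
func LMHash(password string) string {
	var padded [14]byte // copy() zero-pads short input and drops bytes past 14
	copy(padded[:], strings.ToUpper(password))
	digest := append(desHash(padded[:7]), desHash(padded[7:])...)
	return strings.ToUpper(hex.EncodeToString(digest))
}

func main() { fmt.Println(LMHash(""), LMHash("password")) }
```

The two halves are computed and checkable separately and the input is case-folded and unsalted, which is why a migrated {LANMAN} value should be protected as carefully as the plaintext it stands for.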
Date: Wed, 22 Nov 2000 16:46:58 +0100
From: Norbert Klasen <klasen@zdv.uni-tuebingen.de>
To: openldap-its@OpenLDAP.org
Subject: Re: lanmanager hash algorithm (ITS#899)

Hi Kurt,

> The patch includes code based upon Samba 2.0.7. Samba license
> is such that we cannot accept code derived from Samba. I
> suggest you look for a public domain or non-restrictive
> implementation of the borrowed code. You could likely write
> such code from scratch.

Ok, I found a reliable source (rfc2433) and wrote the str_to_key function myself. I also used hash_lanman in chk_lanman to avoid some redundancy. You might want to strip the included parts of rfc2422.

--
Norbert Klasen
DFN Directory Services             tel:   +49 7071 29 70335
ZDV, Universität Tübingen          fax:   +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen     http://www.directory.dfn.de/
Germany                            norbert.klasen@zdv.uni-tuebingen.de

Attachment lmhash2.patch:

--- ../OPENLDAP_HEAD/libraries/liblutil/passwd.c Wed Oct 18 11:53:53 2000 +++ libraries/liblutil/passwd.c Wed Nov 22 16:08:57 2000 @@ -22,6 +22,10 @@ #include <ac/stdlib.h> #include <ac/string.h> +#ifdef SLAPD_LMHASH +# include <openssl/des.h> +#endif /* SLAPD_LMHASH */ + #ifdef SLAPD_SPASSWD # include <sasl.h> #endif @@ -95,6 +99,13 @@ const struct berval *passwd, const struct berval *cred ); +#ifdef SLAPD_LMHASH +static int chk_lanman( + const struct pw_scheme *scheme, + const struct berval *passwd, + const struct berval *cred ); +#endif + #ifdef SLAPD_SPASSWD static int chk_sasl( const struct pw_scheme *scheme, @@ -141,6 +152,12 @@ const struct pw_scheme *scheme, const struct berval *passwd ); +#ifdef SLAPD_LMHASH +static struct berval *hash_lanman( + const struct pw_scheme *scheme, + const struct berval *passwd ); +#endif + #ifdef SLAPD_CRYPT static struct berval *hash_crypt( const struct pw_scheme *scheme,
@@ -156,6 +173,10 @@ { {sizeof("{SMD5}")-1, "{SMD5}"}, chk_smd5, hash_smd5 }, { {sizeof("{MD5}")-1, "{MD5}"}, chk_md5, hash_md5 }, +#ifdef SLAPD_LMHASH + { {sizeof("{LANMAN}")-1, "{LANMAN}"}, chk_lanman, hash_lanman }, +#endif /* SLAPD_LMHASH */ + #ifdef SLAPD_SPASSWD { {sizeof("{SASL}")-1, "{SASL}"}, chk_sasl, NULL }, #endif @@ -569,6 +590,19 @@ return rc ? 1 : 0; } +#ifdef SLAPD_LMHASH +static int chk_lanman( + const struct pw_scheme *scheme, + const struct berval *passwd, + const struct berval *cred ) +{ + struct berval *hash; + + hash = hash_lanman( scheme, cred ); + return memcmp( &hash->bv_val[scheme->name.bv_len], passwd->bv_val, 32); +} +#endif /* SLAPD_LMHASH */ + #ifdef SLAPD_SPASSWD #ifdef HAVE_CYRUS_SASL sasl_conn_t *lutil_passwd_sasl_conn = NULL; 
@@ -1010,6 +1044,126 @@ return pw_string64( scheme, &digest, NULL ); ; } + +#ifdef SLAPD_LMHASH +/* pseudocode from RFC2433 + * A.2 LmPasswordHash() + * + * LmPasswordHash( + * IN 0-to-14-oem-char Password, + * OUT 16-octet PasswordHash ) + * { + * Set UcasePassword to the uppercased Password + * Zero pad UcasePassword to 14 characters + * + * DesHash( 1st 7-octets of UcasePassword, + * giving 1st 8-octets of PasswordHash ) + * + * DesHash( 2nd 7-octets of UcasePassword, + * giving 2nd 8-octets of PasswordHash ) + * } + * + * + * A.3 DesHash() + * + * DesHash( + * IN 7-octet Clear, + * OUT 8-octet Cypher ) + * { + * * + * * Make Cypher an irreversibly encrypted form of Clear by + * * encrypting known text using Clear as the secret key. + * * The known text consists of the string + * * + * * KGS!@#$% + * * + * + * Set StdText to "KGS!@#$%" + * DesEncrypt( StdText, Clear, giving Cypher ) + * } + * + * + * A.4 DesEncrypt() + * + * DesEncrypt( + * IN 8-octet Clear, + * IN 7-octet Key, + * OUT 8-octet Cypher ) + * { + * * + * * Use the DES encryption algorithm [4] in ECB mode [9] + * * to encrypt Clear into Cypher such that Cypher can + * * only be decrypted back to Clear by providing Key. + * * Note that the DES algorithm takes as input a 64-bit + * * stream where the 8th, 16th, 24th, etc. bits are + * * parity bits ignored by the encrypting algorithm. + * * Unless you write your own DES to accept 56-bit input + * * without parity, you will need to insert the parity bits + * * yourself. + * * + * } + */ + +static struct berval *hash_lanman( + const struct pw_scheme *scheme, + const struct berval *passwd ) +{ + static void lmPasswd_to_key(const unsigned char *lmPasswd, des_cblock *key) + { + /* make room for parity bits */ +
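Review bot: in the first hunk (@@ -22,6 +22,10 @@), `# include <openssl/des.h>` is guarded only by SLAPD_LMHASH, so enabling the scheme hard-wires an OpenSSL dependency with no configure-time check. The SASL code in this same file pairs SLAPD_SPASSWD with HAVE_CYRUS_SASL (visible in the chk_sasl context); mirror that with a HAVE_OPENSSL guard, or have configure refuse SLAPD_LMHASH without OpenSSL, and document the new build option.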
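Review bot: in the chk_lanman hunk (@@ -569,6 +590,19 @@) the berval returned by `hash_lanman( scheme, cred )` is neither checked for NULL nor freed, and `memcmp( &hash->bv_val[scheme->name.bv_len], passwd->bv_val, 32)` reads 32 bytes of the stored value without first checking `passwd->bv_len`. Suggest returning failure when hash is NULL or passwd->bv_len != 32, comparing, then ber_bvfree( hash ), and normalising the result to `rc ? 1 : 0` as the surrounding chk_ functions do (see the `return rc ? 1 : 0;` context just above the hunk). Also confirm that the hex case hash_lanman emits matches what the migrate_pwdump script stores, since memcmp is case-sensitive.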
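Review bot: in the hash_lanman hunk (@@ -1010,6 +1044,126 @@) `static void lmPasswd_to_key(...)` is defined inside the body of hash_lanman; nested functions are a GCC extension, not ISO C, so move it to file scope as a static helper under the same #ifdef SLAPD_LMHASH so the file builds with the other compilers the project supports. The ~60-line verbatim excerpt of RFC 2433 appendix A in the comment should be reduced to a one-line citation, as the submitter himself suggests.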
Date: Wed, 22 Nov 2000 18:15:54 +0100
From: Norbert Klasen <klasen@zdv.uni-tuebingen.de>
To: openldap-its@OpenLDAP.org
Subject: Re: lanmanager hash algorithm (ITS#899)

Oops, ITS doesn't seem to take mime messages very well, so I also uploaded the patch:
ftp://ftp.openldap.org/incoming/norbert.klasen-20001122-lmhash.patch

--
Norbert Klasen
DFN Directory Services             tel:   +49 7071 29 70335
ZDV, Universität Tübingen          fax:   +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen     http://www.directory.dfn.de/
Germany                            norbert.klasen@zdv.uni-tuebingen.de
Date: Wed, 22 Nov 2000 11:25:01 -0800
To: klasen@zdv.uni-tuebingen.de
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: lanmanager hash algorithm (ITS#899)
Cc: openldap-its@OpenLDAP.org

Committed.

At 05:15 PM 11/22/00 +0000, klasen@zdv.uni-tuebingen.de wrote:
>Oops, ITS doesn't seem to take mime messages very well, so I also
>uploaded the patch:
>ftp://ftp.openldap.org/incoming/norbert.klasen-20001122-lmhash.patch
>
>--
>Norbert Klasen
>DFN Directory Services             tel:   +49 7071 29 70335
>ZDV, Universität Tübingen          fax:   +49 7071 29 5912
>Wächterstr. 76, 72074 Tübingen     http://www.directory.dfn.de/
>Germany                            norbert.klasen@zdv.uni-tuebingen.de
© Copyright 2001, OpenLDAP Foundation, info@OpenLDAP.org