Directory Server 6.1 and Unix Crypt…

Sun Java System Directory Server has supported for many years the ability to hash the userPassword attribute with the crypt(3C) algorithm.

But the crypt function has evolved from the basic standard Unix crypt algorithm (which truncates passwords to 8 characters) to support MD5, Blowfish and other stronger algorithms.

Until Directory Server 6.1, there was very limited support for those algorithms (it happened that a password hashed with MD5 – outside DS – could be used for authentication, but the server itself would never hash a password this way).

Starting with Directory Server 6.1, there is now a way to tune the CRYPT password storage plugin to specify which crypt algorithm to use, and on Solaris only, it is even possible to delegate the choice of algorithm to the OS via the /etc/security/policy.conf (and the CRYPT_DEFAULT directive).

The way to configure which algorithm the crypt library uses when hashing a userPassword for storage in Directory Server is to add an argument to the "CRYPT password storage" plugin configuration entry:

# dsconf set-plugin-prop CRYPT argument:<Pattern>

where <Pattern> is a choice of (but not limited to):

  • %.2s – default Unix crypt algorithm (and the default when no argument is defined)
  • $1$%.8s – BSD MD5
  • $2a$04$%.22s – Blowfish
  • $md5$%.8s$ – Sun MD5

If <Pattern> maps to an algorithm that is not supported by the OS (for example $2$, an old variant of Blowfish), then a warning message is logged and the hash is computed with the default Unix algorithm.

This guarantees that the password is always hashed, even if the configured salt does not match an existing algorithm.

On Solaris only, a special value of "auto" is allowed to specify that CRYPT will use the system's default mechanism, as configured in /etc/security/policy.conf.
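As an added illustration, not Directory Server's own code, here is how such a pattern turns into a concrete crypt(3) salt string: the %.Ns conversion is replaced by N random characters from the salt alphabet, everything around it ($id$ and any cost field) is kept, and a pattern whose algorithm identifier is not supported falls back to the default two-character Unix salt with a warning. The supported-identifier set, the function names and the sample stored values are assumptions made for the example.

```python
import re
import secrets
import warnings

# Characters allowed in a crypt(3) salt string.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Assumed set of algorithm identifiers the local crypt(3) understands
# ('' is traditional DES crypt); a real server asks the OS.
SUPPORTED_ALGORITHMS = {"", "1", "2a", "md5"}

# The plugin's default pattern: traditional Unix crypt, 2-character salt.
DEFAULT_PATTERN = "%.2s"

# <prefix up to the conversion><%.Ns><optional trailing text such as '$'>
_PATTERN_RE = re.compile(r"^(\$([^$]+)\$[^%]*)?%\.(\d+)s(.*)$")


def parse_pattern(pattern):
    """Split a CRYPT plugin pattern into (algorithm id, prefix, salt length, suffix)."""
    m = _PATTERN_RE.match(pattern)
    if m is None:
        raise ValueError(f"not a valid crypt salt pattern: {pattern!r}")
    return m.group(2) or "", m.group(1) or "", int(m.group(3)), m.group(4)


def make_salt(pattern, supported=SUPPORTED_ALGORITHMS, rng=secrets):
    """Expand a pattern into the salt string handed to crypt(3).

    An unsupported algorithm id is reported and replaced by the default
    Unix pattern, mirroring the plugin's documented fallback behaviour.
    """
    alg, prefix, length, suffix = parse_pattern(pattern)
    if alg not in supported:
        warnings.warn(f"crypt algorithm ${alg}$ not supported; using default Unix crypt")
        alg, prefix, length, suffix = parse_pattern(DEFAULT_PATTERN)
    random_part = "".join(rng.choice(SALT_ALPHABET) for _ in range(length))
    return prefix + random_part + suffix


def hash_algorithm(stored):
    """Return the '$id$' identifier of a stored {CRYPT} value, '' for DES crypt.

    Useful for auditing which entries still carry the truncating 8-character scheme.
    """
    if stored.startswith("{CRYPT}"):
        stored = stored[len("{CRYPT}"):]
    return stored.split("$")[1] if stored.startswith("$") else ""
```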

Notes:

  • Changing the plugin configuration requires a restart of Directory Server to be taken into account.
  • You should use this new capability carefully, especially in a heterogeneous and replicated environment where some algorithms might not be present or enabled.
  • Make sure that CRYPT is the password Storage mechanism defined in the Password Policy configuration (the default is SSHA).

Example:

> dsconf set-plugin-prop -p 1389 CRYPT 'argument=$md5$%.8s$'
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.

> dsadm restart /local/demo/ds

> dsconf get-plugin-prop -p 1389 CRYPT
Enter "cn=Directory Manager" password:
argument : $md5$%.8s$
depends-on-named :
depends-on-type :
desc : Unix crypt algorithm (CRYPT)
enabled : on
feature : crypt-password-storage-scheme
init-func : crypt_pwd_storage_scheme_init
lib-path : /opt/SUNWdsee/ds6/lib/pwdstorage-plugin.so
type : pwdstoragescheme
vendor : Sun Microsystems, Inc.
version : 6.2
>


2 thoughts on “Directory Server 6.1 and Unix Crypt…”

  1. Darren Moffat 18 September 2007 / 03:26

    Most excellent. I particularly like the "auto" value to delegate to the OS. What does the %.8s and the like after the $<alg>$ mean?

  2. Ludo 18 September 2007 / 07:20

    The second part of the pattern (after $alg$) represents the size of the salt (and must match the underlying algorithm implementation).
    The %.8s means a string of 8 characters, that will be completely randomized before being used.
    This allows future algorithms to be used without any change in Directory Server, and provides a configuration that is identical to the OpenLDAP configuration for the same feature.
    Ludo
