[RADIATOR] suggested hash algorithm for passwords in text files

Hartmaier Alexander alexander.hartmaier at t-systems.at
Mon Jan 13 10:26:29 CST 2014


On 2014-01-13 17:17, Heikki Vatiainen wrote:
> On 01/10/2014 03:15 PM, Hartmaier Alexander wrote:
>
>> As MD5 isn't recommended these days and we don't want to use some
>> vendor/product specific algorithm like the mysql or mssql ones I'm
>> looking for something like SHA256 or better.
>> Digest::SHA is a required module since version 4.10 but its sha256 and
>> sha512 methods seem to be unused currently.
> That is correct, there is no {...} format for SHA-256 or SHA-512.
> However, crypt(3) formats are available, and if you run Linux with
> recent enough libc (2.7 or later) you can do this to create user mikem
> with password fred:
>
> % mkpasswd --method=SHA-512 --salt=SaltForFred fred
> $6$SaltForFred$emRLnSZatjAN8vGAwg5hJJ2IVbiM.ai0DwNOStp0TPfc0I9IgZ6hc4F00DefzvacVz9ftd7WU0GY7yMrQ7FY00
>
> % echo 'mikem
> User-Password=$6$SaltForFred$emRLnSZatjAN8vGAwg5hJJ2IVbiM.ai0DwNOStp0TPfc0I9IgZ6hc4F00DefzvacVz9ftd7WU0GY7yMrQ7FY00' >> users-file
>
> mkpasswd command comes with the whois package on Debian and Ubuntu
> systems. The salt is specified for example only, the command can create
> its own salts and does so by default.
>
> mkpasswd creates a password hash in the format that is compatible with
> /etc/shadow. Radiator then uses crypt() to check if the hash matches the
> submitted password.
>
>> I've tried using Encrypted-Password = "{SHA}" but that's Netscape SHA and
>> seems to be incompatible with SHA1.
> You can use goodies/sha.pl and goodies/ssha.pl to generate SHA and SSHA
> (Salted SHA) hashes. These are SHA1 only and the format is: Base64
> encoded hash value followed by 0 or more bytes of salt where 0 bytes
> means no salt is used.
>
> The command line utilities produced hex output so that's why it's not
> possible to use e.g. sha1sum output directly here.
>
> Thanks,
> Heikki
>
Thanks for the info Heikki!
Are they included in the reference manual and I missed them? The section
that describes the different available password hashes would be a great
place to add them right next to the particular algorithm.

Are the crypt SHA-512 hashes portable to other OS Radiator runs on? I'd
prefer a hash that's checked using a portable Perl module like
Digest::SHA so I'm not depending on the OS.




More information about the radiator mailing list
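
The {SHA}/{SSHA} layout described in the quoted reply, and why `sha1sum` hex output cannot be pasted in directly, as an added Python example that is not part of the original thread or of Radiator's goodies scripts. It assumes the common LDAP-style construction, Base64(SHA1(password + salt) + salt); the function names are hypothetical and the passwords are constructed samples.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a raw SHA-1 digest


def make_sha(password: bytes, salt: bytes = b"") -> str:
    """Return '{SSHA}...' when a salt is given, '{SHA}...' otherwise."""
    digest = hashlib.sha1(password + salt).digest()
    tag = "{SSHA}" if salt else "{SHA}"
    # The salt bytes are appended to the raw digest before Base64 encoding.
    return tag + base64.b64encode(digest + salt).decode("ascii")


def from_sha1sum_hex(hex_digest: str) -> str:
    """Convert sha1sum-style hex output into the Base64 {SHA} form."""
    return "{SHA}" + base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def check_sha(password: bytes, stored: str) -> bool:
    """Verify a password against a {SHA} or {SSHA} value."""
    for tag in ("{SSHA}", "{SHA}"):
        if stored.startswith(tag):
            break
    else:
        return False  # no recognised tag
    try:
        raw = base64.b64decode(stored[len(tag):], validate=True)
    except ValueError:
        return False  # not valid Base64
    if len(raw) < SHA1_LEN:
        return False  # too short to hold a SHA-1 digest
    # First 20 bytes are the digest; anything after is the salt (may be empty).
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    # Recompute and compare in constant time.
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


if __name__ == "__main__":
    salted = make_sha(b"fred", os.urandom(8))  # constructed sample password
    print(salted, check_sha(b"fred", salted))
    # Hex from sha1sum must be decoded to bytes and re-encoded as Base64.
    print(from_sha1sum_hex(hashlib.sha1(b"fred").hexdigest()))
```

A hex digest placed after `{SHA}` still decodes as Base64, but to different bytes, so the check fails for every password.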