Difference between revisions of "Freeside:1.9:Documentation:Administration:svc acct: password encoding"
(→None/legacy) |
(→crypt) |
||
| Line 14: | Line 14: | ||
* Classic DES crypt: exactly 13 base-64 encoded characters, like from an old /etc/passwd or /etc/shadow file | * Classic DES crypt: exactly 13 base-64 encoded characters, like from an old /etc/passwd or /etc/shadow file | ||
| − | * MD5: | + | * MD5: <code>$1$</code> followed by 22 base-64 encoded characters, like from a more modern /etc/shadow file. |
| − | * Blowfish: | + | * Blowfish: <code>$2$</code> or <code>$2a$</code> followed by base-64 encoded characters, like from a /etc/shadow file on a blowfish-capable system. |
== ldap == | == ldap == | ||
Revision as of 02:32, 30 September 2009
Introduction
The svc_acct._password_encoding field specifies the encoding of the corresponding svc_acct._password field. Password encodings specify a format for storing a password along with information about its hash method (crypt/MD5/blowfish/etc.), if any. Password encodings do not represent a single, specific hash method each; instead, they tell you how the hash method and encrypted string are stored.
This functionality is new in 1.9.
Encodings
crypt
Typically used when importing hashed passwords from an /etc/shadow file or a system that uses the same encoding.
Common crypt encodings:
- Classic DES crypt: exactly 13 base-64 encoded characters, like from an old /etc/passwd or /etc/shadow file
- MD5:
$1$followed by 22 base-64 encoded characters, like from a more modern /etc/shadow file. - Blowfish:
$2$or$2a$followed by base-64 encoded characters, like from a /etc/shadow file on a blowfish-capable system.
ldap
Typically used when importing hashed passwords from an LDAP database or a system that uses the same encoding.
Common LDAP encodings.
- Plaintext: "{PLAIN}" followed by the plaintext password (also: "{CLEARTEXT}").
- Crypt: "{CRYPT}" followed by a crypt string as per above (but usually only classic DES crypt).
- MD5: "{MD5}" followed by the MD5 digest.
- SHA1: "{SHA}" followed by the SHA-1 digest.
plain
- Password is explicitly plaintext, with no encoding, and can be any length.
NULL/empty
If svc_acct._password_encoding is NULL or empty, legacy (1.7) encoding is assumed:
- "*" "!" and "!!" mean that no login is allowed.
- Anything else under 13 characters is a plaintext password
- Exactly 13 characters is DES crypted
- Starting with "$1$" is MD5
- Starting with "$2$" or "$2a$" is Blowfish (support incomplete; if self-service login is required, store Blowfish passwords with "crypt" encoding instead).
- Anything else unrecognized.
See also
- Freeside uses Authen::Passphrase for password handling, and many details in this documentation are lifted from there. See the Authen::Passphrase docuementation.
- RFC 2307
