Difference between revisions of "Freeside:1.9:Documentation:Administration:svc acct: password encoding"
From Freeside
(New page: = Introduction = The svc_acct._password_encoding field specifies the encoding of passwords in the svc_acct._password field. Password encodings specify a format for storing a password alo...) |
(→NULL/empty) |
||
| (8 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
= Introduction = | = Introduction = | ||
| − | The svc_acct._password_encoding field specifies the encoding of | + | The svc_acct._password_encoding field specifies the encoding of the corresponding svc_acct._password field. Password encodings specify a format for storing a password along with information about its hash method (crypt/MD5/blowfish/etc.), if any. Password encodings do not represent a single, specific hash method each; instead, they tell you how the hash method and encrypted string are stored. |
| + | |||
| + | This functionality is new in 1.9. | ||
= Encodings = | = Encodings = | ||
| Line 7: | Line 9: | ||
== crypt == | == crypt == | ||
| + | Typically used when importing hashed passwords from an /etc/shadow file or a system that uses the same encoding. | ||
| + | |||
| + | Common crypt encodings: | ||
| + | * Classic DES crypt: exactly 13 base-64 encoded characters, like from an old /etc/passwd or /etc/shadow file | ||
| + | * MD5: <code>$1$</code> followed by 22 base-64 encoded characters, like from a more modern /etc/shadow file. | ||
| + | * Blowfish: <code>$2$</code> or <code>$2a$</code> followed by base-64 encoded characters, like from a /etc/shadow file on a blowfish-capable system. | ||
== ldap == | == ldap == | ||
| − | * | + | Typically used when importing hashed passwords from an LDAP database or a system that uses the same encoding. |
| + | |||
| + | Common LDAP encodings. | ||
| + | |||
| + | * Plaintext: <code>{PLAIN}</code> followed by the plaintext password (also: <code>{CLEARTEXT}</code>). | ||
| + | * Crypt: <code>{CRYPT}</code> followed by a crypt string as per above (but usually only classic DES crypt). | ||
| + | * MD5: <code>{MD5}</code> followed by the MD5 digest. | ||
| + | * SHA1: <code>{SHA}</code> followed by the SHA-1 digest. | ||
| + | |||
| + | == plain == | ||
| + | |||
| + | * Password is explicitly plaintext, with no encoding, and can be any length. | ||
| + | |||
| + | == NULL/empty == | ||
| + | |||
| + | If svc_acct._password_encoding is NULL or empty, legacy (1.7) encoding is assumed: | ||
| − | + | * <code>*</code>, <code>!</code> or <code>!!</code> means that no login is allowed. | |
| + | * Anything else under 13 characters is a plaintext password | ||
| + | * Exactly 13 characters is DES crypted | ||
| + | * Starting with <code>$1$</code> is MD5 | ||
| + | * Starting with <code>$2$</code> or <code>$2a$</code> is Blowfish (support incomplete; if self-service login is required, store Blowfish passwords with "crypt" encoding instead). | ||
| + | * Anything else unrecognized. | ||
| − | = | + | = See also = |
| − | Freeside uses Authen::Passphrase for password handling, and many details in this documentation are | + | * Freeside uses Authen::Passphrase for password handling, and many details in this documentation are lifted from there. See the [http://search.cpan.org/dist/Authen-Passphrase/lib/Authen/Passphrase.pm Authen::Passphrase docuementation]. |
| + | * [http://www.ietf.org/rfc/rfc2307.txt RFC 2307] | ||
Latest revision as of 02:34, 30 September 2009
Introduction
The svc_acct._password_encoding field specifies the encoding of the corresponding svc_acct._password field. Password encodings specify a format for storing a password along with information about its hash method (crypt/MD5/blowfish/etc.), if any. Password encodings do not represent a single, specific hash method each; instead, they tell you how the hash method and encrypted string are stored.
This functionality is new in 1.9.
Encodings
crypt
Typically used when importing hashed passwords from an /etc/shadow file or a system that uses the same encoding.
Common crypt encodings:
- Classic DES crypt: exactly 13 base-64 encoded characters, like from an old /etc/passwd or /etc/shadow file
- MD5:
$1$followed by 22 base-64 encoded characters, like from a more modern /etc/shadow file. - Blowfish:
$2$or$2a$followed by base-64 encoded characters, like from a /etc/shadow file on a blowfish-capable system.
ldap
Typically used when importing hashed passwords from an LDAP database or a system that uses the same encoding.
Common LDAP encodings.
- Plaintext:
{PLAIN}followed by the plaintext password (also:{CLEARTEXT}). - Crypt:
{CRYPT}followed by a crypt string as per above (but usually only classic DES crypt). - MD5:
{MD5}followed by the MD5 digest. - SHA1:
{SHA}followed by the SHA-1 digest.
plain
- Password is explicitly plaintext, with no encoding, and can be any length.
NULL/empty
If svc_acct._password_encoding is NULL or empty, legacy (1.7) encoding is assumed:
-
*,!or!!means that no login is allowed. - Anything else under 13 characters is a plaintext password
- Exactly 13 characters is DES crypted
- Starting with
$1$is MD5 - Starting with
$2$or$2a$is Blowfish (support incomplete; if self-service login is required, store Blowfish passwords with "crypt" encoding instead). - Anything else unrecognized.
See also
- Freeside uses Authen::Passphrase for password handling, and many details in this documentation are lifted from there. See the Authen::Passphrase docuementation.
- RFC 2307
