Difference between revisions of "Freeside:1.9:Documentation:Administration:svc acct: password encoding"

From Freeside
(ldap)
(NULL/empty)
 
(2 intermediate revisions by the same user not shown)
Line 36: Line 36:
 
If svc_acct._password_encoding is NULL or empty, legacy (1.7) encoding is assumed:
 
If svc_acct._password_encoding is NULL or empty, legacy (1.7) encoding is assumed:
  
* "*" "!" and "!!" mean that no login is allowed.
+
* <code>*</code>, <code>!</code> or <code>!!</code> means that no login is allowed.
 
* Anything else under 13 characters is a plaintext password
 
* Anything else under 13 characters is a plaintext password
 
* Exactly 13 characters is DES crypted
 
* Exactly 13 characters is DES crypted
* Starting with "$1$" is MD5  
+
* Starting with <code>$1$</code> is MD5  
* Starting with "$2$" or "$2a$" is Blowfish (support incomplete; if self-service login is required, store Blowfish passwords with "crypt" encoding instead).
+
* Starting with <code>$2$</code> or <code>$2a$</code> is Blowfish (support incomplete; if self-service login is required, store Blowfish passwords with "crypt" encoding instead).
 
* Anything else unrecognized.
 
* Anything else unrecognized.
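
Review bot: the Blowfish bullet still leaves "crypt" in plain double quotes, while every other literal touched in this hunk was moved into <code> tags. Since it names a value of svc_acct._password_encoding, wrap it as <code>crypt</code> so the encoding names are marked up consistently.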
  

Latest revision as of 01:34, 30 September 2009

Introduction

The svc_acct._password_encoding field specifies the encoding of the corresponding svc_acct._password field. Password encodings specify a format for storing a password along with information about its hash method (crypt/MD5/blowfish/etc.), if any. Password encodings do not represent a single, specific hash method each; instead, they tell you how the hash method and encrypted string are stored.

This functionality is new in 1.9.

Encodings

crypt

Typically used when importing hashed passwords from an /etc/shadow file or a system that uses the same encoding.

Common crypt encodings:

  • Classic DES crypt: exactly 13 base-64 encoded characters, as found in an old /etc/passwd or /etc/shadow file.
  • MD5: $1$ followed by 22 base-64 encoded characters, as found in a more modern /etc/shadow file.
  • Blowfish: $2$ or $2a$ followed by base-64 encoded characters, as found in an /etc/shadow file on a Blowfish-capable system.

ldap

Typically used when importing hashed passwords from an LDAP database or a system that uses the same encoding.

Common LDAP encodings:

  • Plaintext: {PLAIN} followed by the plaintext password (also: {CLEARTEXT}).
  • Crypt: {CRYPT} followed by a crypt string as per above (but usually only classic DES crypt).
  • MD5: {MD5} followed by the MD5 digest.
  • SHA1: {SHA} followed by the SHA-1 digest.

plain

  • Password is explicitly plaintext, with no encoding, and can be any length.

NULL/empty

If svc_acct._password_encoding is NULL or empty, legacy (1.7) encoding is assumed:

  • *, ! or !! means that no login is allowed.
  • Anything else under 13 characters is a plaintext password.
  • Exactly 13 characters is DES crypted.
  • Starting with $1$ is MD5.
  • Starting with $2$ or $2a$ is Blowfish (support incomplete; if self-service login is required, store Blowfish passwords with "crypt" encoding instead).
  • Anything else is unrecognized.
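
An added example, not Freeside's own code: a Python classifier that applies the rules on this page to (_password_encoding, _password) pairs, so an administrator can count which accounts still hold plaintext or DES values. It assumes the rules are applied in the order listed and that LDAP scheme names match case-insensitively; the function names, the row layout and the sample rows are hypothetical.

```python
import re
from collections import Counter

# LDAP scheme prefixes named on the page (case-insensitive match is an assumption).
LDAP_SCHEMES = {"PLAIN": "plaintext", "CLEARTEXT": "plaintext",
                "CRYPT": "crypt", "MD5": "md5-digest", "SHA": "sha1-digest"}

def classify_crypt(value):
    if len(value) == 13:
        return "des-crypt"
    if value.startswith("$1$"):
        return "md5-crypt"
    if value.startswith(("$2$", "$2a$")):
        return "blowfish"
    return "unrecognized"

def classify(encoding, value):
    """Storage format of one (_password_encoding, _password) pair."""
    if not encoding:  # NULL/empty: legacy (1.7) rules, in the order listed
        if value in ("*", "!", "!!"):
            return "locked"
        return "plaintext" if len(value) < 13 else classify_crypt(value)
    if encoding == "plain":
        return "plaintext"
    if encoding == "crypt":
        return classify_crypt(value)
    if encoding == "ldap":
        m = re.match(r"\{([A-Za-z0-9]+)\}(.*)", value, re.S)
        scheme = LDAP_SCHEMES.get(m.group(1).upper()) if m else None
        if scheme == "crypt":
            return classify_crypt(m.group(2))
        return scheme or "unrecognized"
    return "unrecognized"

# Constructed sample rows: (svcnum, _password_encoding, _password).
ROWS = [
    (101, None, "!!"),
    (102, "", "hunter2"),
    (103, None, "ab01FAX.bQRSU"),
    (104, "ldap", "{SHA}" + "A" * 27 + "="),
    (105, None, "$2a$10$" + "y" * 53),
    (106, "plain", "correct horse battery staple"),
]

def audit(rows):
    """Count accounts per format and list those stored as plaintext."""
    formats = {svcnum: classify(enc, pw) for svcnum, enc, pw in rows}
    plaintext = sorted(n for n, f in formats.items() if f == "plaintext")
    return Counter(formats.values()), plaintext
```

Calling `audit(ROWS)` returns the per-format counts together with the account numbers whose passwords are recoverable as stored.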

See also