Difference between revisions of "Freeside:1.9:Documentation:Administration:svc acct: password encoding"

From Freeside
Revision as of 01:29, 30 September 2009

Introduction

The svc_acct._password_encoding field specifies the encoding of passwords in the svc_acct._password field. Password encodings specify a format for storing a password along with information about its hash method (crypt/MD5/blowfish/etc.), if any. Password encodings do not represent a single, specific hash method each; instead, they tell you how the hash method and encrypted string are stored.

This functionality is new in 1.9.

Encodings

crypt

Typically used when importing hashed passwords from an /etc/shadow file or a system that uses the same encoding.

Common crypt encodings:

  • Classic DES crypt: exactly 13 base-64 encoded characters, like from an old /etc/passwd or /etc/shadow file.
  • MD5: "$1$" followed by 22 base-64 encoded characters, like from a more modern /etc/shadow file.
  • Blowfish: "$2$" or "$2a$" followed by base-64 encoded characters, like from a /etc/shadow file on a blowfish-capable system.

ldap

Typically used when importing hashed passwords from an LDAP database or a system that uses the same encoding.

Common LDAP encodings:

  • Plaintext: "{PLAIN}" followed by the plaintext password (also: "{CLEARTEXT}").
  • Crypt: "{CRYPT}" followed by a crypt string as described above (but usually only classic DES crypt).
  • MD5: "{MD5}" followed by the MD5 digest.
  • SHA1: "{SHA}" followed by the SHA-1 digest.

plain

  • Password is explicitly plaintext, with no encoding, and can be any length.

None/legacy

If svc_acct._password_encoding is NULL or empty, legacy (1.7) encoding is assumed:

  • "*", "!" and "!!" mean that no login is allowed.
  • Anything else under 13 characters is a plaintext password.
  • Exactly 13 characters is DES crypted.
  • Starting with "$1$" is MD5.
  • Starting with "$2$" or "$2a$" is Blowfish (support incomplete; if self-service login is required, store Blowfish passwords with "crypt" encoding instead).
  • Anything else is unrecognized.
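The following is an added example, not Freeside's own code: it applies the crypt, ldap, plain and legacy rules documented on this page to a (svc_acct._password_encoding, svc_acct._password) pair and reports which hash method is implied, plus a small audit helper that lists rows still stored in plaintext. Column names and the return labels are this example's own choices.

```python
import re

# Added example, not Freeside code: classify svc_acct._password by the rules on this page.
NO_LOGIN = ("*", "!", "!!")                     # legacy: login disabled
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # classic 13-char crypt(3)
LDAP_SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

def classify_crypt(pw):
    """'crypt' encoding: an /etc/shadow style hash string."""
    if pw.startswith("$1$"):
        return "md5-crypt"
    if pw.startswith(("$2$", "$2a$")):
        return "blowfish-crypt"
    return "des-crypt" if DES_CRYPT.match(pw) else "unknown"

def classify_ldap(pw):
    """'ldap' encoding: RFC 2307 style '{SCHEME}value'."""
    m = LDAP_SCHEME.match(pw)
    if not m:
        return "unknown"
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme in ("PLAIN", "CLEARTEXT"):
        return "plain"
    if scheme == "CRYPT":
        return classify_crypt(rest)        # usually classic DES crypt
    return {"MD5": "md5-digest", "SHA": "sha1-digest"}.get(scheme, "unknown")

def classify_legacy(pw):
    """NULL/empty encoding: the 1.7 heuristics, in the documented order."""
    if pw in NO_LOGIN:
        return "nologin"
    if len(pw) < 13:
        return "plain"
    if len(pw) == 13:
        return "des-crypt"
    if pw.startswith("$1$"):
        return "md5-crypt"
    return "blowfish-crypt" if pw.startswith(("$2$", "$2a$")) else "unknown"

def classify(encoding, pw):
    """Hash method implied by (_password_encoding, _password)."""
    enc = (encoding or "").lower()          # NULL or '' -> legacy rules
    handlers = {"": classify_legacy, "crypt": classify_crypt,
                "ldap": classify_ldap, "plain": lambda _: "plain"}
    return handlers.get(enc, lambda _: "unknown")(pw)

def plaintext_rows(rows):
    """Audit helper: svcnums whose password is stored in plaintext.
    rows: iterable of (svcnum, _password_encoding, _password) tuples."""
    return [svcnum for svcnum, enc, pw in rows if classify(enc, pw) == "plain"]
```

Running plaintext_rows over a dump of svc_acct is a quick way to find accounts that still need migrating to a hashed encoding before the legacy rules are retired.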

See also

  • Freeside uses Authen::Passphrase for password handling, and many details in this documentation are lifted from there. See the Authen::Passphrase documentation: http://search.cpan.org/dist/Authen-Passphrase/lib/Authen/Passphrase.pm
  • RFC 2307: http://www.ietf.org/rfc/rfc2307.txt