Posted to users@directory.apache.org by Emmanuel Lecharny <el...@gmail.com> on 2007/07/09 14:21:45 UTC

Re: HI

Hi Srinath,

hopefully, there is no way to get the password from its encrypted form
: this would be a major security breach !

If you have lost your password, there is no other solution than
changing it. If you have lost the admin password, then the only way to
change it is to modify the server.xml file, and to restart the server.

You have to understand that the encryption used for passwords is a one
way algorithm : you can encrypt a password, but not decrypt it (only
two-way algorithms allow such behavior, and it would be a _very bad_
idea to use such an algorithm for passwords...)

Emmanuel

On 7/9/07, seetha srinath <se...@yahoo.co.in> wrote:
> Hi ,
>         I am Srinath.
>                 Presently working on ApacheDS, I had a problem, i.e., I want to get the userPassword from the directory server; I am getting a hash value which is in encrypted form, so how do I convert the encrypted type to a string?
>    Can anybody help me please?
>        Regards
>         s.srinath
>


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

Re: HI

Posted by Emmanuel Lecharny <el...@gmail.com>.
Hi,

we don't provide security, we implement mechanisms enforcing a better
security. Whatever system you use, the weakest part of the security chain
will be the one which will be cracked first. Usually, human being is the
weakest element ... Can we fix it ? ;)

Now, to be very clear : you can use any kind of salted and encrypted
password, just _know_ that the password is sent in *clear text* through a
bind request, unless you use LDAPS protocol or SASL.

Emmanuel

On 7/9/07, sgestin@gnt.ch <sg...@gnt.ch> wrote:
>
> Security is a myth :) even with one way algorithm. This is a bit more
> secure but with time hack is always possible. What you can do is delaying
> hacker success. What you can do is monitoring what hackers are doing to
> detect the attack.
>
> With ApacheDS you can replace authentication provider then you can monitor
> password detection here. Is it possible to change search engine?
>
> Stevens
>
>
> On 09.07.2007 16:30, Hans <hmlhdr@gmail.com> wrote to users@directory.apache.org (subject: Re: HI):
>
> Hi
>
> > hopefully, there is no way to get the password from its encrypted form
> > : this would be a major security breach !
> >
>
> Well actually there is, but you need to do some guesswork ;-)
> http://en.wikipedia.org/wiki/Rainbow_table
> http://www.antsight.com/zsl/rainbowcrack/
> http://rainbowtables.shmoo.com/
>
> Don't know if the password hash in ApacheDS is salted, though.
>
> The password hash should not be possible to extract or query by other
> means than backup, not through a query.
>
> If you are allowed to do a search like
> $ ldapsearch -b o=some.root -s sub 'userPassword="{md5}
> b4b5835f03bd6748e0cc25790d6f3498"' dn
> it would render you all objects with the attribute userPassword equal to
> "the secret password", which may not be such a good idea.
>
> iPlanet DS 4.x allowed searches on the userPassword attribute with
> directory manager privs, I found out. Have not tested if this works with ApacheDS.
>
> /h
> ---
> Hans
> mailto:hmlhdr@gmail.com <hm...@gmail.com>
>
>
>
>
>
>
>
>


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

Re: HI

Posted by Emmanuel Lecharny <el...@gmail.com>.
Hi,

On 7/9/07, Hans <hm...@gmail.com> wrote:
> Well actually there is, but you need to do some guesswork ;-)
> http://en.wikipedia.org/wiki/Rainbow_table
> http://www.antsight.com/zsl/rainbowcrack/
> http://rainbowtables.shmoo.com/

what I meant is that it's not a *feature* to be able to retrieve a
password from its crypted form, it's a hack. Sadly, too many passwords
are too easy to guess ...

>
> Don't know if the password hash in ApacheDS is salted, though.

We support SHA, MD5 and their salted forms. We also support {crypt}

>
> The password hash should not be possible to extract or query by other
> means than backup, not through a query.

If you use Apache Directory Studio, then you can get the password as
text. If your password is something as simple as 'System', 'JamesBond'
or 'X007', then any of the listed tools will be able to crack it in a
few seconds ...

>
> If you are allowed to do a search like
> $ ldapsearch -b o=some.root -s sub 'userPassword="{md5}
> b4b5835f03bd6748e0cc25790d6f3498"' dn
> it would render you all objects with the attribute userPassword equal to
> "the secret password", which may not be such a good idea.
>
> iPlanet DS 4.x allowed searches on the userPassword attribute with
> directory manager privs, I found out. Have not tested if this works with ApacheDS.


It would be a good idea to forbid users to do such searches in ADS. I
now realize how bad it is to allow anyone to get everyone's passwords
... Can you file a JIRA ?

Thanks !
-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
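To make the points in this reply concrete (one-way hashing, the difference between {MD5}/{SHA} and their salted forms, and why an equality search on userPassword is a problem), here is an added example. It is not code from the thread or from ApacheDS; it assumes the common RFC 2307-style layout `{SCHEME}` + base64(digest [+ salt]) with the salt appended after the digest for the salted schemes, and makes no claim about ApacheDS internals. The entries in the `__main__` block are constructed sample data.

```python
"""Added example: RFC 2307-style userPassword values ({MD5}, {SMD5}, {SHA}, {SSHA}).

Assumption (not taken from the thread): a stored value is
"{SCHEME}" + base64(digest [+ salt]), salt appended to the digest for the
salted schemes. This is the usual LDAP convention, not an ApacheDS statement.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, List, Optional

SCHEMES = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
           "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
SALTED = {"SMD5", "SSHA"}


def hash_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """One-way transform: the password goes in, only a digest comes out."""
    scheme = scheme.upper()
    digest_fn = SCHEMES[scheme]
    data = password.encode("utf-8")
    if scheme in SALTED:
        # Fresh random salt per entry: equal passwords no longer share a value.
        salt = os.urandom(8) if salt is None else salt
        raw = digest_fn(data + salt).digest() + salt
    else:
        raw = digest_fn(data).digest()
    return "{" + scheme + "}" + base64.b64encode(raw).decode("ascii")


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a candidate by recomputing the digest, never by reversing it:
    there is nothing to decrypt in a one-way hash."""
    if not stored.startswith("{") or "}" not in stored:
        return False                   # plaintext or unknown layout: no match
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()            # tolerate "{md5}" as written in the thread
    if scheme not in SCHEMES:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    digest_len = SCHEMES[scheme]().digest_size
    stored_digest, salt = raw[:digest_len], raw[digest_len:]
    if scheme not in SALTED and salt:
        return False                   # unsalted scheme must be a bare digest
    expected = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(stored_digest, expected)


def shared_password_groups(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Group entry DNs whose stored userPassword values are byte-identical.
    An equality filter on userPassword (the search described in the thread)
    can only match entries whose stored values coincide, i.e. exactly these
    groups. With per-entry salts the groups are empty."""
    groups: Dict[str, List[str]] = {}
    for dn, stored in entries.items():
        groups.setdefault(stored, []).append(dn)
    return {value: dns for value, dns in groups.items() if len(dns) > 1}


if __name__ == "__main__":
    # Constructed sample directory: two users chose the same weak password.
    choices = {"uid=alice,ou=users,o=example": "JamesBond",
               "uid=bob,ou=users,o=example": "JamesBond",
               "uid=carol,ou=users,o=example": "X007"}
    unsalted = {dn: hash_userpassword(pw, "MD5") for dn, pw in choices.items()}
    salted = {dn: hash_userpassword(pw, "SSHA") for dn, pw in choices.items()}
    print("unsalted groups:", shared_password_groups(unsalted))  # alice and bob
    print("salted groups:  ", shared_password_groups(salted))    # {}
    print(verify_userpassword("JamesBond", salted["uid=alice,ou=users,o=example"]))
```

The `{MD5}` and `{SHA}` values are deterministic, so the same password always produces the same stored string and a single equality filter finds every entry that shares it; `{SMD5}`/`{SSHA}` fold a per-entry salt into the digest, which removes that property and also defeats precomputed (rainbow) tables, though not guessing of weak passwords such as the ones named above.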

Re: HI

Posted by sg...@gnt.ch.
Security is a myth :) even with one way algorithm. This is a bit more
secure but with time hack is always possible. What you can do is delaying
hacker success. What you can do is monitoring what hackers are doing to
detect the attack.

With ApacheDS you can replace authentication provider then you can monitor
password detection here. Is it possible to change search engine?

Stevens



On 09.07.2007 16:30, Hans <hmlhdr@gmail.com> wrote to users@directory.apache.org (subject: Re: HI):

Hi

> hopefully, there is no way to get the password from its encrypted form
> : this would be a major security breach !
>

Well actually there is, but you need to do some guesswork ;-)
http://en.wikipedia.org/wiki/Rainbow_table
http://www.antsight.com/zsl/rainbowcrack/
http://rainbowtables.shmoo.com/

Don't know if the password hash in ApacheDS is salted, though.

The password hash should not be possible to extract or query by other
means than backup, not through a query.

If you are allowed to do a search like
$ ldapsearch -b o=some.root -s sub 'userPassword="{md5}
b4b5835f03bd6748e0cc25790d6f3498"' dn
it would render you all objects with the attribute userPassword equal to
"the secret password", which may not be such a good idea.

iPlanet DS 4.x allowed searches on the userPassword attribute with
directory manager privs, I found out. Have not tested if this works with ApacheDS.

/h
---
Hans
mailto:hmlhdr@gmail.com







Re: HI

Posted by Hans <hm...@gmail.com>.
Hi

> hopefully, there is no way to get the password from its encrypted form
> : this would be a major security breach !
>

Well actually there is, but you need to do some guesswork ;-)
http://en.wikipedia.org/wiki/Rainbow_table
http://www.antsight.com/zsl/rainbowcrack/
http://rainbowtables.shmoo.com/

Don't know if the password hash in ApacheDS is salted, though.

The password hash should not be possible to extract or query by other
means than backup, not through a query.

If you are allowed to do a search like
$ ldapsearch -b o=some.root -s sub 'userPassword="{md5}
b4b5835f03bd6748e0cc25790d6f3498"' dn
it would render you all objects with the attribute userPassword equal to
"the secret password", which may not be such a good idea.

iPlanet DS 4.x allowed searches on the userPassword attribute with
directory manager privs, I found out. Have not tested if this works with ApacheDS.

/h
---
Hans
mailto:hmlhdr@gmail.com