Hello,
I need to convert LDAP accounts to passwd/shadow. The problem is password
conversion: from the LDAP DB I obtain something like this (I know that the
plain password is the string "heslo"):
userPassword:: e01ENX1sVjJ3dUI3eG1KdEtUZjZ1Z0dHcHBnPT0=
The value is base64-encoded, thus the real value is:
echo -n "e01ENX1sVjJ3dUI3eG1KdEtUZjZ1Z0dHcHBnPT0="|base64 -d
{MD5}lV2wuB7xmJtKTf6ugGGppg==
which is the same value as obtained from:
slappasswd -h {MD5} -s "heslo"
{MD5}lV2wuB7xmJtKTf6ugGGppg==
and was evaluated via a PHP script like:
echo '<? $A=base64_encode(pack("H*",md5("heslo"))); echo $A;?>' | php
lV2wuB7xmJtKTf6ugGGppg==
It is simple to obtain the full 128-bit hex MD5 hash by reversing this:
echo '<? $A=unpack("H*",base64_decode("lV2wuB7xmJtKTf6ugGGppg==")); echo $A[1];?>'|php
955db0b81ef1989b4a4dfeae8061a9a6
The result is right, as may be validated by:
echo -n "heslo"|md5sum
955db0b81ef1989b4a4dfeae8061a9a6
echo -n "heslo"|openssl dgst -md5 -hex
955db0b81ef1989b4a4dfeae8061a9a6
But now, how do I convert it to the form used in /etc/shadow? A "normal" shadow
password entry has the form "$1$" "salt (usually 8 chars)" "$" "22-char digest".
I was hoping this could be done with an empty salt, as generated with the command:
openssl passwd -1 -salt "" "heslo"
$1$$1dziKo9JPNdLlVrGfqIBG.
This is a quite valid /etc/shadow password value and authentication works
fine with it, but how do I convert the LDAP MD5 hash to this form? Both have 22 chars:
lV2wuB7xmJtKTf6ugGGppg # LDAP base-64 value
1dziKo9JPNdLlVrGfqIBG. # MD5 crypt() value
but they are different. I found on the Internet a mail from Mr. Howard Chu:
http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00141.html
where it is stated:
"base64 uses the characters [A-Z][a-z][0-9]+/ while crypt uses
the characters ./[0-9][A-Z][a-z] (in those exact orders)."
But things are probably more difficult than I imagined; a simple conversion
in the style:
CRYPT_HASH=`echo "$BASE64_HASH"|tr 'A-Za-z0-9+/' './0-9A-Za-z'`
does not work.
Is this problem ever solvable?
Is the idea of an empty salt real, and is the problem only in the conversion
between 6-bit DES crypt() encoding and base64 encoding?
Does anyone have any knowledge about this?
Thanks in advance. Sorry for my English.
Frantisek Hanzlik
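
Added example, not part of the original message: a Python sketch that decodes the userPassword value above to its hex MD5 digest and computes the "$1$" (MD5-crypt) string for an empty salt. MD5-crypt is an iterated construction over the plaintext password and the salt, not a re-encoding of MD5(password), which is why translating the base64 alphabet with tr cannot produce it. The function names are illustrative assumptions.

```python
import base64
import hashlib

# crypt(3) alphabet; helper names below are illustrative, not from any library.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def ldap_md5_to_hex(user_password_b64):
    """Decode an LDIF 'userPassword::' value of the form {MD5}<base64> to hex."""
    value = base64.b64decode(user_password_b64).decode("ascii")
    scheme, _, digest_b64 = value.partition("}")
    if scheme != "{MD5":
        raise ValueError("not an {MD5} userPassword value")
    return base64.b64decode(digest_b64).hex()

def _to64(value, count):
    """Emit `count` crypt(3) characters, 6 bits each, low bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5crypt(password, salt=b""):
    """MD5-crypt ($1$): needs the plaintext, mixes in the salt, runs 1000 rounds."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    ctx.update((alt * (len(password) // 16 + 1))[:len(password)])
    n = len(password)
    while n:  # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):
        block = password if i & 1 else final
        if i % 3:
            block += salt
        if i % 7:
            block += password
        block += final if i & 1 else password
        final = hashlib.md5(block).digest()
    f = final  # output bytes are permuted before the 6-bit encoding
    groups = [(f[0], f[6], f[12]), (f[1], f[7], f[13]), (f[2], f[8], f[14]),
              (f[3], f[9], f[15]), (f[4], f[10], f[5])]
    digest = "".join(_to64(a << 16 | b << 8 | c, 4) for a, b, c in groups)
    return "$1$" + salt.decode("ascii") + "$" + digest + _to64(f[11], 2)

if __name__ == "__main__":
    # Inputs are the values quoted in the message above.
    print(ldap_md5_to_hex("e01ENX1sVjJ3dUI3eG1KdEtUZjZ1Z0dHcHBnPT0="), md5crypt(b"heslo"))
```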