author | Olivier Mehani <shtrom@ssji.net> | 2016-05-21 21:26:26 +1000 |
committer | Olivier Mehani <shtrom@ssji.net> | 2016-05-21 21:26:26 +1000 |
commit | 13f2781e1f1875a19e702d64df065a8f56cfc7b1 (patch) | |
tree | ee700f549427d0bb4d7e901c0db4d3840cb80cb2 | |
parent | 66cf76614c6d91a673e129ae286e75595cc40e79 (diff) |
Import openldap_passwd.py, from [0], with ARGV support
[0] https://gist.github.com/rca/7217540
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
-rwxr-xr-x | openldap_passwd.py | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/openldap_passwd.py b/openldap_passwd.py
new file mode 100755
index 0000000..43f8c87
--- /dev/null
+++ b/openldap_passwd.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python2
+"""
+http://www.openldap.org/faq/data/cache/347.html
+
+As seen working on Ubuntu 12.04 with OpenLDAP 2.4.28-1.1ubuntu4
+
+Author: Roberto Aguilar <roberto@baremetal.io>
+"""
+import hashlib
+import os
+import sys
+
+
+def check_password(tagged_digest_salt, password):
+    """
+    Checks the OpenLDAP tagged digest against the given password
+    """
+    # the entire payload is base64-encoded
+    assert tagged_digest_salt.startswith('{SSHA}')
+
+    # strip off the hash label
+    digest_salt_b64 = tagged_digest_salt[6:]
+
+    # the password+salt buffer is also base64-encoded. decode and split the
+    # digest and salt
+    digest_salt = digest_salt_b64.decode('base64')
+    digest = digest_salt[:20]
+    salt = digest_salt[20:]
+
+    sha = hashlib.sha1(password)
+    sha.update(salt)
+
+    return digest == sha.digest()
+
+
+def make_secret(password):
+    """
+    Encodes the given password as a base64 SSHA hash+salt buffer
+    """
+    salt = os.urandom(4)
+
+    # hash the password and append the salt
+    sha = hashlib.sha1(password)
+    sha.update(salt)
+
+    # create a base64 encoded string of the concatenated digest + salt
+    digest_salt_b64 = '{}{}'.format(sha.digest(), salt).encode('base64').strip()
+
+    # now tag the digest above with the {SSHA} tag
+    tagged_digest_salt = '{{SSHA}}{}'.format(digest_salt_b64)
+
+    return tagged_digest_salt
+
+
+if __name__ == '__main__':
+    if len(sys.argv) > 1:
+        print(make_secret(sys.argv[1]))
+    else:
+        # buffer straight out of OpenLDAP
+        ldap_buf = 'e1NTSEF9VGY1dVFxUkl0VzV2NGowV0RNNXczY2dJd2ZLS0FUcFg='
+        print 'ldap buffer result: {}'.format(check_password(ldap_buf, 'foobar'))
+
+        # check that make_secret() above can properly encode
+        print 'checking make_secret: {}'.format(check_password(make_secret('foobar'), 'foobar'))
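Review bot: In check_password the final `return digest == sha.digest()` compares the stored digest with ordinary string equality, which stops at the first differing byte; `return hmac.compare_digest(digest, sha.digest())` (with `import hmac`, available from Python 2.7.7 on) is the constant-time form for a verifier. The `assert tagged_digest_salt.startswith('{SSHA}')` guard a few lines earlier is stripped under `python -O` and otherwise reports a malformed buffer as an AssertionError, so `if not tagged_digest_salt.startswith('{SSHA}'): raise ValueError('not an {SSHA} buffer')` is the more reliable check. The function also relies on the decoded buffer being exactly a 20-byte SHA-1 digest followed by the salt, which matches the SSHA layout the linked FAQ describes but is worth stating in the docstring, along with a note that salted SHA-1 is a legacy scheme kept here for compatibility with existing directories. In the `__main__` branch the password comes from `sys.argv[1]`, so it appears in process listings and shell history; the usage comment could say so and suggest `getpass.getpass()` as the interactive alternative.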