Compare LDAP Password with another value (ldap3, Python)

Question


I want to implement a comparison function with ldap3 in Python that can compare a user-given value with a password stored in my LDAP entry.

This is easy to do with non-salted passwords, but I'm struggling with salted ones.
For example, the stored password in my LDAP entry looks like this:

{SSHA}F5GwOd39wiK+jEKD6UwCs+9XvzvdRYlX

and represents the Salted SHA value of

testpassword

I do not want to check the value with a bind because there might be more than one password saved in the entry. A bind would only check if the user-given value is indeed one of the passwords, and not the password I want to compare it to.

Edit: I want to do this in an LDAP editor. A function like this is already implemented in the LDAP editor I'm currently using (LDAP Account Manager / LAM). This comparison is not there to handle a login of some sort; it is there so the user himself can check if the password matches his user-given value.

This would be perfect for entries that have more than one password (yes, that is possible) and you have to delete one of them. Of course you could delete all values and add back the ones you still want to use. A comparison would be handy here because the step of deleting every password and adding all the ones back that are still in use would be skipped.

If there is anything else to clarify, I can elaborate more.

Any help is appreciated!

Answer 1

Score: 1


The LDAP faq-o-matic explains how to generate SSHA password hashes. Using that information, we know how to extract the salt from the SSHA password, which then allows us to hash our test password using the same salt to see if we get the same digest:

import sys
import base64
import hashlib

SSHA_TAG = '{SSHA}'

def salt_from_ssha(pw):
    # Strip the scheme tag, base64-decode, and split: the first 20 bytes
    # are the SHA-1 digest, everything after them is the salt.
    if pw.startswith(SSHA_TAG):
        pw = pw[len(SSHA_TAG):]
    dec = base64.b64decode(pw)
    digest, salt = dec[:20], dec[20:]
    return digest, salt

def compare_password_with_hashed_password(hashed_password, plaintext_password):
    # SSHA is SHA-1(password || salt), so re-hash the candidate (as bytes)
    # with the recovered salt and compare the two digests.
    digest, salt = salt_from_ssha(hashed_password)
    plaintext_hash = hashlib.sha1(plaintext_password + salt)
    return plaintext_hash.digest() == digest


target = sys.argv[1]

while True:
    testpw = input("Enter a test password: ").encode()
    if compare_password_with_hashed_password(target, testpw):
        print("You found it!")
        break

Running this might look like:

$ py hasher.py {SSHA}F5GwOd39wiK+jEKD6UwCs+9XvzvdRYlX
Enter a test password: foo
Enter a test password: bar
Enter a test password: testpassword
You found it!
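The following module is an added example and not part of the answer above. It generalises the same idea to the other scheme tags commonly found in userPassword values ({SHA}, {SSHA}, {SHA256}, {SSHA256}, {SHA512}, {SSHA512}, {MD5}, {SMD5}): the salt is taken as whatever bytes follow a digest of the algorithm's own length rather than a fixed 20-byte offset, digests are compared in constant time with hmac.compare_digest, and, for the multi-valued userPassword case the question describes, matching_values reports which of several stored values a candidate matches. Function names are the example's own; the stored values are assumed to have already been read from the directory (for instance with an ldap3 search), so nothing here talks to a server. The {SSHA} value in the __main__ block is the one from the question; the generated hashes in the test are constructed.

```python
"""Verify a candidate password against RFC 2307-style hashed userPassword values."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Scheme tag -> (hashlib algorithm name, salted?). The digest length comes
# from hashlib, so the salt is simply the bytes that follow the digest.
SCHEMES = {
    "{SHA}": ("sha1", False),
    "{SSHA}": ("sha1", True),
    "{SHA256}": ("sha256", False),
    "{SSHA256}": ("sha256", True),
    "{SHA512}": ("sha512", False),
    "{SSHA512}": ("sha512", True),
    "{MD5}": ("md5", False),
    "{SMD5}": ("md5", True),
}


def parse_hashed_password(stored: str):
    """Split '{SCHEME}base64' into (algorithm, digest, salt).

    Returns None for cleartext values or unknown schemes so the caller can
    decide how to treat them instead of silently mis-verifying.
    """
    if not stored.startswith("{"):
        return None
    end = stored.find("}")
    if end == -1:
        return None
    tag = stored[: end + 1].upper()
    if tag not in SCHEMES:
        return None
    algo, salted = SCHEMES[tag]
    raw = base64.b64decode(stored[end + 1:], validate=True)
    digest_len = hashlib.new(algo).digest_size
    digest, salt = raw[:digest_len], raw[digest_len:]
    if len(digest) != digest_len or (not salted and salt):
        raise ValueError(f"malformed {tag} value: unexpected length {len(raw)}")
    return algo, digest, salt


def verify_password(stored: str, candidate: str) -> bool:
    """True if candidate is the password behind one stored userPassword value."""
    parsed = parse_hashed_password(stored)
    if parsed is None:
        # A userPassword without a scheme tag is cleartext: compare literally.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    algo, digest, salt = parsed
    computed = hashlib.new(algo, candidate.encode() + salt).digest()
    # Constant-time compare so a verifier exposed to users does not leak
    # how many leading digest bytes matched.
    return hmac.compare_digest(computed, digest)


def make_hashed_password(candidate: str, scheme: str = "{SSHA}",
                         salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the given scheme (random 4-byte salt by default)."""
    scheme = scheme.upper()
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)
    digest = hashlib.new(algo, candidate.encode() + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode()


def matching_values(stored_values, candidate: str):
    """Return the subset of several userPassword values that the candidate matches."""
    return [v for v in stored_values if verify_password(v, candidate)]


if __name__ == "__main__":
    # The value from the question; the answer above reports it matches "testpassword".
    stored = "{SSHA}F5GwOd39wiK+jEKD6UwCs+9XvzvdRYlX"
    print(verify_password(stored, "testpassword"))
```

Because parse_hashed_password returns None for anything it does not recognise, a {CRYPT} or other unsupported value is compared as cleartext and simply fails to match rather than raising; extend SCHEMES, or branch on None explicitly, if that is not the behaviour an editor should have.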

huangapple
  • Posted by huangapple on 2023-06-19 19:17:57
  • Please keep this link when reposting: https://go.coder-hub.com/76506111.html