Password hashing programs and scripts

LDAP directories can be configured to accept one-way hashes of passwords. Bravura Pass supports these configurations by providing several standard hash functions: salted and unsalted SHA-1, salted and unsalted MD5, and Unix Crypt (DES). Customized functions are also supported. To use your own hash function:

You must provide a script. This script must be located in the \<instance>\script\ directory.

  • The name of the script must be passed as an argument in the LDAP target address, as

    /script=<script>

  • Within the script, the address KVGroup must contain a "pwhash" = "<program name>" key, where program name is the name of the program containing the hash function. For example:

    "pwhash" = "myhashfunctionprogram.exe"

    Note that the built-in hash functions are wrapped in curly brackets {}. For example:

    "pwhash" = "{MD5}"

  • The hash function program must exist in the agent directory, or a fully qualified path must be included in the <program name>. For example:

    "pwhash" = "C:\\my\\path\\myhashfunctionprogram.exe"

  • The hash function program must take its input from standard input (stdin), consisting of one line containing three quoted arguments: the user’s long ID, old password, and the new password. For example:

    "UID=DBRAR,OU=PEOPLE,DC=PSYNCH,CD=COM" "" "new5Password"

    Note that the old password can be empty.

  • The hash function program must print the hashed password to standard output (stdout) exactly as it should be entered into the LDAP password attribute. Ensure that no extraneous characters follow after the password, including line feeds or carriage returns.
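The stdin/stdout contract described above, as an added example that is not part of this page or of the Bravura Pass product: a Python stand-in for myhashfunctionprogram.exe that reads the one-line request and writes a salted SHA-1 value in the {SSHA} layout commonly stored in LDAP directories. The quoting rules for the three fields (double-quoted, no embedded double quotes, separated by whitespace), the 8-byte salt length and the choice of the {SSHA} layout are assumptions not stated on the page.

```python
import base64
import hashlib
import os
import sys


def parse_request(line):
    """Split '"<long ID>" "<old password>" "<new password>"' into three fields.
    Assumption (not on the page): fields are double-quoted with no embedded
    double quote and separated by whitespace; the old password may be ""."""
    fields, i = [], 0
    while i < len(line):
        if line[i].isspace():
            i += 1
            continue
        if line[i] != '"':
            raise ValueError("unquoted text at offset %d" % i)
        end = line.find('"', i + 1)
        if end < 0:
            raise ValueError("unterminated quoted field")
        fields.append(line[i + 1:end])
        i = end + 1
    if len(fields) != 3:
        raise ValueError("expected 3 quoted fields, got %d" % len(fields))
    return fields


def ssha_hash(password, salt=None):
    """Salted SHA-1 in the common LDAP {SSHA} layout:
    '{SSHA}' + base64(sha1(password + salt) + salt); fresh 8-byte salt by default."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def handle(stream_in, stream_out):
    """Read the single request line and write the hash with NO trailing newline
    (the page warns that any extra character ends up in the LDAP attribute)."""
    _long_id, _old_password, new_password = parse_request(stream_in.readline())
    hashed = ssha_hash(new_password)
    stream_out.write(hashed)
    stream_out.flush()
    return hashed


if __name__ == "__main__":
    handle(sys.stdin, sys.stdout)
```

Because "pwhash" names a program, on a host with Python installed the value would point at a small launcher (for instance a .exe or .cmd that starts the interpreter with this script), and the script itself handles the stdin reading that the page notes is awkward in batch files.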

You can use the shipped command-line pwdhash program to generate a hash.

Considerations:

  • LDAP still applies any additional encryption, specified by the LDAP password storage scheme (passwordStorageScheme) attribute, to the value output by the plugin.

  • It is difficult to read from standard input in Win32 batch and Visual Basic scripts.

Use the pwdhash program to hash a password, verify a password or generate a salt. The program accepts arguments and outputs the hashed password on standard output.

Usage

pwdhash.exe <hash|verify|saltgen> <options>

Argument                             Description

hash                                 Generates a password hash
verify                               Verifies a password against a hash
saltgen                              Generates a salt
-help                                Print out help/usage message and exit
-v, --version                        Print out version and exit
-encalg <b64|hex>                    Encoding algorithm to use
-hash <hash>                         Input hash to verify
-hashalg <sha256|sha512|sha1|md5>    Hashing algorithm to use
-password <password>                 The password to hash/verify
-prefix <prefix>                     Output prefix
-salt <salt>                         The optional salt to use when verifying
-salt-chars <salt-chars>             Optional character set to use for salt
-saltlen <saltlen>                   Optional length of salt to generate

Examples

To use pwdhash to generate a password hash with base64 encoding and a SHA1 hashing algorithm, type:

pwdhash.exe hash -encalg b64 -hashalg sha1 -password ThePassword

To generate a password hash with base64 encoding and a SHA512 hashing algorithm:

echo "ThePassword" | pwdhash.exe hash -encalg b64 -hashalg sha512 -prefix {SHA512}