
Re: shisa API for setting password in plaintext


From: Simon Josefsson
Subject: Re: shisa API for setting password in plaintext
Date: Wed, 22 Mar 2006 10:11:05 +0100
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

Elrond <address@hidden> writes:

> [Simon asked me to post here]
>
> Hi Simon and everybody else,
>
> I'm currently considering integrating shisa with
> Samba-TNG.
> So that kerberos passwords get sync'd, when people change
> their windows password, and to get the windows passwords
> from the kerberos db ("arcfour" are windows style).

Hi Elrond!  Thanks for posting here; I'm trying to move all Shishi
related discussions to this so far too quiet list.

> What I'm missing for the first task mostly is some API in
> libshisa, that accepts (realm, principal, password-in-utf8)
> and sets the password.

Currently you'll have to do things in two steps: first convert the
password to a kerberos key using shishi_key_from_string() and then set
the key through shisa with shisa_key_add() or possibly
shisa_key_update().

See src/shisa.c for an example.  You'll have to compute the salt
yourself, e.g. like this:

    Shisa_key *dbkey = malloc (sizeof (*dbkey)); /* record handed to shisa */
    Shishi_key *key = NULL;                       /* key derived by libshishi */
    char *salt = NULL;
    char *p;
    int rc;

    /* Simplified default salt: realm followed by the principal name
       with the component separators removed.  */
    asprintf (&salt, "%s%s", realm, principal);

    /* FIXME: Parse principal/realm and create proper salt. */
    while ((p = strchr (salt, '/')))
      memmove (p, p + 1, strlen (p));

    /* Derive the key from the UTF-8 password; etype selects the
       string-to-key algorithm (e.g. SHISHI_ARCFOUR_HMAC).  */
    rc = shishi_key_from_string (sh, etype,
                                 passwd, strlen (passwd),
                                 salt, salt ? strlen (salt) : 0,
                                 str2keyparam, &key);
    if (rc != SHISHI_OK)
      return rc;

    dbkey->etype = etype;
    dbkey->key = shishi_key_value (key);
    dbkey->keylen = shishi_key_length (key);
    dbkey->salt = salt;
    dbkey->saltlen = salt ? strlen (salt) : 0;
    dbkey->str2keyparam = str2keyparam;
    dbkey->str2keyparamlen = str2keyparamlen;
    dbkey->password = passwd;   /* the plaintext password is stored as well */

    rc = shisa_key_add (dbh, realm, principal, dbkey);

Given that deriving the salt is non-trivial, I agree that there should
be some helper API that does this step for you (and even does it
correctly as well; a proper principal parser exists in libshishi).
However, the above should get you going.

> I guess, the API will be needed by kpasswdd once anyway?
> And shisa (cmdline tool) could use it instead of doing it
> by hand.

Yes.

> The next important question, when that API (will) exist,
> is:
> How can I force "arcfour" from the app layer into that api?
> Or am I supposed just to add/replace that specific etype by
> hand?

This is possible above: simply specify the etype parameter in
shishi_key_from_string as SHISHI_ARCFOUR_HMAC.

Hope this helps,
Simon
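Added example (not code from the Shishi project or from the message above): a stand-alone C version of the salt step that the snippet in Simon's reply does inline with asprintf() and memmove(). Kerberos' default salt is the realm followed by the principal name components concatenated with no separators, so for a principal written as "comp1/comp2" the salt is the realm plus both components with the '/' stripped. The function name kerberos_default_salt() and the helper salt_equals() are assumptions for this example, not libshishi or libshisa APIs, and the sample names are constructed. Like the original snippet, it does not parse escaped separators; that is the parsing the FIXME refers to.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build the default salt for PRINCIPAL@REALM: the realm followed by the
   principal name with every '/' component separator removed.  PRINCIPAL
   is the bare name without the "@REALM" suffix.  Returns a newly
   allocated string that the caller frees, or NULL on NULL input or
   allocation failure.  (Hypothetical helper, not a libshishi API.)  */
char *
kerberos_default_salt (const char *realm, const char *principal)
{
  size_t rlen, plen, i, n;
  char *salt;

  if (realm == NULL || principal == NULL)
    return NULL;

  rlen = strlen (realm);
  plen = strlen (principal);
  /* Dropping separators can only shrink the result, so this bound holds. */
  salt = malloc (rlen + plen + 1);
  if (salt == NULL)
    return NULL;

  memcpy (salt, realm, rlen);
  n = rlen;
  for (i = 0; i < plen; i++)
    if (principal[i] != '/')
      salt[n++] = principal[i];
  salt[n] = '\0';
  return salt;
}

/* Convenience check used by the self-test below: 1 if the derived salt
   equals EXPECTED, 0 otherwise.  */
int
salt_equals (const char *realm, const char *principal, const char *expected)
{
  char *salt = kerberos_default_salt (realm, principal);
  int ok = (salt != NULL && strcmp (salt, expected) == 0);
  free (salt);
  return ok;
}

/* Stand-alone run with constructed sample names.  */
int
main (void)
{
  char *salt = kerberos_default_salt ("EXAMPLE.ORG", "host/kdc.example.org");
  if (salt == NULL)
    return 1;
  printf ("salt = %s\n", salt);
  free (salt);
  return 0;
}
```

The result for the sample names is EXAMPLE.ORGhostkdc.example.org, which is exactly the string the asprintf()/memmove() loop in the reply would hand to shishi_key_from_string() as the salt argument; the salt length passed alongside it is then strlen() of that buffer.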