...
- generates a random 16-byte salt
- feeds the salt plus password into our PBKDF2 function, which applies a hash (HMAC-SHA1) 10,000 times, yielding a 32-byte hash
- concatenates salt and hash, and base64-encodes the result
...
Incidentally you can generate such a hash using Python:
```
$ sudo pip3 install passlib
$ python3 -c 'from passlib.hash import atlassian_pbkdf2_sha1; print(atlassian_pbkdf2_sha1.hash("hunter2"));'
{PKCS5S2}sFaqFaJUijGG0FqLUQrhPOEXrxB7jrXI7lzkPstbM3bhPq7x8rSS+Q3NtSduIgwt
```
If you have a commercial Jira license, you can also download the source at https://my.atlassian.com and take a look (unpack dependencySources/atlassian-password-encoder-*-sources.jar and look at DefaultPasswordEncoder and PKCS5S2PasswordHashGenerator).
...
OpenLDAP's PBKDF2 Support
OpenLDAP supports PBKDF2 with the help of a module. The problem is that its format is different. Here is how to generate a hash from the command line:
```
$ slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s hunter2
{PBKDF2}10000$wf6MXP0w8pxfQXKqDWCK1g$O3Vb3KDkFcmTqBCZU0w97XlELFc
```
The format is:
{PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>
Although Atlassian's {PKCS5S2} and OpenLDAP's {PBKDF2} are really the same thing, the format is a bit different. Our job is to convert from Atlassian's to OpenLDAP's.
This is not hard. Look at OpenLDAP's format again:
{PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>
We know the iteration count (10000). We know the salt. We know the hash (derived key). We just need to reorder the elements and re-encode the salt and key in OpenLDAP's adapted base64.
...
```bash
function atlassian_to_pbkdf2()
{
    # Adapted base64 ('+' becomes '.', no '=' padding), the encoding OpenLDAP's pw-pbkdf2 expects
    ab64encode() { python3 -c 'import sys; from passlib.utils.binary import ab64_encode; print(ab64_encode(sys.stdin.buffer.read()).decode("utf-8"))'; }
    local credential="$1" salt hash
    credential="${credential#'{PKCS5S2}'}"   # strip the scheme prefix
    # The decoded blob is a 16-byte salt followed by a 32-byte derived key
    salt="$(printf '%s' "$credential" | base64 -d | head -c16 | ab64encode)"
    hash="$(printf '%s' "$credential" | base64 -d | tail -c32 | ab64encode)"
    printf "Salt: %s\n" "$salt"
    printf "Hash: %s\n" "$hash"
    # head -c64 keeps only the first 20 bytes (27 adapted-base64 characters) of the
    # derived key, the length OpenLDAP's SHA-1 {PBKDF2} scheme uses; the leading
    # 20 bytes of a 32-byte PBKDF2-HMAC-SHA1 key are identical to a 20-byte key
    printf '{PBKDF2}%d$%s$%s' 10000 "$salt" "$hash" | head -c64
    echo
}
```
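The same conversion in Python using only the standard library instead of passlib, as an added example that is not the page's or Atlassian's code, with a verifier that recomputes PBKDF2-HMAC-SHA1 from the resulting OpenLDAP string. `atlassian_hash` constructs a sample {PKCS5S2} credential for the demo; the 20-byte derived-key length assumed for OpenLDAP's {PBKDF2} scheme is the one the page's `head -c64` truncates to.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 10000           # Atlassian's fixed iteration count
SALT_LEN = 16                # bytes of salt in a {PKCS5S2} blob
ATLASSIAN_DK_LEN = 32        # bytes of derived key in a {PKCS5S2} blob
OPENLDAP_DK_LEN = 20         # derived-key length of OpenLDAP's {PBKDF2} (SHA-1) scheme

def ab64_encode(raw: bytes) -> str:
    """Adapted base64 as used by OpenLDAP's pw-pbkdf2: '+' -> '.', no '=' padding."""
    return base64.b64encode(raw).decode("ascii").replace("+", ".").rstrip("=")

def ab64_decode(text: str) -> bytes:
    std = text.replace(".", "+")
    return base64.b64decode(std + "=" * (-len(std) % 4))

def atlassian_hash(password: str, salt: bytes) -> str:
    """Build a {PKCS5S2} credential as the page describes (constructed for this demo)."""
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, ATLASSIAN_DK_LEN)
    return "{PKCS5S2}" + base64.b64encode(salt + dk).decode("ascii")

def atlassian_to_openldap(credential: str) -> str:
    """Reorder salt and derived key into {PBKDF2}<iter>$<ab64 salt>$<ab64 dk>."""
    if not credential.startswith("{PKCS5S2}"):
        raise ValueError("not an Atlassian PKCS5S2 credential")
    blob = base64.b64decode(credential[len("{PKCS5S2}"):])
    if len(blob) != SALT_LEN + ATLASSIAN_DK_LEN:
        raise ValueError(f"decoded length {len(blob)}, expected {SALT_LEN + ATLASSIAN_DK_LEN}")
    salt, dk = blob[:SALT_LEN], blob[SALT_LEN:]
    # PBKDF2 output is a concatenation of independently computed HMAC blocks, so
    # the first 20 bytes of the 32-byte key are exactly the 20-byte key OpenLDAP
    # would derive itself. Truncating here is what the page's `head -c64` does.
    return f"{{PBKDF2}}{ITERATIONS}${ab64_encode(salt)}${ab64_encode(dk[:OPENLDAP_DK_LEN])}"

def openldap_verify(password: str, stored: str) -> bool:
    """Check a password against a {PBKDF2} string by recomputing with the stored salt and count."""
    if not stored.startswith("{PBKDF2}"):
        return False
    iterations, salt_b64, dk_b64 = stored[len("{PBKDF2}"):].split("$")
    salt, dk = ab64_decode(salt_b64), ab64_decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, int(iterations), len(dk))
    return hmac.compare_digest(candidate, dk)

if __name__ == "__main__":
    cred = atlassian_hash("hunter2", os.urandom(16))   # constructed sample credential
    print(cred)
    print(atlassian_to_openldap(cred))
```

Because the verifier re-derives the key at whatever length is stored, it accepts both the truncated 20-byte form and a full 32-byte one, which makes it handy for checking a migrated entry before pointing slapd at it.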
...