...

  • generates a random 16-byte salt
  • feeds the salt plus the password into PBKDF2 with HMAC-SHA1 as the PRF, applied for 10,000 iterations, yielding a 32-byte derived key (the "hash")
  • concatenates salt and derived key (48 bytes in total) and base64-encodes the result, prefixed with {PKCS5S2}

...

Incidentally you can generate such a hash using Python:

Code Block
$ sudo pip3 install passlib
$ python3 -c 'from passlib.hash import atlassian_pbkdf2_sha1; print(atlassian_pbkdf2_sha1.hash("hunter2"));'
{PKCS5S2}sFaqFaJUijGG0FqLUQrhPOEXrxB7jrXI7lzkPstbM3bhPq7x8rSS+Q3NtSduIgwt


If you have a commercial Jira license, you can also download the source at https://my.atlassian.com and take a look (unpack dependencySources/atlassian-password-encoder-*-sources.jar and look at DefaultPasswordEncoder and PKCS5S2PasswordHashGenerator).

...

OpenLDAP's PBKDF2 Support

OpenLDAP supports PBKDF2 with the help of a contributed module (pw-pbkdf2). The problem is that its storage format is different. Here is how to generate a hash from the command line:

Code Block
slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s hunter2
{PBKDF2}10000$wf6MXP0w8pxfQXKqDWCK1g$O3Vb3KDkFcmTqBCZU0w97XlELFc

The format is:

{PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>

"Adapted base64" is the variant used by Python's passlib: standard base64 with '+' replaced by '.' and the trailing '=' padding removed. Note that the DK in the example above is 27 characters, i.e. 20 bytes, the natural output length of HMAC-SHA1.

Although Atlassian's {PKCS5S2} and OpenLDAP's {PBKDF2} are really the same algorithm (PBKDF2-HMAC-SHA1 with 10,000 iterations and a 16-byte salt), the storage format is a bit different. Our job is to convert from Atlassian's to OpenLDAP's.


This is not hard. Look at OpenLDAP's format again:

{PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>

We know the iteration count (10,000). We know the salt: the first 16 bytes of the decoded Atlassian blob. We know the hash, i.e. the derived key: the remaining 32 bytes. We just need to reorder the elements, re-encode each in adapted base64, and shorten the derived key from 32 to 20 bytes, since OpenLDAP's {PBKDF2} stores only 20. That truncation is safe because PBKDF2 produces its output one PRF block at a time: the first 20 bytes of Atlassian's 32-byte key are exactly the 20-byte key OpenLDAP computes for the same salt and iteration count. Cut the key bytes before encoding, not the encoded string: the 27th base64 character of a 32-byte key also carries the top two bits of byte 21, so cutting the string at 27 characters gives a different last character (and a decode that strict decoders reject) whenever those bits are non-zero.

...

Code Block
function atlassian_to_pbkdf2()
{
  # Adapted base64 (passlib's ab64: '+' becomes '.', no '=' padding), which is
  # what OpenLDAP's pw-pbkdf2 expects for both salt and DK.
  ab64encode() { python3 -c 'import sys; from passlib.utils.binary import ab64_encode; print(ab64_encode(sys.stdin.buffer.read()).decode("utf-8"))'; }
  local credential="$1" salt hash
  credential="${credential#'{PKCS5S2}'}"
  # The decoded blob is 16 bytes of salt followed by a 32-byte derived key.
  salt="$(echo -n "$credential" | base64 -d | head -c16 | ab64encode)"
  # OpenLDAP's {PBKDF2} stores a 20-byte key (one SHA-1 output), and the first
  # 20 bytes of the 32-byte PBKDF2 output are that key. Truncate the raw bytes
  # before encoding; truncating the encoded string can corrupt the last character.
  hash="$(echo -n "$credential" | base64 -d | tail -c32 | head -c20 | ab64encode)"
  printf "Salt: %s\n" "$salt"
  printf "Hash: %s\n" "$hash"
  # Single quotes keep the literal '$' separators out of shell expansion.
  printf '{PBKDF2}%d$%s$%s\n' 10000 "$salt" "$hash"
}
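The same conversion done end to end in Python, as an added example that is not part of the original page and does not use passlib: it parses both formats, recomputes PBKDF2-HMAC-SHA1 with the standard library to verify a password against either form, and converts {PKCS5S2} to {PBKDF2} without knowing the password, truncating the key bytes to 20 before encoding. The two sample hashes are copied from the page above; the function and constant names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters both schemes share (from the page): PBKDF2-HMAC-SHA1, 10,000 rounds, 16-byte salt.
ITERATIONS = 10000
SALT_LEN = 16
ATLASSIAN_DK_LEN = 32   # {PKCS5S2} stores a 32-byte derived key
OPENLDAP_DK_LEN = 20    # {PBKDF2} (SHA-1 variant) stores one SHA-1 output, 20 bytes

# Sample values copied from the page (both are hashes of "hunter2").
PAGE_ATLASSIAN = "{PKCS5S2}sFaqFaJUijGG0FqLUQrhPOEXrxB7jrXI7lzkPstbM3bhPq7x8rSS+Q3NtSduIgwt"
PAGE_OPENLDAP = "{PBKDF2}10000$wf6MXP0w8pxfQXKqDWCK1g$O3Vb3KDkFcmTqBCZU0w97XlELFc"


def ab64_encode(raw: bytes) -> str:
    """Adapted base64 as used by passlib and pw-pbkdf2: '+' becomes '.', no '=' padding."""
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")


def ab64_decode(text: str) -> bytes:
    std = text.replace(".", "+")
    return base64.b64decode(std + "=" * (-len(std) % 4))


def pbkdf2_sha1(password: str, salt: bytes, iterations: int, dk_len: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dk_len)


def parse_pkcs5s2(stored: str) -> Tuple[bytes, bytes]:
    """Split an Atlassian {PKCS5S2} value into (salt, derived_key)."""
    prefix = "{PKCS5S2}"
    if not stored.startswith(prefix):
        raise ValueError("not a {PKCS5S2} hash")
    blob = base64.b64decode(stored[len(prefix):], validate=True)
    if len(blob) != SALT_LEN + ATLASSIAN_DK_LEN:
        raise ValueError("expected %d bytes, got %d" % (SALT_LEN + ATLASSIAN_DK_LEN, len(blob)))
    return blob[:SALT_LEN], blob[SALT_LEN:]


def parse_openldap(stored: str) -> Tuple[int, bytes, bytes]:
    """Split an OpenLDAP {PBKDF2} value into (iterations, salt, derived_key)."""
    prefix = "{PBKDF2}"
    if not stored.startswith(prefix):
        raise ValueError("not a {PBKDF2} hash")
    rounds, salt, dk = stored[len(prefix):].split("$")
    return int(rounds), ab64_decode(salt), ab64_decode(dk)


def pkcs5s2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an Atlassian-style hash (a fixed salt may be passed for reproducible tests)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = pbkdf2_sha1(password, salt, ITERATIONS, ATLASSIAN_DK_LEN)
    return "{PKCS5S2}" + base64.b64encode(salt + dk).decode("ascii")


def pkcs5s2_verify(password: str, stored: str) -> bool:
    salt, dk = parse_pkcs5s2(stored)
    return hmac.compare_digest(dk, pbkdf2_sha1(password, salt, ITERATIONS, len(dk)))


def openldap_verify(password: str, stored: str) -> bool:
    rounds, salt, dk = parse_openldap(stored)
    # The stored DK length decides how many bytes to derive; 20 for the SHA-1 variant.
    return hmac.compare_digest(dk, pbkdf2_sha1(password, salt, rounds, len(dk)))


def pkcs5s2_to_openldap(stored: str) -> str:
    """Convert without the password: reorder, re-encode, and keep only the first 20 key bytes.

    PBKDF2 emits its output block by block, so the first 20 bytes of the 32-byte
    Atlassian key equal the 20-byte key OpenLDAP derives for the same inputs.
    """
    salt, dk = parse_pkcs5s2(stored)
    return "{PBKDF2}%d$%s$%s" % (ITERATIONS, ab64_encode(salt), ab64_encode(dk[:OPENLDAP_DK_LEN]))


def string_truncation_matches(stored: str) -> bool:
    """Would cutting the 43-character encoded key at 27 characters give the right answer?

    Only when the top two bits of key byte 21 are zero; otherwise the 27th
    character differs from the proper encoding of the first 20 bytes.
    """
    _, dk = parse_pkcs5s2(stored)
    return ab64_encode(dk)[:27] == ab64_encode(dk[:OPENLDAP_DK_LEN])


if __name__ == "__main__":
    atl = pkcs5s2_hash("hunter2")
    ldap = pkcs5s2_to_openldap(atl)
    print(atl)
    print(ldap)
    print("verify:", pkcs5s2_verify("hunter2", atl), openldap_verify("hunter2", ldap))
```

The converter never needs the plaintext, which is the point of migrating hashes rather than forcing resets; the verify functions are only there to prove that the converted value really authenticates the same password, and `string_truncation_matches` shows why the key must be shortened as bytes rather than as text.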

...