
Re: How To Hash passwords with SHA-1 in pam?



Richard,

Thanks for your reply, but actually I'd like to have passwords stored in a flat file (shadow) while using an ldap server as the central repository. This way ldap (or libnss-ldap) bugs, network issues, and server downtime wouldn't affect client authentication or mail delivery. Since SSHA-1 is the strongest hash openldap currently allows out of the box, I was hoping dumping to a flatfile or two would be as simple as configuring pam to allow it.

I'm considering using this module (http://confluence.atlassian.com/display/JIRAEXT/OpenLDAP+support+for+SHA-2+(SHA-256,+SHA-384,+SHA-512)+and+atlassian-sha1+passwords) to store SHA2 passwords in openldap - and SHA2 is supported by pam_unix.

-Chris

On Oct 25, 2008, at 11:38 AM, Richard A Nelson wrote:

On Sat, 25 Oct 2008, Chris Hiestand wrote:

Is there an out of the box solution to authenticate SHA-1 passwords via pam? And yes, I know SHA-1 is pretty much cryptographically broken, but I would still like to find support for it.

Move the user data to LDAP:

Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.

{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.

{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed.

{CRYPT} uses the crypt(3).

{CLEARTEXT} indicates that the new password should be added to userPassword as clear text.


--
Rick Nelson
C'mon! political protest! sheesh. Where's that anarchist spirit? ;-)
		-- Decklin Foster
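
An added example, not part of the original messages: a sketch of how a `{SHA}` or `{SSHA}` userPassword value is laid out and checked, and why only a `{CRYPT}` value can be copied into a shadow file, which holds crypt(3) strings. The function names are hypothetical and the sample password and seed are constructed.

```python
import base64
import binascii
import hashlib
import hmac

SHA1_LEN = 20  # SHA-1 digest size in bytes

def make_ssha(password: bytes, salt: bytes) -> str:
    """Build '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def parse_ldap_sha1(stored: str):
    """Split a {SHA}/{SSHA} value into (scheme, digest, salt); ValueError if malformed."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in ("SHA", "SSHA"):
        raise ValueError("not a SHA-1 scheme: " + scheme)
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("bad base64 payload") from exc
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    # {SHA} is exactly the digest; {SSHA} is the digest followed by a non-empty seed.
    if len(digest) != SHA1_LEN or bool(salt) != (scheme == "SSHA"):
        raise ValueError("wrong payload length for " + scheme)
    return scheme, digest, salt

def verify(stored: str, password: bytes) -> bool:
    """Recompute SHA1(password + seed) and compare in constant time."""
    try:
        _, digest, salt = parse_ldap_sha1(stored)
    except ValueError:
        return False
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def to_shadow_field(stored: str):
    """Only {CRYPT} values carry a crypt(3) string; return it, else None."""
    if stored.upper().startswith("{CRYPT}"):
        return stored[len("{CRYPT}"):]
    return None

if __name__ == "__main__":
    sample = make_ssha(b"s3cret", b"\x01\x02\x03\x04")  # constructed sample
    print(sample, verify(sample, b"s3cret"), to_shadow_field(sample))
```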

