How can I update a user's password by sending the SHA hash?


Jefferson Davis

Jan 25, 2016, 1:51:08 PM
to Google Apps Manager
When I attempt to do this I get an "Invalid Password" error from gam.py

./gam.py update user password {SHA}<base_64_encoded sha1 hash> sha

ERROR: 400: Invalid Password - invalidldapsearch

What am I doing wrong? Am I sending the hash in the wrong format?

Jay Lee

Jan 25, 2016, 2:27:18 PM
to Google Apps Manager
If you only have the SHA-1 hash of a user's password, use a command like:

gam update user m...@email.com password 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 sha1

to send the SHA-1 hash. However, if you have the raw password, just run:

gam update user m...@email.com password rawpassword

as GAM will then hash the raw password you input with the SHA-512 algorithm which is salted and more secure. The only way to get GAM to send the raw password (still over TLS so it's considered secure) is to run:

gam update user m...@email.com password rawpassword nohash

Jay

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/d1a05f71-6e22-424d-a6bc-2e21888efb81%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jefferson Davis

Jan 25, 2016, 4:44:17 PM
to Google Apps Manager
I found my error...

LDAP is where I'm getting the hash. It is stored as a base_64 encoded base_64 string, as I understand it. One has to decode the data as stored in LDAP, which then presents as a string with "{SHA}<base_64 string>". Next we have to strip the "{SHA}" from that, decode the remainder, and then convert that to a hexadecimal string.

At that point we can pass it using gam.py and it works. This may be more of an issue of documentation or clarity.

We grab the base64 string out of LDAP, run it through base64 -d, strip the "{SHA}" from the result, then base64 -d the rest and convert the result to hexadecimal using xxd -p


Jefferson Davis

Jan 27, 2016, 1:45:21 PM
to Google Apps Manager
This is probably somewhat redundant, but the big takeaway for our end was the determination that OpenLDAP (and probably other ldap directories) store the userPassword attribute as a double-encoded base64 string.  What google/gam.py wants is the fully decoded string in hexadecimal.

It takes the clear text password, sha1 encodes it, then concatenates the encoding method enclosed in curly braces "{SHA}" and the base64-encoded sha1 hash, and base64 encodes the result and stores it in the directory entry.

I have a bash one-liner that reads the attribute from ldap and returns the hex string, if you're at all interested.  If you're not, my feelings will not be injured ;)

-Jeff

--
Jefferson K Davis 
Director, Technology and Information Systems
Standard School District 
1200 North Chester Ave 
Bakersfield, CA 93308 
661.392.2110 ext 120 (office) 
http://district.standard.k12.ca.us 

"Proper Prior Planning Promotes Peak Performance"

Bri Hatch

Jan 27, 2016, 2:12:22 PM
to google-ap...@googlegroups.com


On Jan 27, 2016 10:45 AM, "Jefferson Davis" <jda...@standardschools.net> wrote:

> I have a bash one-liner that reads the attribute from ldap and returns the hex string, if you're at all interested.  If you're not, my feelings will not be injured ;)

Yes, please share! I was going to write something similar.

Mark Zottmann

Jan 27, 2016, 2:42:10 PM
to google-ap...@googlegroups.com
+1 on sharing


--
Mark Zottmann
Network Administrator
CCSD46


Jay Lee

Jan 27, 2016, 2:46:49 PM
to google-ap...@googlegroups.com
Can you share an example raw entry from LDAP? The easiest solution would probably be to just have GAM add an option like:

gam update user us...@example.com password <raw ldap sha> ldap-sha

which would tell GAM to perform the base64 decoding steps before sending the hash to Google.

Jay


Jefferson Davis

Jan 27, 2016, 4:09:01 PM
to Google Apps Manager
Ok, here ya go. What happens (left to right): pass the result of the grepped and sed-ed ldap search to base64 -d (to perform the first decoding), then strip {SHA}, base64 decode the result, and then use xxd -p to return a hexadecimal value that is palatable to google.

Note - there is no error checking in the event that the account is NOT SHA1 hashed. It would be "nice" if google was as flexible as my internal systems in terms of supported hashes...

echo -n $( ldapsearch -LLL -x "uid=<uid to search for>" userPassword -D <DN able to view the userPassword attribute> -w <password of said DN> | grep userPassword | sed 's/userPassword:: //' ) | base64 -d | sed 's/{SHA}//' | base64 -d | xxd -p

Jefferson Davis

Jan 27, 2016, 4:14:27 PM
to Google Apps Manager
That would be very cool... FWIW this started as the string "p@ssw0rd" in clear text

stored in LDAP as:  userPassword:: e1NIQX1WN0t0bVFSTk0zR1h3TU9mMDRJMWFQK0I1SW89
then decodes to: {SHA}V7KtmQRNM3GXwMOf04I1aP+B5Io=
the base64 string (minus {SHA}) is again decoded to: W��� M3q��ßӂ5h��
which then ends up as the following hex string: 57b2ad99044d337197c0c39fd3823568ff81e48a

Please let me know if you need more information.

-Jeff

Jefferson Davis

Jan 28, 2016, 12:31:12 PM
to Google Apps Manager
Here's a little bash script for ya

#!/bin/bash
# Read a user's {SHA} userPassword from LDAP and print the digest as hex for gam.

if [ -z "$1" ]
then
        echo ""
        echo "usage: sha_to_hex.sh <userid>"
        echo ""
        exit 1
fi

user="$1"
DN="cn=manager,dc=standard,dc=k12,dc=ca,dc=us"
pwdfile="/opt/GAM/ldap" # Note this file cannot have any newline chars in it.
echo -n "Checking $user... "
# "userPassword:: " (double colon) means the LDIF value is base64 encoded. Decode it,
# strip the {SHA} scheme prefix, decode the inner base64 and print the raw digest as hex.
hashed_result=$( echo -n $( ldapsearch -LLL -x "uid=$user" userPassword -D "$DN" -y "$pwdfile" | grep userPassword | sed 's/userPassword:: //' ) | base64 -d | sed 's/{SHA}//' | base64 -d | xxd -p )

echo "$hashed_result"
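The same decoding steps the thread walks through (outer base64 of the LDIF value, strip {SHA}, inner base64, hex), as an added Python example that is not part of the original posts or of GAM. It reuses the userPassword value Jeff posted, adds the "not SHA-1" check his one-liner lacks, and unfolds LDIF continuation lines; the jdoe entry and e-mail address are constructed.

```python
import base64
import re

# Constructed LDIF sample using the value posted in the thread. The "::" after the
# attribute name marks a base64-encoded value, and the line is folded the way LDIF
# folds long values (continuation lines start with one space) to show that case.
SAMPLE_LDIF = (
    "dn: uid=jdoe,ou=people,dc=example,dc=com\n"
    "userPassword:: e1NIQX1WN0t0bVFSTk0zR1h3\n"
    " TU9mMDRJMWFQK0I1SW89\n"
)


def ldif_attribute(ldif: str, name: str) -> str:
    """Return the value of `name` from LDIF text, unfolding continuation lines."""
    unfolded = re.sub(r"\n ", "", ldif)
    for line in unfolded.splitlines():
        if line.startswith(name + ":: "):          # base64-encoded value
            return base64.b64decode(line[len(name) + 3:]).decode("utf-8")
        if line.startswith(name + ": "):           # plain value
            return line[len(name) + 2:]
    raise KeyError(f"{name} not present in LDIF entry")


def userpassword_to_hex(value: str) -> str:
    """Turn an RFC 2307 '{SHA}base64' userPassword into the hex digest gam expects.

    Raises ValueError for cleartext or non-SHA schemes (e.g. {SSHA}, {CRYPT}),
    which the thread's one-liner would silently mangle.
    """
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.+)", value)
    if m is None:
        raise ValueError("userPassword is not in {SCHEME}base64 form (cleartext?)")
    scheme, b64digest = m.group(1).upper(), m.group(2)
    if scheme != "SHA":
        raise ValueError(f"unsupported scheme {{{scheme}}}: only plain SHA-1 maps to 'sha1'")
    digest = base64.b64decode(b64digest)
    if len(digest) != 20:                          # SHA-1 digests are 20 bytes
        raise ValueError(f"SHA digest has {len(digest)} bytes, expected 20")
    return digest.hex()


def gam_command(user_email: str, ldif: str) -> str:
    """Build the 'gam update user ... password <hex> sha1' line for an LDIF entry."""
    hex_digest = userpassword_to_hex(ldif_attribute(ldif, "userPassword"))
    return f"gam update user {user_email} password {hex_digest} sha1"


if __name__ == "__main__":
    print(gam_command("jdoe@example.com", SAMPLE_LDIF))
```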
