[sork] passwd and md5 in CVS HEAD

Amith Varghese amith at xalan.com
Tue Dec 17 08:52:51 PST 2002


> > So, I'll put this up for comments again.  My particular concern is that
> > maybe MySQL needs the php md5() whereas ldap wants the other method.  If
> > so, we can simply code it differently for each backend.
> 
> MySQL doesn't do md5() passwords; anything that MySQL itself wants is going
> to be using mysql's password() function. Horde uses the PHP md5() method.
> However, if you were using, say, pam_mysql, you'd probably want the mhash
> method. Anything OS-based is going to want the mhash method. So, IMHO, it
> should be the default.

I apologize, but when Mike made the last change to passwd, I didn't have time to
upgrade my version of HEAD and test this out.  I slacked a bit on this, sorry. 
I was meaning to try and get it to work but things got a little hectic.

Anyway, I think we have to look at how passwords are normally stored.  I went
ahead and asked what was the difference between the mhash method of md5 hashing
and PHP's on the mhash-devel list.  The response I got was the following:

bin2hex(mhash(MHASH_MD5, 'a')) == md5('a')

Basically PHP's md5 uses a hex encoding of the binary data from the hash. 
OpenLDAP apparently uses base64 encoding.  Base64 is desirable because it creates
4 bytes of output for every three as opposed to hex encoding which produces 2
bytes of output for every one.

However I guess the question is what is the standard.  Apparently there are no
RFCs saying which is preferable, even though searching through countless google
hits I found that people tend to use base64 encoding more than hex encoding when
dealing with passwords.  However, I think the "definition" of what md5 passwords are
is definitely variable at best.  The way that OSs use md5 hashing is different
from one another.  I think it can go either way with what is used as the
"default definition" of md5 hashing.  I almost think it might be better to
remove the existing md5 hash type and add two new hashing type/methods called
"md5-hex" and "md5-base64" so people will understand the differences that exist
rather than saying "md5 hashing doesn't work for me".

Another possibility is that we could add a new parameter in backends.php so
people can specify what type of encoding they want to use.  And perhaps if none
is specified we could default it to base64 (which is the encoding used currently
for SHA, SSHA, and SMD5)

Now that I've bored everyone to death, I'd be willing to fix this... just need a
little input from you guys.

Thanks
Amith
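Added example, not code from this thread or from Horde's passwd module: the hex and base64 encodings of the same MD5 digest discussed above, plus the OpenLDAP-style {MD5} and {SMD5} layouts that use base64. It assumes PHP's hash() in place of mhash(); the md5_hex(), md5_base64(), smd5() and verify() helpers are my own names.

```php
<?php
// Added example (not Horde/passwd code). hash('md5', ..., true) returns the raw
// 16 digest bytes, the same thing mhash(MHASH_MD5, ...) returned; mhash() is
// deprecated in current PHP, so hash() is used throughout.

// PHP-style: 32 hex characters, which is what md5() returns by default.
function md5_hex(string $plain): string {
    return md5($plain);
}

// OpenLDAP-style: base64 of the 16 raw digest bytes, with the {MD5} scheme tag.
function md5_base64(string $plain): string {
    return '{MD5}' . base64_encode(hash('md5', $plain, true));
}

// Salted form using the {SMD5} layout OpenLDAP uses: base64(digest . salt),
// where digest = md5(plain . salt). A random 4-byte salt is made when none is given.
function smd5(string $plain, ?string $salt = null): string {
    $salt = $salt ?? random_bytes(4);
    return '{SMD5}' . base64_encode(hash('md5', $plain . $salt, true) . $salt);
}

// Verify a stored value in any of the three layouts; for {SMD5} the salt is
// recovered from whatever follows the 16 digest bytes in the decoded blob.
function verify(string $plain, string $stored): bool {
    if (substr($stored, 0, 6) === '{SMD5}') {
        $blob = base64_decode(substr($stored, 6), true);
        if ($blob === false || strlen($blob) <= 16) {
            return false;
        }
        $salt = substr($blob, 16);
        return hash_equals(substr($blob, 0, 16), hash('md5', $plain . $salt, true));
    }
    if (substr($stored, 0, 5) === '{MD5}') {
        return hash_equals($stored, md5_base64($plain));
    }
    return hash_equals($stored, md5_hex($plain));   // bare 32-character hex
}

// The identity quoted from the mhash-devel list: one digest, two encodings.
$raw = hash('md5', 'a', true);
var_dump(bin2hex($raw) === md5('a'));
printf("hex    : %s (%d chars)\n", md5_hex('a'), strlen(md5_hex('a')));
printf("base64 : %s (%d chars after the tag)\n", md5_base64('a'), strlen(md5_base64('a')) - 5);

// The same password verifies against every stored form; a wrong one does not.
$stored = smd5('a', 'salt');   // constructed fixed salt so the output is repeatable
var_dump(verify('a', md5_hex('a')), verify('a', md5_base64('a')), verify('a', $stored));
var_dump(verify('b', $stored));
```

Storing both tags side by side, as the "md5-hex" / "md5-base64" split suggested above would do, lets a backend be explicit about which layout it expects instead of silently failing to match.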

