Version 0 of ssha

Updated 2019-02-01 22:27:24 by LEG

ssha, or salted SHA, is a password hashing method used for LDAP password storage; see the OpenLDAP Faq-O-Matic page for details.

To create an LDAP SSHA password entry in Tcl do something along the following lines:

package require sha1
proc ldapPasswordStringSSHA clear {
    # return ldap password string from clear, generated with SSHA:
    # "{SSHA}" followed by base64( SHA1(clear || salt) || salt )

    set salt [getSalt 4]
    # hash the UTF-8 bytes of the password followed by the raw salt bytes
    set salted [sha1::sha1 -bin [encoding convertto utf-8 $clear]$salt]
    return "{SSHA}[binary encode base64 ${salted}${salt}]"
}
proc getSalt n {
    # return n random bytes read from /dev/random

    # open in binary mode ("rb") so that neither newline translation nor
    # character-set decoding mangles the random bytes
    set fd [open /dev/random rb]
    set salt [read $fd $n]
    close $fd
    return $salt
}

Notes:

  • This example requires Tcllib (for the sha1 package) to be installed
  • base64 encoding is done with binary encode base64, a Tcl 8.6 feature - see base64 for alternatives on older Tcl versions
  • /dev/random is a magic file on *nix-like operating systems, yielding random bytes when read. Replace with any suitable source of cryptographically strong randomness.
  • OpenLDAP claims that SSHA is defined in RFC 3112, but I could not confirm that. Only SHA is mentioned there.
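The Tcl procedure above only produces {SSHA} values; to check a clear-text password against a stored value the salt has to be recovered from the stored blob (the SHA-1 digest is always 20 bytes, everything after it is the salt). The following Python, added here and not part of this wiki page or of OpenLDAP, shows both directions; the names make_ssha and verify_ssha are my own.

```python
import base64
import hashlib
import hmac
import os

SHA1_DIGEST_LEN = 20  # SHA-1 always yields 20 bytes; whatever follows is the salt


def make_ssha(password, salt=b"", salt_len=4):
    """Build an LDAP password value: '{SSHA}' + base64(SHA1(pw || salt) || salt)."""
    if not salt:
        salt = os.urandom(salt_len)  # CSPRNG; unlike /dev/random it never blocks
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, entry):
    """Check a clear-text password against a stored {SSHA} value.

    The salt length need not be known in advance: the stored blob carries
    the salt after the fixed-size digest. Malformed entries verify as False.
    """
    if not entry.startswith("{SSHA}"):
        return False
    try:
        blob = base64.b64decode(entry[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(blob) <= SHA1_DIGEST_LEN:
        return False  # no room for a digest plus at least one salt byte
    stored_digest, salt = blob[:SHA1_DIGEST_LEN], blob[SHA1_DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time compare so the check does not leak how many bytes matched
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    entry = make_ssha("correct horse")           # constructed sample password
    print(entry, verify_ssha("correct horse", entry), verify_ssha("wrong", entry))
```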