
Use sha256 for password file authentication

jlucid
Contributor

Currently I am using the -u flag on startup to authenticate users, where the password file contains the sha1 hash of their plain text passwords, the sha1 being generated using -33!.

Is it possible to switch out the sha1 for a sha256 algorithm instead, given that I have loaded a sha256 function from a shared library?

 

 

1 ACCEPTED SOLUTION

davidcrossey
Moderator

I don't believe sha256 is supported with -u/-U, however you could instead perhaps use .z.pw to carry out custom validation to the effect of:

  1. Read your user:sha256 file in the callback when a connection attempt is made
  2. Convert the plain text password from the user to sha256
  3. Validate the user with 1b (success) or 0b (failure)

References:

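The three steps in the answer above, written out in q as an added example (not code from the thread or from KX). Assumptions: `sha256` is bound from a hypothetical shared library `cryptolib` and returns a hex string for a char vector, and the constructed password file `users.sha256` holds one `user:hexdigest` line per user.

```q
/ Hypothetical binding: library name, export name and return type (hex string)
/ are assumptions standing in for the poster's own sha256 function.
sha256:`cryptolib 2:(`sha256;1)

/ Constructed file name; each line has the form user:hexdigest
PWFILE:`:users.sha256

/ Step 1: parse the file into a dictionary of symbol -> lowercase hex digest
loadUsers:{[f]
  l:read0 f;
  l:l where 0<count each l;        / skip blank lines
  p:":" vs/: l;                    / split each line on the colon
  (`$p[;0])!lower p[;1]}

/ .z.pw receives the user as a symbol and the password as a string,
/ and must return 1b to accept the connection or 0b to reject it.
.z.pw:{[u;p]
  / fail closed: an unreadable file yields an empty user table
  users:@[loadUsers;PWFILE;{[e] ()!()}];
  / Step 2: hash the supplied password, also for unknown users,
  / so both paths do the same work; a hashing error yields ""
  h:@[{lower sha256 x};p;{[e] ""}];
  / Step 3: accept only a known user with a non-empty, matching digest
  $[u in key users; (0<count h) and h~users u; 0b]}
```

Load the script at startup in place of `-u`; because the file is re-read on every connection attempt, edits to it take effect without a restart.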

2 REPLIES

Thanks David, yes I was thinking the same, using .z.pw to basically do what I imagine -u is doing under the hood. I just didn't want to be writing the logic for comparing the user's plain text password. Currently with -u, it has the advantage that the logic which does that comparison is inaccessible, so it's a bit more secure. But if there is no way to overwrite the -33! then defining a .z.pw is the only way to go.