Use Base64.strict_encode64 and SSHA256 #303
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Base64.encode64 adds \n every 60 encoded chars. This was originally an encoding mechanism for sending binary content in e-mail, where the line length is limited. For passwords we dont want this. cf https://stackoverflow.com/questions/2620975/strange-n-in-base64-encoded-string-in-ruby
|
maybe this is like the pull #201 |
|
Is there any movement to get this added (or to get #201 added)? Only having support for ssha password creation is starting to be a blocker for our org as our security team is now requiring stronger passwords in our LDAP env. Our openLDAP deployment supports all the way up to ssha512, but we are unable to use the net-ldap gem to set passwords with this level of encryption. |
HarlemSquirrel
approved these changes
Jul 9, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
in the default ruby implementation :
Base64:encode64,\nis inserted every 60 encoded characters. It is legal according to the RFC 2045 and was done for sending binary content in e-mail, where the line length is limited.cf https://stackoverflow.com/questions/38370512/stub-random-value-in-rspec-with-secure-random
When we are using only ruby it works fine. If you are using another stack (like Spring security in java), it often uses the RFC 4648 that does not allow non ascii characters.
We cannot see it with SSHA (or others algorithms in ruby-ldap) as the salt + the hash is less than 60 chars. But if we implement longer hashes like SSHA256, there are
\nthat are inserted.With strict_encode64 we don't need to chomp.