Commit 1325dff1 authored by ale

Add documentation on the encoding of password fields

parent 66ca475f
Pipeline #4510 passed with stages in 1 minute and 59 seconds
......@@ -160,8 +160,10 @@ user, with the following attributes:
* `name` is the username
* `email` is the email associated with the user (optional)
* `password` stores the encrypted password
* `password` stores the encrypted password, see *Password Encoding*
below for details on the supported algorithms etc.
* `totp_secret` stores the *unencrypted* TOTP secret seed
(base32-encoded)
* `u2f_registrations` is a list of U2F registrations with `key_handle`
and `public_key` attributes, in the format used by *pamu2fcfg* (for
convenience)
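Review bot: The new `password` bullet refers the reader to a section named *Password Encoding*, but the heading introduced later in this same commit is spelled "Password encoding" (lowercase e); use one spelling in both places so the cross-reference is unambiguous. While touching this list, the `totp_secret` bullet states the seed is stored *unencrypted* immediately below a `password` bullet that now points at a hashing section; one clause explaining why the TOTP seed must stay recoverable (the server has to regenerate the code) would stop readers from filing this as an inconsistency.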
......@@ -209,8 +211,10 @@ LDAP attributes). The following attribute names are defined:
* `password` contains the encrypted password. Since this attribute is
often also used for authentication of the LDAP protocol itself, an
eventual `{crypt}` prefix is ignored. Passwords should be encrypted.
* `otp_secret` should contain the hex-encoded TOTP secret
eventual `{crypt}` prefix is ignored. Passwords should be encrypted,
see *Password Encoding* below for details on the supported
algorithms etc.
* `otp_secret` should contain the base32-encoded TOTP secret
* `app_specific_password` (possibly repeated) contains an encrypted
app-specific password
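Review bot: "an eventual `{crypt}` prefix is ignored" reads as the Italian *eventuale*; in English this should be "any `{crypt}` prefix is ignored" (or "stripped", if that is what happens). The same bullet says "Passwords should be encrypted" while the section it now links to describes hashing algorithms (crypt, scrypt, Argon2); say "hashed" here to match. The `app_specific_password` bullet also says "encrypted" and does not state whether the same *Password Encoding* format applies to it; add the cross-reference there as well so both fields are documented consistently.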
......@@ -409,3 +413,28 @@ Responses will contain the following attributes:
* `email`: email of this user
* `groups`: groups the user is a member of.
### Password encoding
Multiple password hashing algorithms are supported. The format is the
well-known dollar-separated field string, extended with optional
algorithm-specific parameters:
```
$id[$params...]$salt$encrypted
```
where the optional *params* field is itself a dollar-separated list of
integers.
All *id* values understood by the libc *crypt(3)* function are
supported, as well as a few more custom algorithms:
* Scrypt (id `$s$`), in which case the parameters are *N*, *R* and
*P*.
* Argon2 (id `$a2$`), with parameters *time*, *memory* and
*threads*.
Check the documentation for these algorithms for an explanation of the
meaning of the parameters. Each algorithm has different requirements
for the salt.
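Review bot: The closing sentence "Each algorithm has different requirements for the salt" is exactly what this new section needs to spell out: for the custom ids `$s$` and `$a2$` state the salt encoding and length and the encoding of the final field (the format string calls it `encrypted`, but it is a hash output), otherwise nobody can generate a valid entry by hand. Two further gaps in the same hunk: the Argon2 bullet does not say which variant `$a2$` denotes (argon2i, argon2d or argon2id, which are not interchangeable), and since the format line marks *params* as optional, the text should say whether `$s$` and `$a2$` have defaults when the three integers are omitted or whether the params are mandatory for those ids. A worked example string for each supported id under the format block, e.g. one `$s$N$R$P$salt$hash` and one `$a2$time$memory$threads$salt$hash`, would make the field order concrete. Finally, the heading "Password encoding" should match the "*Password Encoding*" references added in the earlier hunks.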