How is KWF building SHA-hashes? (Want to import users with PHP-script, how to build SHA-hash?)
  •  
SebiF

Hi.

I would like to import a user database regularly by a planned task into Kerio Winroute Firewall.
I've found out that UserDB.cfg contains XML-like structured user information. It is no problem to imitate this by an import script.
However, Kerio builds up SHA-hashes which seem to be salted. I would need the salt algorithm and the salt, which is used, to succeed.

The second problem is that if I copy an existing user in this file and rename him (and change his UUID somehow), he is also not able to log in, however KWF displays him in the user list. My only explanation would be that Kerio uses some part of the user name or UUID to salt the password hash.

Thanks in advance.
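
SebiF's copy-and-rename observation, as an added example that is not part of the original post and is not Kerio's algorithm (the thread never discloses it): two hypothetical salting schemes, one deriving the salt from the user name and one storing a random salt beside the digest, and how a copied hash behaves under each. All function names and record formats are assumptions.

```python
import hashlib
import hmac
import os

# Hypothetical schemes for illustration only; Kerio's real algorithm and the
# UserDB.cfg field layout are not given in the thread. SHA-1 appears here only
# because the thread names it.

def hash_identity_salted(username, password):
    """Scheme A (assumed): the salt is derived from the account name."""
    salt = username.lower().encode("utf-8")
    digest = hashlib.sha1(salt + b":" + password.encode("utf-8")).hexdigest()
    return "SHA:" + digest

def hash_random_salted(password, salt=None):
    """Scheme B (assumed): a random salt is stored next to the digest."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return "SHA:" + salt.hex() + "$" + digest

def verify_identity_salted(username, password, stored):
    # Recompute with the name presented at login and compare in constant time.
    return hmac.compare_digest(hash_identity_salted(username, password), stored)

def verify_random_salted(password, stored):
    # The salt travels with the record, so the user name plays no part.
    salt_hex, _ = stored[len("SHA:"):].split("$", 1)
    recomputed = hash_random_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)

def copy_and_rename_test():
    """Copy alice's stored hash into a record renamed to bob, then log in."""
    pw = "constructed-sample-password"  # constructed sample value
    record_a = hash_identity_salted("alice", pw)
    record_b = hash_random_salted(pw)
    return {
        "identity_salted_original": verify_identity_salted("alice", pw, record_a),
        "identity_salted_renamed": verify_identity_salted("bob", pw, record_a),
        "random_salted_renamed": verify_random_salted(pw, record_b),
    }

if __name__ == "__main__":
    for case, ok in copy_and_rename_test().items():
        print(f"{case}: login {'succeeds' if ok else 'fails'}")
```

A copied record that stops working after a rename is consistent with scheme A, while under scheme B the copy would still authenticate.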
  •  
Lenif

Same for me ... no import of user list possible, so do like me, install another firewall ... Kerio loses a lot of customers with this situation ...

Lenif
  •  
ICT and Me

Of course not. Come on guys. It's a security risk to tell us (users and resellers) how the SHA hashes work.
The only right solution is that Kerio makes it possible to bulk import through a .csv or .txt file with the right information. And where Control can convert the plain password to a SHA password.

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
  •  
Jan Jezek (Kerio)

If that's what you want, you can put 'NUL:' instead of 'SHA:' and store the passwords in plaintext.

Jan Jezek
Product Development Manager - Kerio Control
Kerio Technologies
  •  
ICT and Me

@ Jan,

Don't get me wrong. I don't have a problem. I'd rather use SHA and type the users in by hand. No problem with that.
And most of the time I use Control combined with ADS. So why should I worry. Import or connected to ADS with Control works super.

But I say: whoever wants to use SHA, use it within Control.
Otherwise the SHA security isn't secure anymore. Leave the algorithm of the SHA with you guys (Kerio). Or put in a request to make a tool that can convert/import .csv / .txt into Control with SHA. But not asking for the algorithm. bbbrrr.

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
  •  
SebiF

As I see it, SHA1 is a standard which shouldn't be changed, so that everything stays compatible.
Of course, hashes can be salted, and this is what Kerio does in its database. The problem I see is, that I cannot say which salt Kerio has to take. If I could, I could write an algorithm for importing my users.
That wouldn't impact security more than giving users the chance to import csv.
The admin himself should be able to decide and not to be forced to use Active Directory.

Edit: Nice that this quite old topic now gets attention :). The problem isn't solved by now.

[Updated on: Tue, 23 November 2010 18:46]

  •  
Lenif

ictandme wrote on Tue, 23 November 2010 16:15
Of course not. Come on guys. It's a security risk to tell us (users and resellers) how the SHA hashes work.
The only right solution is that Kerio makes it possible to bulk import through a .csv or .txt file with the right information. And where Control can convert the plain password to a SHA password.

100% agree with you, but not accepting import of a csv list into the admin console is not a good idea! Maybe some Kerio developers can provide a small tool to import csv?
I want to use a list exported from another application and we don't use Active Directory for all users ...

Jan Jezek wrote on Tue, 23 November 2010 17:43
If that's what you want, you can put 'NUL:' instead of 'SHA:' and store the passwords in plaintext.

I didn't know that we could do that, so thanks, I will try it!

Lenif
  •  
Lenif

I did some tests and now I can manually add users by adding a clear password with NUL: instead of SHA:

One remaining problem is generating a UUID ... I am developing a little tool to add users from an xls file ... If it works correctly, I'll post it ... thanks

[Updated on: Wed, 01 December 2010 09:36]


Lenif
  •  
Lenif

I finished my tool and have used it easily to add a lot of users to my WinRoute test installation ...

I post it here:
http://rapidshare.com/files/448230896/KerioImport.zip

[Updated on: Wed, 16 February 2011 12:56]


Lenif
  •  
iPod

Is the above Rapidshare link working?
  •  
Lenif

Yes for me, use copy-paste to open it in your browser

Lenif