NAME

Authen::Passphrase - hashed passwords/passphrases as objects

SYNOPSIS

use Authen::Passphrase;

$ppr = Authen::Passphrase->from_crypt($passwd);
$ppr = Authen::Passphrase->from_rfc2307($userPassword);

if($ppr->match($passphrase)) { ...

$passphrase = $ppr->passphrase;

$crypt = $ppr->as_crypt;
$userPassword = $ppr->as_rfc2307;

DESCRIPTION

This is the base class for a system of objects that encapsulate passphrases. An object of this type is a passphrase recogniser: its job is to recognise whether an offered passphrase is the right one. For security, such passphrase recognisers usually do not themselves know the passphrase they are looking for; they can merely recognise it when they see it. There are many schemes in use to achieve this effect, and the intent of this class is to provide a consistent interface to them all, hiding the details.

The CPAN package Authen::Passphrase contains implementations of several specific passphrase schemes in addition to the base class.

PASSPHRASE ENCODINGS

Because hashed passphrases frequently need to be stored, various encodings of them have been devised. This class has constructors and methods to support these.

crypt encoding

The Unix crypt() function, which performs passphrase hashing, returns hashes in a textual format intended to be stored in a text file. In particular, such hashes are stored in /etc/passwd (and now /etc/shadow) to control access to Unix user accounts.

For historical reasons, there are several different syntaxes used in this format. The original DES-based password scheme represents its hashes simply as a string of thirteen base 64 digits. An extended variant of this scheme uses nineteen base 64 digits, preceded by an "_" marker. A more general syntax was developed later, which starts the string with "$", a numerical scheme identifier, and another "$".

In addition to actual passphrase hashes, the crypt format can also represent a couple of special cases. The empty string indicates that there is no access control; it is possible to login without giving a passphrase. Finally, any string that is not a possible output of crypt() may be used to prevent login completely; "*" is the usual choice, but other strings are used too.

crypt strings are intended to be used in text files that use colon and newline characters as delimiters. This module treats the crypt string syntax as being limited to ASCII printable characters excluding colon.

The crypt encoding is a poor choice for general encoding of passphrase hashes. It should be used only where required for compatibility.

RFC 2307 encoding

RFC 2307 describes an encoding system for passphrase hashes, to be used in the "userPassword" attribute in LDAP databases. It encodes hashes as ASCII text, and supports several passphrase schemes in an extensible way by starting the encoding with an alphanumeric scheme identifier enclosed in braces. There are several standard scheme identifiers. The "{CRYPT}" scheme allows the use of any crypt encoding.

The RFC 2307 encoding is a good one, and is recommended for storage and exchange of passphrase hashes.

CONSTRUCTORS

Authen::Passphrase->from_crypt(PASSWD)

Returns a passphrase recogniser object matching the supplied crypt encoding.

In the formats below, "b" represents a base 64 digit, "h" represents a hexadecimal digit, and "d" represents a decimal digit. The following formats are understood:

"bbbbbbbbbbbbb": The original DES-based Unix password hash scheme. See Authen::Passphrase::DESCrypt.
"_bbbbbbbbbbbbbbbbbbb": Extended DES-based passphrase hash scheme from BSDi. See Authen::Passphrase::DESCrypt.
"$1$salt$bbbbbbbbbbbbbbbbbbbbbb": A baroque passphrase scheme based on MD5, originating in BSD. See Authen::Passphrase::MD5Crypt.
"$2$dd$bbb...(53)...bbb"
"$2a$dd$bbb...(53)...bbb": Two versions of a passphrase scheme based on Blowfish, originating in BSD. Unimplemented at the time of writing, but if the Authen::Passphrase::BlowfishCrypt module exists at runtime then you might be in luck.
"$3$$hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh": The NT-Hash scheme, which stores the MD4 hash of the passphrase expressed in Unicode. See Authen::Passphrase::NTHash.
"": Accept any passphrase. See Authen::Passphrase::AcceptAll.
"*": To handle historical practice, anything non-empty but shorter than 13 characters is treated as deliberately rejecting all passphrases. (See Authen::Passphrase::RejectAll.) Anything 13 characters or longer that is not recognised as a hash is treated as an error.

Authen::Passphrase->from_rfc2307(USERPASSWORD)

Returns a passphrase recogniser object matching the supplied RFC 2307 encoding. Known schemes:

{CLEARTEXT}: Passphrase stored in cleartext. See Authen::Passphrase::Clear.
{CRYPT}: Any crypt encoding.
{MD5}: The MD5 digest of the passphrase is stored. See Authen::Passphrase::SaltedDigest.
{SHA}: The SHA-1 digest of the passphrase is stored. See Authen::Passphrase::SaltedDigest.
{SMD5}: The MD5 digest of the passphrase plus a salt is stored. See Authen::Passphrase::SaltedDigest.
{SSHA}: The SHA-1 digest of the passphrase plus a salt is stored. See Authen::Passphrase::SaltedDigest.

METHODS

$ppr->match(PASSPHRASE): Checks whether the supplied passphrase is correct. Returns a boolean.
$ppr->passphrase: If a matching passphrase can be easily determined by the passphrase recogniser then this method will return it. This is only feasible for very weak passphrase schemes. The method dies if it is infeasible.
$ppr->as_crypt: Encodes the passphrase recogniser in crypt format and returns the encoded result. dies if the passphrase recogniser cannot be represented in this form.
$ppr->as_rfc2307: Encodes the passphrase recogniser in RFC 2307 format and returns the encoded result. dies if the passphrase recogniser cannot be represented in this form.

SUBCLASSING

This class is designed to be subclassed, and cannot be instantiated alone. Any subclass must implement the match method. That is the minimum required.

Subclasses should implement the as_crypt and as_rfc2307 methods wherever possible, with the following exception. If a passphrase scheme has a crypt encoding but no native RFC 2307 encoding, so it can be RFC 2307 encoded only by using the "{CRYPT}" scheme, then as_rfc2307 should not be implemented by the class. There is a default implementation of the as_rfc_2307 method that uses "{CRYPT}" automatically for passphrase schemes that do not have a native RFC 2307 encoding.

Implementation of the passphrase method is entirely optional. It should be attempted only for schemes that are so ludicrously weak as to allow passphrases to be cracked reliably in a short time. Dictionary attacks are not appropriate implementations.

AUTHOR

Andrew Main (Zefram) <zefram@fysh.org>

COPYRIGHT

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

To install Authen::Passphrase, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Authen::Passphrase

CPAN shell

perl -MCPAN -e shell
install Authen::Passphrase

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)