
I have inherited a number of EC2 instances with Centos that authenticate users against AWS Directory Service through LDAP. Now I need to run some manual queries with ldapsearch using the same account to debug some authentication problems. However the password is encrypted in the config, like this:

[sssd]
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
cache_credentials = True

ldap_schema = AD
ldap_uri = ldaps://...
ldap_search_base = ...
ldap_default_bind_dn = ...
ldap_default_authtok = AAAQAB3QDeZ7+...cBSpT0ZABu4AAQID
ldap_default_authtok_type = obfuscated_password

Is there any way to decrypt / de-obfuscate the ldap_default_authtok? I don't want to change it in AD because it's being used on many servers.

KeepLearning

3 Answers


I happened to write a small script that decrypts these passwords about a year ago.

Interestingly the SSS developers went to great lengths with the obfuscation algorithm, using AES-256 for example, yet in the end it's still easily decipherable because they bundle the randomly generated encryption key in the encoded string. Weird.

I put it on GitHub for you: https://github.com/mludvig/sss_deobfuscate

Usage is simple:

$ ./sss_deobfuscate AAAQABagVAjf9KgUyIxTw3A+HUfbig7N1+L0qtY4xAULt2GYHFc1B3CBWGAE9ArooklBkpxQtROiyCGDQH+VzLHYmiIAAQID
Decoded password: Passw0rd

Hope that helps :)

MLu
  • I created a python package (library and cli) that solves this task and added answer below with additional details. https://github.com/jteppinette/python-sssd-ldap-auth – Joshua Taylor Eppinette Mar 30 '22 at 19:03
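A stand-alone Python decoder for this token format, added here as an example; it is not MLu's script, not SSSD's code and not the sssdldapauth package. It makes the point of the answer concrete: the base64 string carries a two-byte method, a two-byte ciphertext length, the 32-byte AES-256 key, the 16-byte CBC IV, the ciphertext and a four-byte sentinel, so anyone holding the token holds the key. The little-endian header, the sentinel bytes and the zero padding used by the companion obfuscate() are my reading of sss_obfuscate and are marked as assumptions in the code; deobfuscate() tolerates either zero or PKCS#7 padding because it cuts at the first NUL. It needs either the cryptography package or pycryptodome for AES-CBC, and the one real token it decodes is the one from MLu's usage example above.

```python
"""Decode (and, for testing, produce) SSSD 'obfuscated_password' tokens.

Layout of the base64-decoded token, as read from sssd's sss_obfuscate code
(header byte order, sentinel value and padding are assumptions of this example):

  method (u16) | ct_len (u16) | key (32 B) | iv (16 B) | ciphertext | sentinel (4 B)

The AES key and IV travel inside the token, so decoding needs no secret.
Requires the 'cryptography' package or pycryptodome for AES-256-CBC.
"""
import base64
import os
import struct

AES_256 = 0                         # obfmethod enum: AES_256 is its first member (assumed 0)
KEY_LEN = 32                        # AES-256 key length
BLOCK_LEN = 16                      # AES block size, also the CBC IV length
SENTINEL = b"\x00\x01\x02\x03"      # trailer written after the ciphertext (assumed)
HEADER = struct.Struct("<HH")       # method, ciphertext length; little-endian assumed (x86 native)

# Token from MLu's usage example above; MLu's script reports it as "Passw0rd".
MLU_EXAMPLE_TOKEN = (
    "AAAQABagVAjf9KgUyIxTw3A+HUfbig7N1+L0qtY4xAULt2GYHFc1B3CBWGAE9Arookl"
    "BkpxQtROiyCGDQH+VzLHYmiIAAQID"
)


def _aes_cbc(key, iv, data, encrypt):
    """Raw AES-CBC with no padding layer, using whichever AES library is installed."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        ctx = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = ctx.encryptor() if encrypt else ctx.decryptor()
        return op.update(data) + op.finalize()
    except ImportError:
        from Crypto.Cipher import AES  # pycryptodome fallback
        cipher = AES.new(key, AES.MODE_CBC, iv)
        return cipher.encrypt(data) if encrypt else cipher.decrypt(data)


def parse_token(token):
    """Split an obfuscated_password value into its fields, checking the framing first."""
    blob = base64.b64decode(token)
    fixed = HEADER.size + KEY_LEN + BLOCK_LEN + len(SENTINEL)
    if len(blob) < fixed:
        raise ValueError("token too short to hold header, key, IV and sentinel")
    method, ct_len = HEADER.unpack_from(blob, 0)
    if method != AES_256:
        raise ValueError("unsupported obfuscation method %d" % method)
    if ct_len == 0 or ct_len % BLOCK_LEN or len(blob) != fixed + ct_len:
        raise ValueError("ciphertext length %d does not match token size" % ct_len)
    p = HEADER.size
    key = blob[p:p + KEY_LEN]
    p += KEY_LEN
    iv = blob[p:p + BLOCK_LEN]
    p += BLOCK_LEN
    ct = blob[p:p + ct_len]
    p += ct_len
    if blob[p:] != SENTINEL:
        raise ValueError("missing sentinel; token is corrupt or truncated")
    return {"method": method, "key": key, "iv": iv, "ciphertext": ct}


def deobfuscate(token):
    """Recover the clear-text password: the key and IV are right there in the token."""
    fields = parse_token(token)
    plain = _aes_cbc(fields["key"], fields["iv"], fields["ciphertext"], encrypt=False)
    # The C side encrypts the NUL-terminated string; anything after the first NUL is padding.
    return plain.split(b"\x00", 1)[0].decode("utf-8")


def obfuscate(password):
    """Build a token in the same layout with a fresh random key and IV.

    Zero-padding the NUL-terminated plaintext up to a block boundary is an
    assumption of this example; deobfuscate() accepts zero or PKCS#7 padding."""
    plain = password.encode("utf-8") + b"\x00"
    ct_len = len(plain) + BLOCK_LEN - len(plain) % BLOCK_LEN
    plain = plain.ljust(ct_len, b"\x00")
    key, iv = os.urandom(KEY_LEN), os.urandom(BLOCK_LEN)
    ct = _aes_cbc(key, iv, plain, encrypt=True)
    blob = HEADER.pack(AES_256, ct_len) + key + iv + ct + SENTINEL
    return base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    import sys
    for tok in sys.argv[1:] or [MLU_EXAMPLE_TOKEN]:
        print("Decoded password:", deobfuscate(tok))
```

Run it with the ldap_default_authtok value from sssd.conf as the argument. The framing checks matter in practice: a value copied with a trailing character missing, or one produced by a different method number, fails loudly instead of returning garbage from AES.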

@MLu's answer will get the job done but I'll add some commentary.

It's a shame the devs called the methods encrypt() and decrypt() since they do no such thing.

If you look at the source for the python module (src/python/pysss.c) there is a pysss.password.decrypt() method, but it is surrounded by #if 0..#endif. If those (and the corresponding #if 0..#endif around the C-Python linkage) are removed and the source is recompiled, decrypt() can be called. E.g.:

import pysss  # SSSD's bundled Python module (src/python/pysss.c), rebuilt with decrypt() enabled

password = 'swordfish'
print(password)

obfobj = pysss.password()
# AES_256 is the only obfuscation method pysss exposes
obfpwd = obfobj.encrypt(password, obfobj.AES_256)
print(obfpwd)

# decrypt() only exists once the #if 0..#endif guards have been removed and pysss rebuilt
decrypted_password = obfobj.decrypt(obfpwd)
print(decrypted_password)
Mark Wagner

https://github.com/jteppinette/python-sssd-ldap-auth

I created a python package based on @MLu's work.

Install

$ pip install sssdldapauth

Usage

CLI

$ sssdldapauth deobfuscate <obfuscated_password>
<password>

Library

from sssdldapauth import deobfuscate

password = deobfuscate("<obfuscated_password>")