How to de-obfuscate sssd.conf password?

I have inherited a number of EC2 instances with CentOS that authenticate users against AWS Directory Service through LDAP. Now I need to run some manual queries with ldapsearch using the same account to debug some authentication problems. However, the password is encrypted in the config, like this:

[sssd]
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
cache_credentials = True

ldap_schema = AD
ldap_uri = ldaps://...
ldap_search_base = ...
ldap_default_bind_dn = ...
ldap_default_authtok = AAAQAB3QDeZ7+...cBSpT0ZABu4AAQID
ldap_default_authtok_type = obfuscated_password

Is there any way to decrypt / de-obfuscate the ldap_default_authtok? I don't want to change it in AD because it's being used on many servers.


Solution 1:

I happened to write a small script that decrypts these passwords about a year ago.

Interestingly, the SSS developers went to great lengths with the obfuscation algorithm, using AES-256 for example, yet in the end it's still easily decipherable because they bundle the randomly generated encryption key in the encoded string. Weird.

I put it on GitHub for you: https://github.com/mludvig/sss_deobfuscate

Usage is simple:

$ ./sss_deobfuscate AAAQABagVAjf9KgUyIxTw3A+HUfbig7N1+L0qtY4xAULt2GYHFc1B3CBWGAE9ArooklBkpxQtROiyCGDQH+VzLHYmiIAAQID
Decoded password: Passw0rd

Hope that helps :)

Solution 2:

@MLu's answer will get the job done but I'll add some commentary.

It's a shame the devs called the methods encrypt() and decrypt() since they do no such thing.

If you look at the source for the Python module (src/python/pysss.c) there is a pysss.password.decrypt() method, but it is surrounded by #if 0..#endif. If those (and the corresponding #if 0..#endif around the C/Python linkage) are removed and the source is recompiled, decrypt() can be called. E.g.:

import pysss  # the module built from src/python/pysss.c with the #if 0 blocks removed

password = 'swordfish'
print(password)

# Obfuscate with the only method the module offers (AES_256).
obfobj = pysss.password()
obfpwd = obfobj.encrypt(password, obfobj.AES_256)
print(obfpwd)

# decrypt() exists only after re-enabling the #if 0'd code and recompiling.
decrypted_password = obfobj.decrypt(obfpwd)
print(decrypted_password)
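Both answers make the same point: the token carries its own key, so anything that can read sssd.conf can recover the bind password. The stand-alone Go program below is an added example written for this page; it is not code from the question, from either answer, from the linked sss_deobfuscate script or from the sssd project. It re-implements the token layout as I read it from sssd's src/util/crypto sources (uint16 method, uint16 ciphertext length, 32-byte key, 16-byte IV, AES-256-CBC ciphertext, then the sentinel bytes 00 01 02 03); the little-endian header (sssd writes those two fields in host byte order) and PKCS#7 padding of the password plus its terminating NUL are assumptions, as are the names Parse, Deobfuscate and Obfuscate. PageToken is the sample token from Solution 1. The Obfuscate side is there so you can watch a fresh random key being written into the output right next to the ciphertext, which is why this is obfuscation rather than encryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout of an sssd obfuscated_password token (my reading of sssd's util/crypto code):
//   uint16 method | uint16 ctLen | key (32 B) | IV (16 B) | ciphertext (ctLen B) | sentinel 00 01 02 03
// The decryption key travels inside the token, so reading the token is enough to recover the password.
const (
	methodAES256 = 0 // enum obfmethod { AES_256 } is the only method sssd defines
	keyLen       = 32
	ivLen        = aes.BlockSize
	headerLen    = 4
)

var sentinel = []byte{0x00, 0x01, 0x02, 0x03}

// PageToken is the sample token from Solution 1 on this page.
const PageToken = "AAAQABagVAjf9KgUyIxTw3A+HUfbig7N1+L0qtY4xAULt2GYHFc1B3CBWGAE9ArooklBkpxQtROiyCGDQH+VzLHYmiIAAQID"

// Token is a parsed ldap_default_authtok value.
type Token struct {
	Method uint16
	Key    []byte
	IV     []byte
	CT     []byte
}

// Parse base64-decodes a token and validates header, lengths and sentinel before any crypto runs.
func Parse(b64 string) (*Token, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	if len(raw) < headerLen+keyLen+ivLen+len(sentinel) {
		return nil, errors.New("token too short")
	}
	method := binary.LittleEndian.Uint16(raw[0:2]) // host byte order in sssd; little-endian assumed
	ctLen := int(binary.LittleEndian.Uint16(raw[2:4]))
	if method != methodAES256 {
		return nil, fmt.Errorf("unsupported method %d", method)
	}
	if ctLen == 0 || ctLen%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of the AES block size", ctLen)
	}
	if want := headerLen + keyLen + ivLen + ctLen + len(sentinel); len(raw) != want {
		return nil, fmt.Errorf("token is %d bytes, header implies %d", len(raw), want)
	}
	p := headerLen
	t := &Token{Method: method, Key: raw[p : p+keyLen]}
	p += keyLen
	t.IV = raw[p : p+ivLen]
	p += ivLen
	t.CT = raw[p : p+ctLen]
	p += ctLen
	if !bytes.Equal(raw[p:], sentinel) {
		return nil, errors.New("bad sentinel")
	}
	return t, nil
}

// Deobfuscate recovers the plaintext bind password using the key stored in the token itself.
func Deobfuscate(b64 string) (string, error) {
	t, err := Parse(b64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(t.Key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(t.CT))
	cipher.NewCBCDecrypter(block, t.IV).CryptBlocks(pt, t.CT)
	if pt, err = pkcs7Unpad(pt); err != nil {
		return "", err
	}
	if i := bytes.IndexByte(pt, 0); i >= 0 { // the C string's NUL terminator was encrypted too
		pt = pt[:i]
	}
	return string(pt), nil
}

// Obfuscate builds a token the same way: a fresh random key and IV, both written into the output.
func Obfuscate(password string) (string, error) {
	key, iv := make([]byte, keyLen), make([]byte, ivLen)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := pkcs7Pad(append([]byte(password), 0)) // password plus terminating NUL, padded to a block
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	out := make([]byte, headerLen, headerLen+keyLen+ivLen+len(ct)+len(sentinel))
	binary.LittleEndian.PutUint16(out[0:2], methodAES256)
	binary.LittleEndian.PutUint16(out[2:4], uint16(len(ct)))
	out = append(out, key...) // the key is right here, in the "encrypted" value
	out = append(out, iv...)
	out = append(out, ct...)
	out = append(out, sentinel...)
	return base64.StdEncoding.EncodeToString(out), nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

func main() {
	if t, err := Parse(PageToken); err == nil {
		fmt.Printf("method=%d key=%dB iv=%dB ct=%dB\n", t.Method, len(t.Key), len(t.IV), len(t.CT))
	}
	pw, err := Deobfuscate(PageToken)
	fmt.Println("decoded:", pw, err)
	tok, _ := Obfuscate("swordfish")
	back, _ := Deobfuscate(tok)
	fmt.Println(tok, "->", back)
}
```

Run it against your own ldap_default_authtok value to get the bind password for ldapsearch; a token produced by a big-endian host would fail the header check rather than decrypt to garbage, and a truncated or tampered token fails on length or sentinel before any decryption is attempted.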