Argon2i password hashing and login for TYPO3 upgrade - authentication

I was doing a TYPO3 upgrade from version 7 to 10, but got stuck with the FE users login section. I read in the documentation that salted passwords will automatically get converted to argon2i hash values. This works correctly for BE users. I have a custom extension where I check whether the plain text password matches the password hash value in the database. My code is:
if ($settings['feUserPid'] == $user['pid']) {
    $mode = 'FE';
    $success = GeneralUtility::makeInstance(PasswordHashFactory::class)
        ->getDefaultHashInstance($mode)
        ->checkPassword($request->getArgument('password'), $user['password']);
}
Even if the password is correct, the value of $success is always FALSE. The passwords in the database are not argon2i hash values.
How can I fix this problem? Has anyone faced an issue like this?

It's a while ago for me, but I used
$hashInstance = GeneralUtility::makeInstance(PasswordHashFactory::class)->getDefaultHashInstance('FE');
$hashedPassword = $hashInstance->getHashedPassword($x);
Your method should work. Did you verify the setting of [FE][passwordHashing][className] in the Install Tool?

Related

I want to use the md5 encryption method for the password field in the login form instead of the existing bcrypt encryption method

I have completed the login functionality using the Auth middleware, which uses the Bcrypt encryption method. The login functionality works fine. But we need to handle a set-password feature where the old password has to be validated. Every time, the Bcrypt method changes the password string, so the bcrypt string previously stored in the table does not match the password entered manually in the set-password form. So how do I validate the old password field if it will not match the existing saved password in the table?
$credentials = request(['email', 'password']);
$user = Auth::attempt($credentials);
You are using Laravel so you should use Hash in order to deal with passwords.
Here is all you need to know about it: https://laravel.com/docs/6.x/hashing#basic-usage
In short you can create and verify the passwords in following ways:
Create hashed password to store in DB:
$hashedPassword = Hash::make($request->password);
Verify against existing password
if (Hash::check('entered-password-by-user', $hashedPassword)) {
    // The passwords match...
}
Of course, don't forget to include the Hash facade: use Illuminate\Support\Facades\Hash;
md5 is an ancient and very vulnerable way to go if you want to hash your passwords with it. It is HIGHLY DISCOURAGED!
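The TYPO3 question above and this Laravel one turn on the same point: a verifier bound to a single hash format rejects every hash written in another format, so the check has to dispatch on the prefix of the stored hash, and once a legacy hash verifies it should be rewritten in the current scheme (this is the "automatic conversion" TYPO3 performs at login, and Hash::check is the Laravel side of the same pattern). The following Python is an added illustration of that pattern, not TYPO3's, Laravel's or either poster's code. The two schemes are stand-ins, chosen because the standard library has neither argon2 nor bcrypt: a constructed salted-MD5 legacy format with prefix `$md5s$`, and PBKDF2-SHA256 with prefix `$pbkdf2-sha256$` playing the role of argon2i. The function names are mine.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed legacy format standing in for the TYPO3 v7 salted hashes:
#   $md5s$<salt-hex>$<hex md5(salt + password)>
LEGACY_PREFIX = "$md5s$"
# Current scheme standing in for argon2i / bcrypt:
#   $pbkdf2-sha256$<iterations>$<salt-b64>$<derived-key-b64>
CURRENT_PREFIX = "$pbkdf2-sha256$"
ITERATIONS = 100_000


def legacy_hash(password: str, salt: bytes) -> str:
    """Produce the constructed legacy format (used here only to seed test data)."""
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"{LEGACY_PREFIX}{salt.hex()}${digest}"


def current_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with the current scheme; a fresh random salt unless one is supplied."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return (f"{CURRENT_PREFIX}{ITERATIONS}$"
            f"{base64.b64encode(salt).decode()}${base64.b64encode(dk).decode()}")


def _check_legacy(password: str, stored: str) -> bool:
    _, _, salt_hex, digest = stored.split("$")
    expected = hashlib.md5(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)


def _check_current(password: str, stored: str) -> bool:
    _, _, iters, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def check_password(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, replacement).

    replacement is a current-scheme hash to write back to the user record when
    a legacy hash verified, else None.  An unrecognised format is rejected
    rather than guessed at, which is also what a single-format checker does
    when handed a hash it does not own (the TYPO3 poster's symptom)."""
    if stored.startswith(CURRENT_PREFIX):
        return _check_current(password, stored), None
    if stored.startswith(LEGACY_PREFIX):
        ok = _check_legacy(password, stored)
        return ok, (current_hash(password) if ok else None)
    return False, None


if __name__ == "__main__":
    old = legacy_hash("correct horse", bytes.fromhex("01020304"))
    ok, upgraded = check_password("correct horse", old)
    print(ok, upgraded is not None)            # True True: store `upgraded` in the DB
    print(check_password("correct horse", upgraded))   # (True, None): already current
```

The write-back is the piece the TYPO3 poster's snippet lacks: when check_password returns a replacement, the caller updates the user's row, so each account migrates on its next successful login and old-format hashes disappear over time without a bulk reset.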

Bareos error: Sorry, can not authenticate. Wrong username and/or password

I wanted to give Bareos (Open Source Data Protection) a go to see how it works and performs. However I cannot even get past the basic installation and get it working...
I followed the following installation tutorial (several times now): https://www.svennd.be/installing-bareos-on-centos-7/
But I am getting every time the following error: Sorry, can not authenticate. Wrong username and/or password.
I don't understand what I am doing wrong. I even tried using the previous version of Bareos 16.2, but that didn't make a difference and I experience the same issue. I am 200% sure the password and username are correct.
I also consulted the logs:
17-Mar 13:00 bareos-dir JobId 0: Fatal error: Authorization key rejected by Console USERNAME.
Please see http://doc.bareos.org/master/html/bareos-manual-main-reference.html#AuthorizationErrors for help.
17-Mar 13:00 bareos-dir: ERROR in authenticate.c:283 Unable to authenticate console "USERNAME" at client:127.0.0.1:9101
I checked that page (also several times) and even made sure the (user)names/passwords were correct. But still I get the message "Sorry, can not authenticate. Wrong username and/or password." when I try to login on "bareos-webui".
Probably I am doing something wrong, but I cannot discover what.
I have the following files available. Maybe I need to make certain changes to those as well?
/etc/bareos/bareos-dir.d/director/bareos-dir.conf
/etc/bareos/bareos-fd.d/director/bareos-dir.conf
/etc/bareos/bareos-sd.d/director/bareos-dir.conf
/etc/bareos/bconsole.conf
/etc/bareos/bareos-sd.d/storage/bareos-sd.conf
/etc/bareos/bareos-dir.d/client/bareos-fd.conf
/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf
When I compared some files, they had different passwords in them.
For example: /etc/bareos/bareos-fd.d/director/bareos-dir.conf
Director {
    Name = bareos-dir
    Password = "J36zN1mQVF5lLA/FP0kASo+X9wTo8D988nsVqZjx"
    Description = "Allow the configured Director to access this file daemon."
}
And /etc/bareos/bareos-sd.d/director/bareos-dir.conf
Director {
    Name = bareos-dir
    Password = "PAU/ov3RvnFp0I59brd4d8u9m8ejRpkVE7P/4Qz3"
    Description = "Director, who is permitted to contact this storage daemon."
}
And (one more example): /etc/bareos/bconsole.conf
# Bareos User Agent (or Console) Configuration File
Director {
    Name = bareos-dir
    address = localhost
    Password = "Fs5JnyO1ypBhcR0D9CNkx3gynPMa+jmp7sj9Ghst"
    Description = "Bareos Console credentials for local Director"
}
They all have different passwords here? As I understand it, from the online docs, they should all be the same, right?
Maybe that's the issue? Hopefully someone can explain things a bit better or advise me what to do in order to get this working... Maybe it's something simple that I may have overlooked?
FYI: I whitelisted all IPs and ports I use on this server.
Small edit:
I re-read the documents once again and it says: "The default configuration files are automatically defined for correct authorization with random passwords. If you add to or modify these files, you will need to take care to keep them consistent."
So if I didn't change a thing, it should have worked in the first place, right? So I think something else is wrong here?
Well I finally found the issue...
Apparently my username or password was too difficult for Bareos to accept.
Don't know exactly which one it was, but either username or password caused issues.
I used as a username something like:
BCKPserver
And the password I used was similar to:
!!!!RNDpassW222####
For some reason Bareos saved the password (in the console) and it was displayed correctly in the configuration files; HOWEVER, it didn't allow me to log in on the bareos-webui!
Solved. Hopefully this will help someone else.

OpenLDAP - Saves userPassword as PlainText

I am setting up OpenLDAP for one of my Java applications. Usernames and passwords are stored in OpenLDAP and users are able to update their passwords via the application (using the javax.naming.directory API). I imported our users from our existing Sun Directory Server into OpenLDAP. The import was successful and passwords were encrypted in SSHA format. I noticed that when I update a password from the application, it stores it in 'Plain Text' format. I can unhide the password when I view it via Apache Directory Studio. A lot of googling later, I tried setting "password-hash {SSHA}" in the slapd.conf file and that didn't help me either. I am on a Windows environment. I am passing the password to OpenLDAP in plain text format. There is no encryption going on in the code. I know I can encrypt it in the application but I would prefer OpenLDAP to do it for me. Please let me know if I can do anything on the OpenLDAP side.
This is the Java code I use today to modify passwords. This has been working fine in our existing environment for the past 7 years.
ModificationItem[] newAttribs = new ModificationItem[1];
// The value sent to the server is the cleartext string; what slapd stores is up to its own configuration
Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password);
ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib);
newAttribs[0] = passwordItem;
.....
DirContext ctx = this.getContext();
ctx.modifyAttributes(DirectoryConstants.USER_UID + "=" + userId + "," + ou, newAttribs);
So, the default password hash format in OpenLDAP is SSHA, which is nice.
Unfortunately, the default password policy in OpenLDAP is 'do not enforce password hashing'.
You will want to add an overlay to the database you're storing users in.
In the cn=config version, this looks approximately like:
dn: olcOverlay={X}ppolicy,olcDatabase={Y}bdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {X}ppolicy
olcPPolicyHashCleartext: TRUE
(where Y is your database number in cn=config, X is the overlay number you want it to be)
The slapd.conf version is similar, you need an:
overlay ppolicy
ppolicy_hash_cleartext
entry, inside the relevant database definition (you don't need to provide a value for ppolicy_hash_cleartext, presence indicates TRUE).
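Whichever side does the hashing, it helps to be able to recognise what a userPassword value actually holds and, for the poster's fallback of hashing in the application, to produce the same {SSHA} form OpenLDAP writes itself: `{SSHA}` followed by base64 of SHA-1(password || salt) with the salt appended after the 20-byte digest. The Python below is an added example for this thread, not the poster's Java and not part of OpenLDAP; the helper names, the audit function and the sample entries are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value.

    Layout: '{SSHA}' + base64( sha1(password || salt) || salt ).
    slapd uses a 4-byte salt by default; any salt length decodes correctly
    because the salt is simply whatever follows the 20-byte SHA-1 digest."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against an {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def classify(value: str) -> str:
    """Label a userPassword value: the scheme name inside the braces when it
    carries one (e.g. 'SSHA'), or 'cleartext' when it does not, which is
    exactly what the poster saw in Apache Directory Studio."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")]
    return "cleartext"


def find_cleartext(entries: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (dn, userPassword) pairs, e.g. from an LDIF export, return the DNs
    whose password was stored without a hashing scheme."""
    return [dn for dn, value in entries if classify(value) == "cleartext"]


if __name__ == "__main__":
    # Constructed sample entries: one imported (hashed) and one rewritten by the app
    sample = [
        ("uid=imported,ou=people,dc=example,dc=com", make_ssha("s3cret")),
        ("uid=updated,ou=people,dc=example,dc=com", "s3cret"),
    ]
    print(find_cleartext(sample))   # ['uid=updated,ou=people,dc=example,dc=com']
```

Running find_cleartext over an export before and after enabling ppolicy_hash_cleartext confirms the overlay is doing its job: after the change, a password update from the application should leave an {SSHA} value rather than the bare string.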

Apache basic auth, mod_authn_dbd and password salt

Using Apache mod_auth_basic and mod_authn_dbd you can authenticate a user by looking up that user's password in the database. I see that working if the password is held in clear, but what if we use a random string as a salt (also stored in the database) then store the hash of the concatenation?
mod_authn_dbd requires you to specify a query that selects the password, not one that decides whether the user is authenticated or not. So you cannot use that query to concatenate the user-provided password with the salt and then compare with the stored hash.
AuthDBDUserRealmQuery "SELECT password FROM authn WHERE user = %s AND realm = %s"
Is there a way to make this work?
Looking at the Password Formats for Basic Auth it seemed that I could make this work if the hash is done using the apr_md5_encode function.
Found another question that relates to this and links to a Java implementation. I used that implementation with a small change to calculate the database hash inside my website's normal user-creation flow. After this I could use mod_authn_dbd with this query:
AuthDBDUserRealmQuery "SELECT CONCAT('$apr1$',password_salt,'$',password_hash) FROM users WHERE user = %s AND realm = %s"

AJAX login: check password, how to get it to work with md5

This is my code. It works, except for the passwords; how would I fix this? I know I should do something with md5 but I couldn't get the solutions I found to work with my code. I really need to make this right and safe, please assist.
// get the posted values
$username = htmlspecialchars($_POST['user_name'], ENT_QUOTES);
$password = htmlspecialchars($_POST['password'], ENT_QUOTES);
// username and password are interpolated straight into the SQL; MD5 is computed by MySQL
$check_for_username = $mysqli->query("SELECT username FROM q4jli_users WHERE username='$username' AND password=MD5('$password')");
if (mysqli_num_rows($check_for_username)) {
    echo "yes";
} else {
    echo "no";
}
Thanks in advance
MD5 is outdated and no longer a sufficient method of password encryption. You should investigate salted hashes using more modern encryption algorithms.
food for thought:
bcrypt
First of all, you need to make sure that a user's password is encrypted into the database with MD5. If not, then you can use this code:
$mysqli->query("INSERT INTO q4jli_users (username, password) VALUES ('$username', MD5('$password'))");
Then, when seeing if a user enters the correct password, you need to encrypt it to MD5 and then run a query in the database:
$check_for_username = $mysqli->query("SELECT username FROM q4jli_users WHERE username='$username' AND password=MD5('$password')");
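Both answers leave the shape of the posted query alone: the username and password are interpolated into the SQL string, and the password itself is sent to the database to be hashed there. The Python below is an added example for this thread (not the poster's or either answerer's code; the table and its rows are constructed in memory with sqlite3) showing how a login check looks when those two things are changed: a parameterized SELECT by username alone, the hash verified in application code with a salted, iterated algorithm (PBKDF2-SHA256 here; bcrypt, as the first answer suggests, fills the same role), a constant-time comparison, and an equal amount of work spent when the user does not exist so response time does not reveal which usernames are valid. Function names and the sample account are mine.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store a per-user random salt and the PBKDF2 digest, never the password."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO q4jli_users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, _derive(password, salt)),
    )
    conn.commit()


def setup_db() -> sqlite3.Connection:
    """In-memory table mirroring the poster's q4jli_users, with salt and hash
    columns in place of the MD5 value (constructed data for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE q4jli_users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    register(conn, "alice", "correct horse battery")
    return conn


# Fixed dummy credentials so a miss costs the same PBKDF2 work as a hit
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = _derive("dummy", _DUMMY_SALT)


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look the user up by name with a placeholder (the driver escapes it),
    then verify the password in code; the password never enters the SQL."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM q4jli_users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hmac.compare_digest(_derive(password, _DUMMY_SALT), _DUMMY_HASH)
        return False
    salt, stored = row
    return hmac.compare_digest(_derive(password, salt), stored)


if __name__ == "__main__":
    conn = setup_db()
    print("yes" if login(conn, "alice", "correct horse battery") else "no")   # yes
    print("yes" if login(conn, "alice", "wrong") else "no")                   # no
```

Note that htmlspecialchars has no place in this path: escaping is for output into HTML, not for SQL (the placeholder handles that) and not for passwords (it would silently change any password containing `&`, `<` or a quote before hashing).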