phpass fails on Authentication on certain passwords from phpBB3? - authentication

Using either the phpass test program http://www.openwall.com/phpass/phpass-0.3.tar.gz , or python-phpass, and using C?*|Y[j"KQ'%gf for the plain text password, and $P$9kS6tD8tVxajypvJ5837.bt2emepD8/ as the hash, doing:
<?php
#
# This is a test program for the portable PHP password hashing framework.
#
# Written by Solar Designer and placed in the public domain.
# See PasswordHash.php for more information.
#
require 'PasswordHash.php';
header('Content-type: text/plain');
$t_hasher = new PasswordHash(8, FALSE);
$correct2 = 'C?*|Y[j"KQ\'%gf';
$hash2 = '$P$9kS6tD8tVxajypvJ5837.bt2emepD8/';
print 'Hash: [' . $hash2 . "]\n";
print 'correct: [' . $correct2 . "]\n";
$check = $t_hasher->CheckPassword($correct2, $hash2);
if ($check)
{
print "Check IF THIS WORKScorrect: '" . $check . "' (should be '1')\n";
}
else
{
print "IT FAILED!!!!!!!!\n\n\n";
}
?>
The hash was from phpBB3 (3.0.10), and when I supply that password to phpBB3, it does work correctly.
phpBB3 is supposed to be using phpass itself, doing $H$ instead of $P$.
The database entry in phpBB3 for this example is:
qlc4pi000000";0;"127.0.0.1";1351902499;"testpass";"testpass";"$H$9kS6tD8tVxajypvJ5837.bt2emepD8/";1351902499;0;"tp#inva.lid.com";266402289712;"''";1351902544;1351902499;0;"''";"''";0;0;0;0;0;0;0;"en";0.00;0;"D M d, Y g:i a";2;0;"''";0;0;0;0;-3;0;0;"t";"d";0;"t";"a";0;1;0;1;1;1;1;230271;"''";0;0;0;"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"bf4ae169a5a21313";1;0;0
The plain text password used in phpBB3 is [C?*|Y[j"KQ'%gf] and the hash (converted from phpBB3 format) is [$P$9kS6tD8tVxajypvJ5837.bt2emepD8/] (both password & hash are between the []).
Can anyone shed some light on what is going on, and why this doesn't work with phpass?
This is on the same machine that the forums are on, and again, it does work on the phpBB3 forums, so I can log in fine. It's just that I can't authenticate with phpass externally when I access the phpBB3 database directly. It does work on other accounts though; it is only certain accounts it fails on.

Turns out the issue is that phpBB3 converts the password to use HTML escape codes.
Now, once the password is converted, it matches the hash stored in phpBB3.

phpBB3 most likely applies the PHP function htmlspecialchars (with no flags) to the password.
This fact noted by phpBoing was also noticed in the discussion of question https://stackoverflow.com/a/12543884/1148030 .
The nonstandard identifier $H$ is useful. When $H$ is present, the implementation can know to apply escaping to support phpBB3.
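As an added example (not code from the original post, from phpass or from phpBB), here is a Python re-implementation of the portable phpass check that applies the escaping described above whenever the $H$ tag is present. It assumes phpBB3 used PHP's default ENT_COMPAT htmlspecialchars() flags (double quote escaped, single quote not), which is what "with no flags" meant on PHP 5.x.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    # phpass' own base64 variant (same alphabet and packing as PasswordHash.php)
    out, i = "", 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def php_htmlspecialchars(s: str) -> str:
    # PHP htmlspecialchars() with default ENT_COMPAT flags (assumed): & < > and " escaped, ' left alone
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace('"', "&quot;")


def phpass_crypt_private(password: str, setting: str) -> str:
    # Portable phpass hash; setting = tag ($P$ or $H$) + cost char + 8-char salt (12 chars)
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    rounds = 1 << ITOA64.index(setting[3])       # '9' -> 2**11 = 2048 rounds
    salt, pw = setting[4:12].encode(), password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def check_password(password: str, stored: str) -> bool:
    # phpBB3 tags its hashes $H$ and hashed the htmlspecialchars() form of the
    # password, so apply the same escaping before hashing when that tag is seen.
    if stored.startswith("$H$"):
        password = php_htmlspecialchars(password)
    return hmac.compare_digest(phpass_crypt_private(password, stored), stored)
```

To test the pair from the question, call check_password with the raw password and the hash in its original $H$ form rather than the $P$-converted one, so that the escaping step is applied.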

Related

LDAP Authentication failed: Invalid Credentials

In Gforge, when a new user tries to log in, the user is automatically registered by fetching data from LDAP. It works fine for other users but one particular user is not able to log in and gets the error LDAP Authentication failed: Invalid Credentials . I don't understand what the issue could be. Could you please help?
This is the search function I am using.
// look the user up by id attribute, take the DN of the first entry, then bind as that DN
$res = ldap_search($ldap, $sys_ldap_base, $sys_ldap_id_attribute . '=' . $id, array());
$entry = ldap_first_entry($ldap, $res);
$dn = ldap_get_dn($ldap, $entry);
ldap_bind($ldap, $dn, $pw);
If it works for some users but not for one specific user, then it's something to do with the LDAP configuration, or with the characters in that user's ID or pwd.
Is the failing user in a different org/OU? Do they have accent characters in their username or password? These things can cause compatibility issues between GForge and the LDAP server.
Does this user have a much longer user name than other users? There is a GForge config setting called "usernameregex" that governs the complexity and length of allowed user names. Even though LDAP logins result in automatic account creation, the validation of the user's unix name might fail due to the regex in place. The error noted above could certainly be the catch-all message when this happens.
The default setting is "^[a-z0-9_.-]{3,15}$". You can change the upper length limit by changing the 15 to something else. The unix_name field in the GForge database is TEXT, so it can be extremely long (1GB?).
In GForge 6.3.x and earlier, you can find that setting in /etc/gforge/gforge.conf. Change the value and then update the system using:
cd /opt/gforge/bin && php create_config_cache.php
In GForge 6.4 and later, you can use the gf-config utility to set the value. It will take effect right away:
/opt/gforge/bin/gf-config set "usernameregex" "new regex value"

OpenLDAP - Saves userPassword as PlainText

I am setting up openLDAP for one of my Java applications. Usernames and passwords are stored in openLDAP and users are able to update their passwords via the application (using the javax.naming.directory API). I imported our users from our existing Sun Directory Server into openLDAP. Import was successful and passwords were encrypted in SSHA format. I noticed that when I update a password from the application, it stores it in 'Plain Text' format. I can unhide the password when I view it via Apache Directory Studio. A lot of googling later, I tried setting the "password-hash {SSHA}" in the slapd.conf file and that didn't help me either. I am on a Windows environment. I am passing the password to openLDAP in plain text format. There is no encryption going on in the code. I know I can encrypt it in the application but I would prefer openLDAP to do it for me. Please let me know if I can do anything on the openLDAP side.
This is the Java code I use today to modify passwords. This has been working fine in our existing environment for the past 7 years.
ModificationItem[] newAttribs = new ModificationItem[1];
Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password);
ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib);
newAttribs[0] = passwordItem;
.....
DirContext ctx = this.getContext();
ctx.modifyAttributes( DirectoryConstants.USER_UID + "=" + userId + "," + ou, newAttribs);
So, the default password hash format in openldap is SSHA, which is nice.
Unfortunately, the default password policy in openldap is 'do not enforce password hashing'.
You will want to add an overlay to the database you're storing users in.
In the cn=config version, this looks like, approximately:
dn: olcOverlay={X}ppolicy,olcDatabase={Y}bdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {X}ppolicy
olcPPolicyHashCleartext: TRUE
(where Y is your database number in cn=config, X is the overlay number you want it to be)
The slapd.conf version is similar, you need an:
overlay ppolicy
ppolicy_hash_cleartext
entry, inside the relevant database definition (you don't need to provide a value for ppolicy_hash_cleartext, presence indicates TRUE).
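Added example, not from the original post or from OpenLDAP: a small Python audit that tells hashed {SSHA} userPassword values from cleartext ones (what the question observed after the application replaced the attribute) and verifies an {SSHA} value the way slapd does, so the effect of ppolicy_hash_cleartext can be confirmed after the change. The sample entries are constructed.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt: bytes = b"") -> str:
    # OpenLDAP {SSHA}: base64( sha1(password + salt) + salt ), salt follows the 20-byte digest
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_scheme(value: str) -> str:
    # Hashed userPassword values carry their scheme in braces; anything else is cleartext
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"


def find_cleartext(entries: dict) -> list:
    # DNs whose userPassword was written without a hash scheme. Note that ldapsearch
    # prints the attribute base64-encoded as "userPassword::", so decode that layer first.
    return sorted(dn for dn, pw in entries.items() if password_scheme(pw) == "CLEARTEXT")


# Constructed sample of decoded userPassword values: one imported (hashed),
# one rewritten by the application before the overlay was enabled (cleartext)
SAMPLE = {
    "uid=alice,ou=people,dc=example,dc=com": ssha_hash("correct horse", b"saltsalt"),
    "uid=bob,ou=people,dc=example,dc=com": "hunter2",
}
```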

Password Authentication - Inconsistent Hashes

I am migrating from Joomla 1.5 to WordPress and my client does not want users to have to re-register. So I am writing a WordPress plugin to match a user's password with what's in the jos_users table and then update their info in WordPress accordingly.
Everything I have read so far for Joomla's password authentication points me to the getCryptedPassword function:
http://docs.joomla.org/API15:JUserHelper/getCryptedPassword
My plugin is encrypting what the user enters the same way:
$db_password = explode(':', $query); // what's in the password field of jos_users: md5hash:salt
$salt = $db_password[1];
$string_to_be_hashed = $user_entered_pass . $salt;
$test_pass = md5($string_to_be_hashed);
$test_pass = $test_pass . ":" . $salt;
if ($test_pass === $query) { echo "success"; }
I have tested 3 accounts using this...but only 2 are authenticating.
Specifically: md5($password$salt):$salt != database password value
In the database, the password value for the account it is not working for appears to have used the same encryption and in the same format ([md5hash]:salt). I know the password is correct because I can log in to the client's site with it.
In addition, I ran a search on the entire Joomla codebase for the getCryptedPassword function. In all cases, no explicit encryption method is sent - both the code and the documentation indicate that md5 is used by default.
Can anyone think of any places I should look for alternative encryption possibilities?
I have no idea where else to look or why this particular user account appears to be encrypting differently.
In Joomla, by standard, the encryption is handled as follows.
jimport('joomla.user.helper');
$salt = JUserHelper::genRandomPassword(32);
$crypt = JUserHelper::getCryptedPassword($password_choose, $salt);
$password = $crypt.':'.$salt;
You can run the comparison in a separate file by loading the entire Joomla framework into a single file in the root.
define( '_JEXEC', 1 );
define('JPATH_BASE', dirname(__FILE__) );//this is when we are in the root
define( 'DS', DIRECTORY_SEPARATOR );
require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );
$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();
Also, you cannot decrypt the Joomla password. If you know the password (original text), then try with the WordPress password format.
Hope this helps.

I want to pass a value to IceWarp base64 encoded. Does IceWarp need a decoding script?

Currently my job is to hide the username and password from being displayed when we pass the value to IceWarp webmail. The previous developer passed the value like below:
Header("refresh:0;url=http://sample-icewarp.com/webmail/index.html?!#$username:$password");
and it redirects the user to IceWarp webmail, but with the username and password displayed in the address bar for a split second. On a slow connection, though, it gives enough time to read and memorize it.
I am planning to work with base64 encoding. But I am confused: do I need to make IceWarp decode it as well?
I am not a programming expert; I work as IT technical support. This has become part of my job.
From googling, I found this sample code for base64 encoding:
$data = /* some data */;
$base64Data = base64_encode($data);
$urlData = urlencode($base64Data);
$htmlData = htmlspecialchars($urlData);
printf('<input type="hidden" value="%s" name="pass-it-on">', $htmlData);
How do I edit this to make it redirect to IceWarp webmail?
Why don't you use external login (see icewarp/html/webmail/client/_external)? It would use AFAIK the RSA login IceWarp has. Or SSO...

Apache basic auth, mod_authn_dbd and password salt

Using Apache mod_auth_basic and mod_authn_dbd you can authenticate a user by looking up that user's password in the database. I see that working if the password is held in clear, but what if we use a random string as a salt (also stored in the database) then store the hash of the concatenation?
mod_authn_dbd requires you to specify a query to select that password, not to decide whether the user is authenticated or not. So you cannot use that query to concatenate the user-provided password with the salt and then compare with the stored hash.
AuthDBDUserRealmQuery "SELECT password FROM authn WHERE user = %s AND realm = %s"
Is there a way to make this work?
Looking at the Password Formats for Basic Auth it seemed that I could make this work if the hash is done using the apr_md5_encode function.
Found another question that relates to this and links to a Java implementation. I used that implementation with a small change to calculate the database hash inside my website's normal user-creation flow. After this I could use mod_authn_dbd with this query:
AuthDBDUserRealmQuery "SELECT CONCAT('$apr1$',password_salt,'$',password_hash) FROM users WHERE user = %s AND realm = %s"
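Added example, not the poster's Java code nor Apache's own source: a Python implementation of the $apr1$ scheme (MD5-crypt with Apache's magic string) that produces the separate password_salt and password_hash columns the query above concatenates, plus a verifier for the assembled string. The column names follow the query; everything else is an assumption about the users table.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, length: int) -> str:
    # crypt-style base64: least significant 6 bits first
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_digest(password: str, salt: str) -> str:
    # Apache's apr1 scheme (MD5-crypt with the $apr1$ magic), as produced by
    # htpasswd -m; returns only the 22-character hash part.
    pw, sl = password.encode("utf-8"), salt[:8].encode("ascii")
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in alt, len(pw) bytes in total
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # the historic "don't ask" step
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples)
    return out + _to64(final[11], 2)


def new_user_record(password: str) -> dict:
    # Columns for the (assumed) users table so the query can rebuild $apr1$<salt>$<hash>
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return {"password_salt": salt, "password_hash": apr1_digest(password, salt)}


def check_apr1(password: str, stored: str) -> bool:
    # Verify the full $apr1$<salt>$<hash> string the query hands to mod_auth_basic
    parts = stored.split("$")
    return len(parts) == 4 and parts[1] == "apr1" and hmac.compare_digest(apr1_digest(password, parts[2]), parts[3])
```

Cross-check the output of apr1_digest against htpasswd -nbm for the same salt before relying on it in production.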