Modify

#10689 closed defect (invalid)

Realm not being used for password hash?

Reported by: james Owned by: hasienda
Priority: low Component: AccountManagerPlugin
Severity: normal Keywords: needinfo SessionStore
Cc: rjollos Trac Release: 0.11

Description (last modified by hasienda)

As a test I set the password of my user (james) through the account settings on trac to 'helloworld'. In the database this set the password to ':f4a19cee25aae3fe30d7a319fb7c5144'

I can reproduce this hash like so:

echo -n james::helloworld | md5
f4a19cee25aae3fe30d7a319fb7c5144

However I thought trac would use the realm set in trac.ini to essentially do this:

echo -n james:TracDB:helloworld | md5
8c41eb73b4e4d22f173b2a302d52dfdd

I'm obviously missing something, can anyone see what is it? Here are my account manager settings:

[account-manager]
account_changes_notify_addresses =
hash_method = HtDigestHashMethod
db_htdigest_realm = TracDB
password_store = SessionStore
login_attempt_max_count = 3
user_lock_time = 30
user_lock_time_progression = 1

[components]
acct_mgr.guard.accountguard = enabled
acct_mgr.admin.accountmanageradminpages = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.notification.accountchangelistener = enabled
acct_mgr.notification.accountchangenotificationadminpage = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.emailverificationmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = disabled
acct_mgr.web_ui.resetpwstore = disabled
trac.web.auth.loginmodule = disabled
tracopt.versioncontrol.git.* = enabled

Attachments (0)

Change History (4)

comment:1 Changed 22 months ago by hasienda

  • Description modified (diff)
  • Keywords SessionStore added

reformatting for readability

comment:2 Changed 22 months ago by hasienda

  • Cc rjollos added
  • Keywords needinfo added
  • Trac Release changed from 1.0 to 0.11

What AcctMgr version are you testing?

Your configuration looks like a mix of

  • acct_mgr-0.3 (acct_mgr.web_ui.emailverificationmodule) and
  • acct_mgr-0.4 (db_htdigest_realm).

And from your example hash entry :f4a19cee25aae3fe30d7a319fb7c5144 you can see, that the db_htdigest_realm option is ineffective in your particular setup. So most probably you're running acct_mgr-0.3.x with some options meant for the current plugin version 0.4, and should clean-up and upgrade before going on.

With unit tests for SessionStore in place even for the old-stable plugin version you should be able to verify, that is works as expected with acct_mgr.tests.db.HtDigestTestCase.

Side-note: On our ticket creation page you've been advised to prefer the mailing-list for local installation/configuration issues. Honestly, its a big red box in the top of the page. But still you stepped into the development tracking system, that is not meant for general user support. Just assuming software issues here is not a nice play. Would you be so kind as to take care a little more next time, please? Thanks.

comment:3 Changed 21 months ago by hasienda

  • Priority changed from normal to low

Despite of knowing about a possibly weak configuration, and without trying to get support from the mailing-list first, you suggested a software issue by creating a bug report here.

As you see, we do still care, but demand interaction and response from reporter's side in return.

comment:4 Changed 19 months ago by hasienda

  • Resolution set to invalid
  • Status changed from new to closed

If you're rather clue-less, please test recent development code from trunk branch, and make sure to go for acct_mgr-0.5 as soon as it has been released.

This should really help for getting a working Trac authentication configuration for both use cases, with AccountManager's login HTML form or HTTP authentication driven by the web-server and its password file optionally managed by AccountManager in turn. For additional hints see #8930.

Add Comment

Modify Ticket

Action
as closed .
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.