Ticket #10689 (closed defect: invalid)

Opened 5 months ago

Last modified 3 months ago

Realm not being used for password hash?

Reported by: james Assigned to: hasienda
Priority: low Component: AccountManagerPlugin
Severity: normal Keywords: needinfo SessionStore
Cc: rjollos Trac Release: 0.11

Description (Last modified by hasienda)

As a test I set the password of my user (james) through the account settings on trac to 'helloworld'. In the database this set the password to ':f4a19cee25aae3fe30d7a319fb7c5144'

I can reproduce this hash like so:

echo -n james::helloworld | md5
f4a19cee25aae3fe30d7a319fb7c5144

However I thought trac would use the realm set in trac.ini to essentially do this:

echo -n james:TracDB:helloworld | md5
8c41eb73b4e4d22f173b2a302d52dfdd

I'm obviously missing something, can anyone see what it is? Here are my account manager settings:

[account-manager]
account_changes_notify_addresses =
hash_method = HtDigestHashMethod
db_htdigest_realm = TracDB
password_store = SessionStore
login_attempt_max_count = 3
user_lock_time = 30
user_lock_time_progression = 1

[components]
acct_mgr.guard.accountguard = enabled
acct_mgr.admin.accountmanageradminpages = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.notification.accountchangelistener = enabled
acct_mgr.notification.accountchangenotificationadminpage = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.emailverificationmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = disabled
acct_mgr.web_ui.resetpwstore = disabled
trac.web.auth.loginmodule = disabled
tracopt.versioncontrol.git.* = enabled

Change History

12/09/12 03:38:20 changed by hasienda

  • keywords set to SessionStore.
  • description changed.

reformatting for readability

12/09/12 04:00:08 changed by hasienda

  • cc set to rjollos.
  • keywords changed from SessionStore to needinfo SessionStore.
  • release changed from 1.0 to 0.11.

What AcctMgr version are you testing?

Your configuration looks like a mix of

  • acct_mgr-0.3 (acct_mgr.web_ui.emailverificationmodule) and
  • acct_mgr-0.4 (db_htdigest_realm).

And from your example hash entry :f4a19cee25aae3fe30d7a319fb7c5144 you can see that the db_htdigest_realm option is ineffective in your particular setup. So most probably you're running acct_mgr-0.3.x with some options meant for the current plugin version 0.4, and should clean up and upgrade before going on.

With unit tests for SessionStore in place even for the old-stable plugin version you should be able to verify that it works as expected with acct_mgr.tests.db.HtDigestTestCase.

Side-note: On our ticket creation page you've been advised to prefer the mailing-list for local installation/configuration issues. Honestly, it's a big red box at the top of the page. But still you stepped into the development tracking system, that is not meant for general user support. Just assuming software issues here is not a nice play. Would you be so kind as to take care a little more next time, please? Thanks.
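The check described in the comment above, reading the realm off the stored entry and comparing it with trac.ini, as an added Python example that is not part of the original ticket or the plugin's own code. It assumes the stored value has the form realm:digest (which is how the comment reads the leading colon) and that the digest is the MD5 of user:realm:password, as in the reporter's md5 commands; the function names are hypothetical.

```python
import hashlib
import hmac


def htdigest(user, realm, password):
    """Digest-style hash: MD5 of 'user:realm:password', hex encoded."""
    data = ":".join((user, realm, password)).encode("utf-8")
    return hashlib.md5(data).hexdigest()


def split_entry(stored):
    """Split an assumed 'realm:digest' entry; the realm part may be empty."""
    realm, sep, digest = stored.rpartition(":")
    if not sep or len(digest) != 32:
        raise ValueError("not a realm:digest entry: %r" % stored)
    return realm, digest.lower()


def diagnose(user, password, stored, configured_realm):
    """Return (stored_realm, digest_ok, realm_matches_config).

    digest_ok: the entry verifies when hashed with the realm it carries.
    realm_matches_config: that realm equals the one set in trac.ini.
    """
    stored_realm, digest = split_entry(stored)
    expected = htdigest(user, stored_realm, password)
    # Constant-time comparison, as for any credential check.
    digest_ok = hmac.compare_digest(expected.encode("utf-8"),
                                    digest.encode("utf-8"))
    return stored_realm, digest_ok, stored_realm == configured_realm


# Values taken from the ticket: the database entry and db_htdigest_realm.
STORED = ":f4a19cee25aae3fe30d7a319fb7c5144"
CONFIGURED = "TracDB"

if __name__ == "__main__":
    realm, ok, in_sync = diagnose("james", "helloworld", STORED, CONFIGURED)
    print("realm in entry: %r, digest verifies: %s, matches trac.ini: %s"
          % (realm, ok, in_sync))
```

An entry that verifies but whose realm differs from the configured one points at the realm option not being applied when the password was set, which is the situation in this ticket.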

12/13/12 02:39:29 changed by hasienda

  • priority changed from normal to low.

Despite knowing about a possibly weak configuration, and without trying to get support from the mailing-list first, you suggested a software issue by creating a bug report here.

As you see, we do still care, but demand interaction and response from reporter's side in return.

02/25/13 01:13:35 changed by hasienda

  • status changed from new to closed.
  • resolution set to invalid.

If you're rather clueless, please test recent development code from the trunk branch, and make sure to go for acct_mgr-0.5 as soon as it has been released.

This should really help for getting a working Trac authentication configuration for both use cases, with AccountManager's login HTML form or HTTP authentication driven by the web-server and its password file optionally managed by AccountManager in turn. For additional hints see #8930.

