
Opened 10 years ago

Closed 6 years ago

#1283 closed enhancement (wontfix)

Support for crypt passwords

Reported by: Sergio Talens-Oliag
Owned by: Brad Anderson
Priority: normal
Component: DbAuthPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.10

Description

It would be nice to support more than one password_hash on this plugin, as the default one used on the 0.10 version of the plugin can't be used to validate users with Apache 2.2 and mod_authn_dbd.

As I needed the functionality I've added support for crypt passwords; I know that crypt is not the best option, but at least I can move passwords between different authentication systems without users noticing it, that is, I can use them on the htpasswd file, on an LDAP server or on the /etc/shadow files of a UNIX machine.

My patch adds the password_hash keyword to the dbauth section and checks if the value is crypt when generating new passwords (if it is not, it uses the previous SHA-1 hash). When checking passwords the patch tries the three authentication methods (cleartext, SHA-1 and crypt), basically to keep the system backwards compatible.

I've looked at the simple branch, but as I'm using the 0.10 version and have not tested the simple version, I have not patched that code; it should be easy to do, though.

On a quick review I've seen that on the new version only one hash method is used when verifying passwords and that the keyword used to choose the hash method is algorithm, but the code to support crypt is easy to add; if you are interested, I can send you a patch for the simple version also.

Attachments (1)

crypt-support.patch (2.1 KB) - added by Sergio Talens-Oliag 10 years ago.
Reviewed crypt support patch


Change History (3)

Changed 10 years ago by Sergio Talens-Oliag

Attachment: crypt-support.patch added

Reviewed crypt support patch

comment:1 Changed 10 years ago by anonymous

Yesterday I tried to add a note about the updated patch, but the disks were full and I could not do it, so I am doing it today.

I've uploaded an updated version of the patch; now the CRYPT password is stored in the database using the prefix CRYPT:, so that the user can't use the hashed password as a cleartext one.

To use the password with mod_authn_dbd the AuthDBDUserPWQuery has to remove the prefix, but that is easy to do in SQL.

For PostgreSQL the query can be something like:

AuthDBDUserPWQuery "SELECT substr(password,7) FROM trac_users WHERE username = %s"

For SQLite I believe that the substring length is also needed:

AuthDBDUserPWQuery "SELECT substr(password,7,length(password)) FROM trac_users WHERE username = %s"
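To make the two posts above concrete, here is a Python sketch of the scheme they describe: a generator that honours a password_hash setting (crypt or the previous SHA-1 default), a verifier that tries cleartext, SHA-1 and CRYPT:-prefixed crypt entries for backward compatibility, and a helper that mirrors the substr(password,7) in the mod_authn_dbd queries. This is an added example written for this page, not code from the patch or from DbAuthPlugin; the function names, the table layout and the two-character salt choice are assumptions.

```python
"""Added example, not DbAuthPlugin code: crypt/SHA-1/cleartext password
handling with a "CRYPT:" storage prefix, as described in ticket #1283."""
import hashlib
import hmac
import secrets

try:
    import crypt  # stdlib crypt(3) wrapper; deprecated in 3.11, removed in 3.13
except ImportError:
    crypt = None

CRYPT_PREFIX = "CRYPT:"  # 6 characters, hence substr(password, 7) in SQL
# Salt alphabet accepted by traditional crypt(3) (assumption: two-char DES salt,
# the form htpasswd -d and mod_authn_dbd also understand).
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def crypt_available():
    """True when this Python still ships the crypt module."""
    return crypt is not None


def generate_password(password, password_hash="sha1"):
    """Return the value to store for `password` under the configured scheme.

    password_hash == "crypt": "CRYPT:" + crypt(3) hash with a random salt.
    Anything else: hex SHA-1 digest, the plugin's previous default.
    """
    if password_hash == "crypt":
        if crypt is None:
            raise RuntimeError("crypt module unavailable on this interpreter")
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))
        return CRYPT_PREFIX + crypt.crypt(password, salt)
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strip_crypt_prefix(stored):
    """What the AuthDBDUserPWQuery does in SQL: drop the leading "CRYPT:"."""
    return stored[len(CRYPT_PREFIX):]


def _eq(a, b):
    """Constant-time string comparison (bytes form avoids the ASCII-only limit)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify_password(stored, candidate):
    """Try the three methods the patch keeps for backward compatibility.

    A "CRYPT:" entry is only ever checked as crypt, so the stored value cannot
    be replayed as a cleartext password, which is what the prefix is for.
    """
    if stored.startswith(CRYPT_PREFIX):
        if crypt is None:
            return False
        hashed = strip_crypt_prefix(stored)
        # crypt(3) reads the salt back out of the stored hash
        return _eq(crypt.crypt(candidate, hashed) or "", hashed)
    sha1_hex = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    return _eq(stored, candidate) or _eq(stored, sha1_hex)
```

Two things the sketch makes visible: only the crypt entries get a prefix, so a stored SHA-1 digest is still accepted as a cleartext password by the backward-compatible check (verify_password(sha1_hex, sha1_hex) is true), and with a two-character salt the result is traditional DES crypt, which only looks at the first eight characters of the password. The author already notes that crypt is not the best option; the portability across htpasswd, LDAP and /etc/shadow is the trade-off being made.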

comment:2 Changed 6 years ago by Ryan J Ollos

Resolution: wontfix
Status: new → closed

Closing tickets for a deprecated plugin.
