Open Bug 538740 Opened 15 years ago Updated 11 years ago

Can't use encrypted passwords out of bugzilla because encryption type is appended

Categories: Bugzilla :: User Accounts (defect)
Priority: Not set
Severity: minor
Reporter: denon_6
Assignee: Unassigned

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100105 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: Bugzilla 3.4.4

Bugzilla 3.4.4 uses Perl Digest to handle SHA-256 encryption.

Passwords seem to be correctly encrypted, but when looking at the profiles.cryptpassword string, I see that {SHA-256} has been appended at the end.

The same goes for MD5 and SHA-1 (tested by changing PASSWORD_DIGEST_ALGORITHM in Bugzilla/Constants.pm).

The problem is that if some external tool uses the Bugzilla cryptpassword for authentication (my Apache server uses it with mod_auth_mysql), the password will not match.

One workaround I found is to keep the old crypt encryption method by setting PASSWORD_DIGEST_ALGORITHM to '' (empty string).
Note that my mod_auth_mysql doesn't handle SHA-256 anyway (see https://bugzilla.redhat.com/show_bug.cgi?id=553758)

This also requires an additional change in Bugzilla/Auth/Verify/DB.pm

Index: DB.pm
===================================================================
RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth/Verify/DB.pm,v
retrieving revision 1.10
diff -r1.10 DB.pm
71c71
<     if ($real_password_crypted !~ /{\Q$current_algorithm\E}$/) {
---
>     if ($current_algorithm and $real_password_crypted !~ /{\Q$current_algorithm\E}$/) {
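Review bot: the added `$current_algorithm and` guard is right for the empty-algorithm case, since with an empty PASSWORD_DIGEST_ALGORITHM the old test `/{\Q$current_algorithm\E}$/` degenerates to `/{}$/`, which no crypt()-style hash ends with, so the body of this `if` would run on every login; but the guard only makes sense if an empty algorithm really makes the rest of the code fall back to crypt(), and nothing in this hunk shows that, so spell that assumption out in the comment above the condition. Also submit this as a `diff -u` with context and a short description rather than a bare `71c71` against revision 1.10; a line-number-only hunk stops applying as soon as the file moves.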

In my opinion, the cryptpassword field shouldn't get the encryption type appended; a new field crypttype should be created instead, leaving only the encrypted password in cryptpassword.

Reproducible: Always

Steps to Reproduce:
1. Use the Bugzilla 3.4.4 cryptpassword field (default SHA-256; also tested after changing to SHA-1 and MD5) with an external tool (e.g. mod_auth_mysql)
2. Try to authenticate a user
Actual Results:  
Get a password mismatch; authentication fails

Expected Results:  
Authentication successful

Dupe of bug 392482, IMO. As you say, you cannot use mod_auth_mysql anyway, as it doesn't handle SHA-256.

Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE

Mmm, no, I wouldn't say that they're duplicates. Having a separate crypt_type column might be reasonable, for people who want to change the encryption type and then use some sort of external auth.

Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: x86_64 → All

Note that the external tool could easily append the algorithm string to the end of the encrypted password.
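As an added example (not code from this bug or from Bugzilla itself): what an external authenticator has to do with a Bugzilla 3.4 cryptpassword value, as the report describes and the last comment suggests, namely strip the {ALGORITHM} suffix, reuse the stored salt, recompute the digest with the named algorithm, and compare; it also shows why comparing a computed hash against the whole column fails. The layout assumed here, an 8-character salt followed by the unpadded base64 digest of password+salt and then the suffix, is how I recall Bugzilla::Util::bz_crypt writing it; the report itself only documents the suffix, so treat the salt and digest details as assumptions. The sample rows are constructed, and Python is used because the verification logic is the same in any language.

```python
import base64
import hashlib
import hmac
import re
import secrets
import string

# Layout of a digest-based Bugzilla 3.4 cryptpassword as I recall
# Bugzilla::Util::bz_crypt producing it (assumption; the report only
# states that "{SHA-256}" is appended):
#   <salt><base64 digest without '=' padding>{ALGORITHM}
# where the digest is computed over the password followed by the salt.
SALT_LENGTH = 8  # Bugzilla::Constants PASSWORD_SALT_LENGTH (assumed value)
_SUFFIX_RE = re.compile(r"\{([^}]+)\}$")


def _hashlib_name(algorithm):
    """Map a Perl Digest name ('SHA-256', 'SHA-1', 'MD5') to a hashlib name."""
    return algorithm.lower().replace("-", "")


def split_cryptpassword(stored):
    """Return (salt, digest, algorithm); algorithm is None for a legacy crypt() hash."""
    m = _SUFFIX_RE.search(stored)
    if m is None:
        return None, stored, None
    body = stored[:m.start()]
    return body[:SALT_LENGTH], body[SALT_LENGTH:], m.group(1)


def bugzilla_digest(password, salt, algorithm):
    """Base64 digest of password+salt, unpadded like Perl Digest's b64digest."""
    h = hashlib.new(_hashlib_name(algorithm))
    h.update(password.encode("utf-8"))
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii").rstrip("=")


def make_cryptpassword(password, algorithm="SHA-256", salt=None):
    """Build a cryptpassword value in the assumed layout (used here to construct samples)."""
    if salt is None:
        alphabet = string.ascii_letters + string.digits
        salt = "".join(secrets.choice(alphabet) for _ in range(SALT_LENGTH))
    return salt + bugzilla_digest(password, salt, algorithm) + "{" + algorithm + "}"


def verify_cryptpassword(password, stored):
    """Suffix-aware check: strip the suffix, reuse the salt, recompute with the
    algorithm named in the suffix, compare in constant time."""
    salt, digest, algorithm = split_cryptpassword(stored)
    if algorithm is None:
        raise ValueError("legacy crypt() hash; verify with crypt(3), not a digest")
    return hmac.compare_digest(bugzilla_digest(password, salt, algorithm), digest)


def naive_external_check(password, stored, algorithm="SHA-256"):
    """An external tool that knows about the salt and digest but not the suffix
    computes salt+digest and compares it to the whole column: never matches."""
    salt = stored[:SALT_LENGTH]
    return hmac.compare_digest(salt + bugzilla_digest(password, salt, algorithm), stored)


def needs_rehash(stored, current_algorithm):
    """Login-time migration test in the patched form from the report: re-hash
    only when an algorithm is configured and the stored value names a different one."""
    return bool(current_algorithm) and not stored.endswith("{" + current_algorithm + "}")


if __name__ == "__main__":
    # Constructed sample rows, not real Bugzilla data.
    sha256_row = make_cryptpassword("correct horse", "SHA-256", salt="Ab3dEf9h")
    legacy_row = "abJnggxhB/yWI"  # shape of a crypt(3) DES hash, constructed
    print(sha256_row)
    print("naive, whole column:", naive_external_check("correct horse", sha256_row))  # False
    print("suffix-aware:", verify_cryptpassword("correct horse", sha256_row))  # True
    print("wrong password:", verify_cryptpassword("Tr0ub4dor", sha256_row))  # False
    print("rehash after switch to SHA-1:", needs_rehash(sha256_row, "SHA-1"))  # True
    print("rehash legacy with algorithm '':", needs_rehash(legacy_row, ""))  # False
```

If you do take the route from the last comment and have the external tool append the suffix instead, it still has to know the salt length and the digest's unpadded base64 form; splitting on the suffix, as above, is the less fragile direction because the stored row tells you which algorithm to use.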