0007864: Native support for SHA1 authentification within Mantis - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0007864	mantisbt	authentication	public	2007-03-29 09:47	2011-08-05 02:45

Reporter	dlmueller	Assigned To	dregad
Priority	normal	Severity	feature	Reproducibility	N/A
Status	closed	Resolution	fixed

Summary	0007864: Native support for SHA1 authentification within Mantis
Description	Since several years we use the python based Wiki-Clone "MoinMoin" (http://moinmoin.wikiwikiweb.de) as the central knowledge management system. We have about 50 user account. To ease user help desk ("I forgot my password") we allow the users to reset their password like Mantis does. The passwords are stored encrypted. The same usernames and passwords are also used within our HTTP-Authentification within the Apache Webserver. For all users we've choosen the same username within MoinMoin and within Mantis. Since both systems have their own user management changing the password within one system does not affect the password in the other system. Therefore we'd like to sync the encrypted passwords between both systems. Since the passwords within MoinMoin and Apache .htaccess are SHA1 encrypted it we cannot use them directly within Mantis. Therefore it would be nice, Mantis would also support SHA1 authentification.
Tags	No tags attached.
Attached Files	SHA1-auth-1.0.6.tar.gz (29,882 bytes) SHA1-auth-1.1.0a2.tar.gz (31,894 bytes)

dlmueller 2007-04-05 04:05 reporter ~0014316	I'd like to generate an encoded password that is compatible to the output of the program ''htpasswd''. See the following example: The command "htpasswd -nbs UserName mypassword" yields in the output "UserName:{SHA}kd/Z3bQZiv/FwZTNjObTOP3kcOI=". Within PHP one can reproduce this output by using echo {SHA}.base64_encode( sha1("mypassword", true) ); which yields {SHA}kd/Z3bQZiv/FwZTNjObTOP3kcOI= To ensure complete compability one must prepend the prefix "{SHA}" before the output of the base64 encoded SHA1 hashed password. I will implement this authentification method and provide a patch. The following function will be used: string base64_encode ( string data ) ''available in since (PHP 4, PHP 5)'' string sha1 ( string str [, bool raw_output] ) ''available in (PHP 4 >= 4.3.0, PHP 5)''

dlmueller 2007-04-05 05:41 reporter ~0014317	With the leading prefix "{SHA}" the SHA1 encrypted passwords need 34 bytes and thus exceed the current size of the field "username" which is defined as "VARCHAR(32)". To be compliant to the output of "htpasswd" I would prefer an according change of the DB-scheme i.e. change the field "password" in "mantis_user_table" from currently "varchar(32)" to say "varchar(40)" or "varchar(64)". Until then: Since the DB-scheme should only be changed in a major release (say for instance 1.1) my patch does currently omits the leading prefix "{SHA}" and thus safe 5 bytes yielding in only 29 bytes for the password. This behaviour can be configured using the boolean ON/OFF flag "$g_login_method_sha1_prefix" in the config file "config_defaults_inc.php".

ega 2007-04-23 03:41 reporter ~0014385	sha1("mypassword", true) is not correct for php4 I've copying the phpldapadmin function, and that now work well with php4 in core/authentication_api.php : // $t_processed_password .= base64_encode( sha1( $p_password, TRUE ) ); # @@@ added by dlmueller, see issue 0007864 for details ^M if( function_exists('sha1') ) { // use php 4.3.0+ sha1 function, if it is available. $t_processed_password = '{SHA}' . base64_encode( pack( 'H*' , sha1( $p_password) ) ); `} elseif( function_exists( 'mhash' ) ) { $t_processed_password = '{SHA}' . base64_encode( mhash( MHASH_SHA1, $p_password) ); } else { pla_error( _('Your PHP install does not have the mhash() function. Cannot do SHA hashes.') ); }` Thanks for your works.