View Issue Details

ID: 0007864
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2011-08-05 02:45
Reporter: dlmueller
Assigned To: dregad
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Summary: 0007864: Native support for SHA1 authentication within Mantis
Description

For several years we have used the Python-based wiki clone "MoinMoin" (http://moinmoin.wikiwikiweb.de) as our central knowledge management system. We have about 50 user accounts. To ease the user help desk ("I forgot my password") we allow the users to reset their password like Mantis does. The passwords are stored encrypted. The same usernames and passwords are also used for our HTTP authentication within the Apache web server.

For all users we've chosen the same username within MoinMoin and within Mantis. Since both systems have their own user management, changing the password within one system does not affect the password in the other system. Therefore we'd like to sync the encrypted passwords between both systems.

Since the passwords within MoinMoin and Apache .htaccess are SHA1 encrypted, we cannot use them directly within Mantis. Therefore it would be nice if Mantis also supported SHA1 authentication.

Tags: No tags attached.
Attached Files
SHA1-auth-1.0.6.tar.gz (29,882 bytes)
SHA1-auth-1.1.0a2.tar.gz (31,894 bytes)

Relationships

duplicate of 0011250 (closed, dregad): Allow SHA1 passwords

Activities

dlmueller

2007-04-05 04:05

reporter   ~0014316

I'd like to generate an encoded password that is compatible with the output of the program "htpasswd".

See the following example:
The command "htpasswd -nbs UserName mypassword" yields the output "UserName:{SHA}kd/Z3bQZiv/FwZTNjObTOP3kcOI=".

Within PHP one can reproduce this output by using
echo "{SHA}" . base64_encode( sha1("mypassword", true) );
which yields
{SHA}kd/Z3bQZiv/FwZTNjObTOP3kcOI=

To ensure complete compatibility one must prepend the prefix "{SHA}" before the output of the base64 encoded SHA1 hashed password.

I will implement this authentication method and provide a patch.

The following functions will be used:
string base64_encode ( string data ) (available in PHP 4, PHP 5)
string sha1 ( string str [, bool raw_output] ) (available in PHP 4 >= 4.3.0, PHP 5)

dlmueller

2007-04-05 05:41

reporter   ~0014317

With the leading prefix "{SHA}" the SHA1 encrypted passwords need 34 bytes and thus exceed the current size of the field "username" which is defined as "VARCHAR(32)".

To be compliant with the output of "htpasswd" I would prefer a corresponding change of the DB scheme, i.e. change the field "password" in "mantis_user_table" from currently "varchar(32)" to say "varchar(40)" or "varchar(64)".

Until then:
Since the DB scheme should only be changed in a major release (say for instance 1.1), my patch currently omits the leading prefix "{SHA}" and thus saves 5 bytes, yielding only 29 bytes for the password. This behaviour can be configured using the boolean ON/OFF flag "$g_login_method_sha1_prefix" in the config file "config_defaults_inc.php".

ega

2007-04-23 03:41

reporter   ~0014385

sha1("mypassword", true) is not correct for php4

I've copied the phpldapadmin function, and it now works well with php4 in core/authentication_api.php:


// $t_processed_password .= base64_encode( sha1( $p_password, TRUE ) ); # @@@ added by dlmueller, see issue 0007864 for details
if( function_exists( 'sha1' ) ) {
    // use php 4.3.0+ sha1 function, if it is available;
    // pack( 'H*', ... ) turns the hex digest into raw bytes, replacing the raw_output argument
    $t_processed_password = '{SHA}' . base64_encode( pack( 'H*', sha1( $p_password ) ) );
} elseif( function_exists( 'mhash' ) ) {
    // otherwise fall back to the mhash extension
    $t_processed_password = '{SHA}' . base64_encode( mhash( MHASH_SHA1, $p_password ) );
} else {
    // pla_error() is the error helper from the copied phpldapadmin code
    pla_error( _('Your PHP install does not have the mhash() function. Cannot do SHA hashes.') );
}

Thanks for your work.
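
The "htpasswd -s" format discussed in this thread, as an added example that is not part of the original issue or of the MantisBT code base: it encodes, parses and verifies "{SHA}" entries, accepts stored values with or without the prefix, and compares digests in constant time. All function names are hypothetical and PHP 7.1 or later is assumed; note that "{SHA}" is an unsalted SHA-1 digest, so identical passwords always produce identical stored values.

```php
<?php
// Added example; not MantisBT code. All function names are hypothetical.

const SHA_PREFIX = '{SHA}';

// Encode like `htpasswd -s`: "{SHA}" + base64 of the raw 20-byte SHA-1 digest.
// $with_prefix = false gives the prefix-less form the thread describes.
function htpasswd_sha1_encode( string $password, bool $with_prefix = true ): string {
    $b64 = base64_encode( sha1( $password, true ) );
    return $with_prefix ? SHA_PREFIX . $b64 : $b64;
}

// Split one "user:{SHA}..." line as printed by `htpasswd -nbs`; null if malformed.
function htpasswd_parse_line( string $line ): ?array {
    $parts = explode( ':', trim( $line ), 2 );
    if( count( $parts ) !== 2 || $parts[0] === '' ) {
        return null;
    }
    if( strncmp( $parts[1], SHA_PREFIX, strlen( SHA_PREFIX ) ) !== 0 ) {
        return null; // some other htpasswd scheme
    }
    return array( 'user' => $parts[0], 'hash' => $parts[1] );
}

// Check a password against a stored value, with or without the prefix.
function htpasswd_sha1_verify( string $password, string $stored ): bool {
    if( strncmp( $stored, SHA_PREFIX, strlen( SHA_PREFIX ) ) === 0 ) {
        $stored = substr( $stored, strlen( SHA_PREFIX ) );
    }
    // Strict decode; anything that is not a 20-byte digest is rejected.
    $raw = base64_decode( $stored, true );
    if( $raw === false || strlen( $raw ) !== 20 ) {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals( $raw, sha1( $password, true ) );
}

// Sample line taken from the thread above.
$entry = htpasswd_parse_line( 'UserName:{SHA}kd/Z3bQZiv/FwZTNjObTOP3kcOI=' );
var_dump( $entry['user'] );
var_dump( htpasswd_sha1_verify( 'mypassword', $entry['hash'] ) );
var_dump( htpasswd_sha1_verify( 'wrongpassword', $entry['hash'] ) );
var_dump( htpasswd_sha1_verify( 'mypassword', htpasswd_sha1_encode( 'mypassword', false ) ) );
// The PHP 4 workaround from the thread yields the same raw digest as raw_output = true.
var_dump( pack( 'H*', sha1( 'mypassword' ) ) === sha1( 'mypassword', true ) );
```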