Bug #82588 for RT-Authen-ExternalAuth: Per-hash salt support in DBI backend

Wed Jan 09 12:52:15 2013 viktor.larionov [...] salva.ee - Ticket created

Subject:	RT-Authen-ExternalAuth modification
Date:	Wed, 9 Jan 2013 19:05:46 +0200
To:	<tsibley [...] cpan.org>
From:	Viktor Larionov <Viktor.Larionov [...] salva.ee>

Hi Thomas! First of all thanks a million for a great job you've done with RT::Authen::ExternalAuth. Great stuff. We use it to allow certain groups of our users to our internal RT instance. Here http://requesttracker.wikia.com/wiki/ExternalAuth#RT::Authen::ExternalAuth you have mentioned, you'd like to hear about updates to your code done by end-users, so I thought our minor change could be of use also. The case with us, is that passwords on our database are encrypted using Crypt::PasswdMD5 with salt residing inside the hash. (the good old unix way, you know) RT::Authen::ExternalAuth by default can deal only with a static salt, as far as I understood, so we did a quick and dirty update to your original code in order to fix that. An update looks like this (sorry for not making a nice and shiny diff): File: T-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm, line 80: if($pass_from_db =~ /\A\$[0-9]\$([^\$]+)\$.+\Z/) { $RT::Logger->info($service, "Supplied password hash contains a salt, extracting and using it instead of static."); $db_p_salt = $1; } Works like a charm. Cheers! Viktor "vik" Larionov head of IT ops, Salva Insurance plc., Tallinn, Estonia Viktor Larionov IT osakonna juhataja IT-osakond Salva Kindlustuse AS Tel: (+372) 683 0630 | GSM: (+372) 566 86811 | Viktor.Larionov@salva.ee | www.salva.ee (SMX)338844

Download B2R1UBNvEiyqWSx.gif
image/gif 3.4k

Wed Jan 09 12:55:10 2013 tsibley [...] cpan.org - Subject changed from 'RT-Authen-ExternalAuth modification' to 'Individual salt support'

Wed Jan 09 12:55:20 2013 tsibley [...] cpan.org - Subject changed from 'Individual salt support' to 'Per-hash salt support in DBI backend'

Wed Jan 09 12:55:41 2013 tsibley [...] cpan.org - Severity Wishlist added

Thu Jan 10 08:10:18 2013 ruz [...] bestpractical.com - Correspondence added

Subject:	Re: [rt.cpan.org #82588] RT-Authen-ExternalAuth modification
Date:	Thu, 10 Jan 2013 17:10:07 +0400
To:	bug-RT-Authen-ExternalAuth [...] rt.cpan.org
From:	Ruslan Zakirov <ruz [...] bestpractical.com>

Hi, I see what you've done it's not bad. Can you take a look at dbi-password-check-callback code branch? It allows you do the same with a callback without bringing in every possible hashing into the module. -- Best regards, Ruslan.

Thu Jan 10 08:10:19 2013 The RT System itself - Status changed from 'new' to 'open'

Thu Jan 10 08:23:53 2013 viktor.larionov [...] salva.ee - Correspondence added

Subject:	RE: [rt.cpan.org #82588] RT-Authen-ExternalAuth modification
Date:	Thu, 10 Jan 2013 15:23:39 +0200
To:	<bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From:	Viktor Larionov <Viktor.Larionov [...] salva.ee>

Hi Ruslan! As a quick look I have a feeling that dbi-password-check-callback patch could be just the right thing, to make this change more elegant. I'll give it a try in the nearcoming days and give you feedback. Thanks! Cheers, vik Viktor Larionov IT osakonna juhataja IT-osakond Salva Kindlustuse AS Tel: (+372) 683 0630 | GSM: (+372) 566 86811 | Viktor.Larionov@salva.ee | www.salva.ee (SMX)338844 Show quoted text

-----Original Message----- From: Ruslan Zakirov via RT [mailto:bug-RT-Authen-ExternalAuth@rt.cpan.org] Sent: Thursday, January 10, 2013 3:10 PM To: viktor.larionov@salva.ee Subject: Re: [rt.cpan.org #82588] RT-Authen-ExternalAuth modification <URL: https://rt.cpan.org/Ticket/Display.html?id=82588 > Hi, I see what you've done it's not bad. Can you take a look at dbi-password-check-callback code branch? It allows you do the same with a callback without bringing in every possible hashing into the module. -- Best regards, Ruslan.

Download pHe8OxVhCBV4JC6.gif
image/gif 3.4k

Thu Jan 10 12:23:28 2013 viktor.larionov [...] salva.ee - Correspondence added

Subject:	Re: [rt.cpan.org #82588] RT-Authen-ExternalAuth modification
Date:	Thu, 10 Jan 2013 19:23:14 +0200
To:	<bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From:	Viktor Larionov <Viktor.Larionov [...] salva.ee>

Hi Ruslan! Tried dbi-password-check-callback and it;s exactly what I needed. And simple as 1,2,3. Just for mentioning what I did: 1. Applied the patch. 2. Added theese lines to RT_SiteConfig.pm: Set($ExternalPasswordCheckCallback, sub { require Crypt::PasswdMD5; my $salt = undef; if($_[0] =~ /A$[0-9]$([^$]+)$.+Z/) { $RT::Logger->debug("ExternalPasswordCheckCallback", "Supplied password hash contains a salt, extracting and using it."); $salt = $1; $RT::Logger->debug("ExternalPasswordCheckCallback", "Using salt: $salt"); } return((Crypt::PasswdMD5::unix_md5_crypt($_[1], $salt) eq $_[0])); } ); 3. Added a field p_check, with value of $RT::ExternalPasswordCheckCallback to external service definitions. And that was it. Thanks for a valuable hint! I'll stick to this solution. Cheers, Viktor Viktor Larionov IT osakonna juhataja IT-osakond Salva Kindlustuse AS Tel: (+372) 683 0630 | GSM: (+372) 566 86811 | Viktor.Larionov@salva.ee | www.salva.ee (SMX)338844 10.01.2013 15:10 kirjutas Ruslan Zakirov via RT: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=82588 [1] > >

Show quoted text

> Hi, > > I see what you've done it's not bad. Can you take a look

at Show quoted text

> dbi-password-check-callback code branch? It allows you do the

same Show quoted text

> with a callback without bringing in every possible hashing into

the Show quoted text

> module.

Links: ------ [1] https://rt.cpan.org/Ticket/Display.html?id=82588

Download I4B3LxfL9hRNQnU.gif
image/gif 3.4k

Tue Feb 26 02:12:28 2013 RINGERC [...] cpan.org - Correspondence added

While touching this code it's also worth considering that many systems will store the password salt in a separate field, eg 'salt' and 'passwordHash' columns in a 'user' table.

Tue Feb 26 02:12:41 2013 RINGERC [...] cpan.org - Cc RINGERC added