Admin password algorithm during install
Posted #3241 (In Topic #602)
Standard member
Essentially, I need to replicate the algorithm used by Composr itself and I thought this was it:
md5($salt.md5($password));
The salt I'm generating looks like: 59d0d80aab44d
When I try to log in after the install is complete it tells me that the password is wrong, and I confirmed that the value my little md5 code there returns doesn't match what Composr thinks is correct.
I've been reading through the passwd.php, password_rules, crypt.php, and cns_forum_driver_helper_auth.php files trying to follow the logic but it eludes me. I see there are different hashing options, but which one should I be using?
Any advice would be appreciated.
Thanks,
Rowan.
@Installatron.com
Posted
Site director
That's a legacy password style, but your code does look correct to me.
Code
function ratchet_hash_verify($password, $salt, $pass_hash_salted, $legacy_style = 0)
{
    if ((function_exists('password_verify')) && (preg_match('#^\w+$#', $pass_hash_salted) == 0)) {
        return password_verify($salt . md5($password), $pass_hash_salted);
    }
    // Old-style md5'd password
    if ($legacy_style == PASSWORD_SALT) {
        return (md5($password . $salt) == $pass_hash_salted);
    }
    return (md5($salt . md5($password)) == $pass_hash_salted);
}
We moved to preferring to use PHP's new password API, but if it doesn't look like it is for that (the preg_match) or if it is not available, it rolls on to the legacy md5 code.
I don't believe $legacy_style==PASSWORD_SALT will hold true, so it should use md5($salt . md5($password)).
Maybe you can provide a password/salt combo, the hash your code produces, and your code, and I can advise further.
Become a fan of Composr on Facebook or add me as a friend. Add me on on Mastodon. Follow me on Minds (where I am most active). Support me on Patreon
- If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
- If so, please let others know about Composr whenever you see the opportunity or support me on Patreon.
- If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying Composr on fun personal projects.
- If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
Posted
Guest user
The ratchet_hash_verify() function doesn't appear to be used when logging in as the administrator; I added a "echo "1"; exit();" to the top of the function and it's not triggered when I attempt to log in.
Here are some example values. I always use "admin" for the username and "adminadmin" for the password:
Code
md5($salt.md5($password)):
m_pass_hash_salted=51d1dbd34af9ac537c318909ee6bfc88, m_pass_salt=59d1d44b38117
m_pass_hash_salted=7671fb34984a1e7c526e27e30453f814, m_pass_salt=59d0d80aab44d
md5($password.$salt):
m_pass_hash_salted=25808131a68cd7b0c440fcd3b0294732, m_pass_salt=59d1d52bbda61
Here's the SQL for the latter:
(2, 'admin', '25808131a68cd7b0c440fcd3b0294732', '59d1d52bbda61', '', 'themes/default/images/cns_default_avatars/default_set/cool_flare.png', 1, '', 0, 0, 1506923819, 'UTC', 2, 1501187954, 1501187954, '', 0, 0, NULL, NULL, NULL, 1, 'admin@da01.dev.installatron.com', '', '', '', 1, 1, '', '127.0.0.1', 1, 1, 0, '*', '', 5, '', 'plain', NULL, 0, 0, 1, '', 1, '', 1),
And here is the PHP code I'm using to build the database:
Code
$this->sr("install.sql", "#CHARACTER SET=utf8mb4#", "CHARACTER SET=utf8 COLLATE utf8_unicode_ci"); // @NOTE: because of "Specified key was too long; max key length is 1000 bytes" error
$this->sr("install.sql", "#cms\d*_#", "{$this->db_prefix}");
$this->db_import('install.sql');

$username = $this->input['field_login'];
$password = $this->input['field_passwd'];
$email = $this->input['field_email'];
$time = time();
$salt = uniqid('');

// mysql_escape_string() is deprecated since PHP 5.3 and removed in PHP 7.0; kept here as posted
$this->db_query("UPDATE {$this->db_prefix}f_members
    SET m_username='" . mysql_escape_string($username) .
    "', m_pass_hash_salted='" . md5($salt . md5($password)) .
    // "', m_pass_hash_salted='" . md5($password . $salt) .
    "', m_pass_salt='" . mysql_escape_string($salt) .
    "', m_email_address='" . mysql_escape_string($email) .
    "', m_join_time=" . $time .
    " WHERE id=2");
Thanks,
Rowan.
Posted
Site director
I believe the issue is you need to also set m_password_compat_scheme=''.
We have it set to plain in install.sql, which is not appropriate once a real password is set.
Thank you for fixing the installer for us.

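To make the two answers above concrete, here is an added PHP example (not Composr's own code, and not Rowan's installer). It reproduces the ratchet_hash_verify() logic quoted above, with hash_equals() swapped in for == so the comparison is constant-time (a change of mine), and wraps it in a small dispatcher keyed on m_password_compat_scheme. The PASSWORD_SALT value, the member_password_ok() and build_member_row() helpers, and the reading of 'plain' as "compare the stored value literally with the typed password" are my assumptions, inferred from the thread rather than taken from Composr's source.

```php
<?php
// Added example, not Composr code. Models how a f_members row is interpreted
// at login depending on m_password_compat_scheme, and why the installer row
// has to clear that column once a real hash has been written.

// Assumption: Composr defines PASSWORD_SALT somewhere in its ratchet code;
// only the comparison in ratchet_hash_verify() matters here, so any value works.
const PASSWORD_SALT = 1;

// The legacy Composr scheme from the thread: md5($salt . md5($password)).
function composr_legacy_hash(string $password, string $salt): string
{
    return md5($salt . md5($password));
}

// Mirrors the ratchet_hash_verify() quoted above; hash_equals() replaces ==
// so a wrong hash is rejected in constant time (my change, not Composr's).
function ratchet_hash_verify(string $password, string $salt, string $pass_hash_salted, int $legacy_style = 0): bool
{
    // A bcrypt/argon hash from password_hash() contains '$', '/', '.' and so
    // fails the ^\w+$ test; a 32-char md5 hex digest passes it and falls through.
    if (function_exists('password_verify') && preg_match('#^\w+$#', $pass_hash_salted) == 0) {
        return password_verify($salt . md5($password), $pass_hash_salted);
    }
    if ($legacy_style == PASSWORD_SALT) {
        return hash_equals(md5($password . $salt), $pass_hash_salted);
    }
    return hash_equals(composr_legacy_hash($password, $salt), $pass_hash_salted);
}

// Assumption: 'plain' means the stored value IS the password (install.sql
// default), '' means "use the salted hash path". Anything else is rejected.
function member_password_ok(array $member, string $password): bool
{
    switch ($member['m_password_compat_scheme']) {
        case 'plain':
            return hash_equals($member['m_pass_hash_salted'], $password);
        case '':
            return ratchet_hash_verify($password, $member['m_pass_salt'], $member['m_pass_hash_salted']);
        default:
            return false;
    }
}

// What an installer should write once the real admin password is known:
// the legacy hash, its salt, and an EMPTY compat scheme.
function build_member_row(string $password, string $salt): array
{
    return [
        'm_pass_hash_salted'       => composr_legacy_hash($password, $salt),
        'm_pass_salt'              => $salt,
        'm_password_compat_scheme' => '',
    ];
}

// --- demo, using the thread's test password -------------------------------
$password = 'adminadmin';
$salt     = uniqid('');   // same salt style as Rowan's installer (13 hex chars)

// 1. Row as install.sql leaves it: scheme still 'plain', so the hex digest is
//    compared literally with the typed password and login fails.
$row = build_member_row($password, $salt);
$row['m_password_compat_scheme'] = 'plain';
printf("scheme 'plain', correct password : %s\n", member_password_ok($row, $password) ? 'accepted' : 'rejected');

// 2. Same row with the scheme cleared: the legacy md5 branch is taken.
$row['m_password_compat_scheme'] = '';
printf("scheme '',      correct password : %s\n", member_password_ok($row, $password) ? 'accepted' : 'rejected');
printf("scheme '',      wrong password   : %s\n", member_password_ok($row, 'wrong') ? 'accepted' : 'rejected');

// 3. Upgrade path: store password_hash() of the same pre-image. The ^\w+$
//    test now fails, so ratchet_hash_verify() routes to password_verify().
$row['m_pass_hash_salted'] = password_hash($salt . md5($password), PASSWORD_DEFAULT);
printf("bcrypt row,     correct password : %s\n", member_password_ok($row, $password) ? 'accepted' : 'rejected');

// 4. Cross-check the md5($salt.md5($password)) values Rowan posted above.
$posted = [
    ['salt' => '59d1d44b38117', 'hash' => '51d1dbd34af9ac537c318909ee6bfc88'],
    ['salt' => '59d0d80aab44d', 'hash' => '7671fb34984a1e7c526e27e30453f814'],
];
foreach ($posted as $p) {
    printf("salt %s: recomputed hash %s the posted one\n", $p['salt'],
        composr_legacy_hash($password, $p['salt']) === $p['hash'] ? 'matches' : 'does not match');
}
```

Run it with `php example.php`. The first line of output is the failure mode from the thread (hash written, scheme left at 'plain'), the second is the fix from the answer above (scheme set to ''), and the bcrypt case shows that the same stored column can carry a modern password_hash() value without any change to the verify call, which is what the preg_match() guard in ratchet_hash_verify() is for.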
Posted
Guest user
That worked! I added that little fix to our installer and now it's working. Yay!
Thanks,
Rowan.