Admin password algorithm during install

#3241 (In Topic #602)
Sumaleth is in the usergroup ‘Fan in training’
I'm working on the Composr installer used by Installatron (One-click web application auto-installer | Installatron) and I have it installing fine but I can't get it to set the admin's password correctly.

Essentially, I need to replicate the algorithm used by Composr itself and I thought this was it:

md5($salt.md5($password));

The salt I'm generating looks like: 59d0d80aab44d

When I try to log in after the install is complete it tells me that the password is wrong, and I confirmed that the value my little md5 code there returns doesn't match what Composr thinks is correct.


I've been reading through the passwd.php, password_rules, crypt.php, and cns_forum_driver_helper_auth.php files trying to follow the logic but it eludes me. I see there are different hashing options, but which one should I be using?

Any advice would be appreciated.

Thanks,
Rowan.
@Installatron.com
#3242
Chris Graham is in the usergroup ‘Administrators’
Hi,

That's a legacy password style, but your code does look correct to me.

Code

function ratchet_hash_verify($password, $salt, $pass_hash_salted, $legacy_style = 0)
{
    if ((function_exists('password_verify')) && (preg_match('#^\w+$#', $pass_hash_salted) == 0)) {
        return password_verify($salt . md5($password), $pass_hash_salted);
    }

    // Old-style md5'd password
    if ($legacy_style == PASSWORD_SALT) {
        return (md5($password . $salt) == $pass_hash_salted);
    }
    return (md5($salt . md5($password)) == $pass_hash_salted);
}

We moved to preferring to use PHP's new password API, but if it doesn't look like it is for that (the preg_match) or if it is not available, it rolls on to the legacy md5 code.

I don't believe $legacy_style==PASSWORD_SALT will hold true, so it should use md5($salt . md5($password)).

Maybe you can provide a password/salt combo, the hash your code produces, and your code, and I can advise further.

#3243
Guest user
Thanks for the reply.

The ratchet_hash_verify() function doesn't appear to be used when logging in as the administrator; I added an "echo "1"; exit();" to the top of the function and it's not triggered when I attempt to log in.

Here are some example values. I always use "admin" for the username and "adminadmin" for the password:

Code

md5($salt.md5($password)):
m_pass_hash_salted=51d1dbd34af9ac537c318909ee6bfc88, m_pass_salt=59d1d44b38117
m_pass_hash_salted=7671fb34984a1e7c526e27e30453f814, m_pass_salt=59d0d80aab44d

md5($password.$salt):
m_pass_hash_salted=25808131a68cd7b0c440fcd3b0294732, m_pass_salt=59d1d52bbda61

Here's the SQL for the latter:
(2, 'admin', '25808131a68cd7b0c440fcd3b0294732', '59d1d52bbda61', '', 'themes/default/images/cns_default_avatars/default_set/cool_flare.png', 1, '', 0, 0, 1506923819, 'UTC', 2, 1501187954, 1501187954, '', 0, 0, NULL, NULL, NULL, 1, 'admin@da01.dev.installatron.com', '', '', '', 1, 1, '', '127.0.0.1', 1, 1, 0, '*', '', 5, '', 'plain', NULL, 0, 0, 1, '', 1, '', 1),


And here is the PHP code I'm using to build the database:

Code

// Patch install.sql before importing it: downgrade the charset because of the
// "Specified key was too long; max key length is 1000 bytes" error, and apply our table prefix
$this->sr("install.sql", "#CHARACTER SET=utf8mb4#", "CHARACTER SET=utf8 COLLATE utf8_unicode_ci"); // @NOTE: because of "Specified key was too long; max key length is 1000 bytes" error
$this->sr("install.sql", "#cms\d*_#", "{$this->db_prefix}");
$this->db_import('install.sql');

// Admin credentials entered by the user in the installer form
$username = $this->input['field_login'];
$password = $this->input['field_passwd'];
$email    = $this->input['field_email'];
$time     = time();
$salt     = uniqid(''); // 13-character salt, e.g. 59d0d80aab44d

// Overwrite the placeholder admin member (id=2) created by install.sql
$this->db_query("UPDATE {$this->db_prefix}f_members
            SET m_username='" . mysql_escape_string($username) .
            "', m_pass_hash_salted='" . md5($salt.md5($password)) .
//            "', m_pass_hash_salted='" . md5($password.$salt) .
            "', m_pass_salt='" . mysql_escape_string($salt) .
            "', m_email_address='" . mysql_escape_string($email) .
            "', m_join_time=" . $time .
            " WHERE id=2");
I had actually forgotten about the CHARACTER-SET change that I had to make to get it installing on our server. I don't _think_ that would cause a problem, given that the hash and salt are all from the [a-z][A-Z][0-9]_ set but maybe I'm missing something there?

Thanks,
Rowan.
#3244
Chris Graham is in the usergroup ‘Administrators’
Hi,

I believe the issue is you need to also set m_password_compat_scheme=''.

We have it set to plain in install.sql, which is not appropriate once a real password is set.

Thank you for fixing the installer for us :cool:.

#3246
Guest user
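The following is an added example (not Composr's or Installatron's code) that puts the two points of this thread together: the legacy hash is md5($salt . md5($password)), and a member row is only checked that way when m_password_compat_scheme is empty. It assumes, as a reading of Chris's reply, that the 'plain' scheme left by install.sql compares the stored value directly against the typed password, which is why a correctly hashed row still failed to log in; the salt generation and the row layout are constructed for illustration.

```python
import hashlib
import secrets


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string, matching PHP's md5()."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def legacy_hash(password: str, salt: str) -> str:
    """Composr legacy scheme quoted in the thread: md5($salt . md5($password))."""
    return md5_hex(salt + md5_hex(password))


def make_member_row(username: str, password: str) -> dict:
    """Columns an installer must set for a hashed admin password.

    Assumption: an empty m_password_compat_scheme selects the hashed check,
    which is the fix the thread arrives at. The salt is constructed here with
    secrets instead of PHP's uniqid(''), but keeps the same 13-char shape.
    """
    salt = secrets.token_hex(7)[:13]
    return {
        "m_username": username,
        "m_pass_hash_salted": legacy_hash(password, salt),
        "m_pass_salt": salt,
        "m_password_compat_scheme": "",
    }


def check_login(row: dict, password: str) -> bool:
    """Assumed login behaviour per compat scheme (illustrative, not Composr code).

    'plain' compares the stored value to the raw password (what install.sql
    leaves behind); '' applies the legacy salted-md5 scheme.
    """
    scheme = row["m_password_compat_scheme"]
    stored = row["m_pass_hash_salted"].encode("utf-8")
    if scheme == "plain":
        return secrets.compare_digest(stored, password.encode("utf-8"))
    if scheme == "":
        computed = legacy_hash(password, row["m_pass_salt"]).encode("utf-8")
        return secrets.compare_digest(stored, computed)
    raise ValueError(f"unhandled m_password_compat_scheme: {scheme!r}")


def reproduce_thread_bug(password: str = "adminadmin") -> tuple:
    """Returns (login ok with scheme '', login ok with scheme 'plain')."""
    row = make_member_row("admin", password)
    broken = dict(row, m_password_compat_scheme="plain")  # as left by install.sql
    return check_login(row, password), check_login(broken, password)
```

Running reproduce_thread_bug() returns (True, False): the same hashed row works once the scheme column is cleared and fails while it still says 'plain'.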
Chris,

That worked! I added that little fix to our installer and now it's working. Yay!

Thanks,
Rowan.