How to deal with "salt" using authMSQL?

Added by Darren Adams over 8 years ago

After upgrading from redmine 1.1.1 to 1.2.0, the apache mod_auth_mysql method, posted here:

http://ailoo.net/2009/03/authenticate-apache-against-redmine-with-authmysql/

...stopped working.

I'm pretty sure this is due to the added "salt" on the passwd field. I'm just not sure how to deal with it. mod_auth_mysql has a AuthMySQLSaltField option, but it is only for the "aes" and "crypt" encryption methods. Any advice on how to change the DB view to accommodate the salt?

Here is the SQL from the link above for creating a simple view(that worked with 1.1.1) to use with mod_auth_mysql:

CREATE VIEW users_auth_external AS
SELECT u.login AS username,
       u.hashed_password AS passwd,
       GROUP_CONCAT(p.identifier) AS groups
FROM `members` m
INNER JOIN users u ON m.user_id = u.id
INNER JOIN projects p ON m.project_id = p.id
WHERE u.status = 1
GROUP BY username

and the corresponding apache config:

<Location /redmine-auth>
       AuthType Basic
       AuthName "Redmine SVN Repository" 
       AuthBasicAuthoritative Off
       AuthUserFile /dev/null
       AuthMySQLEnable On
       AuthMySQLAuthoritative      on
       AuthMySQLHost               localhost
       AuthMySQLDB                 redmine
       AuthMySQLUser               redmine
       AuthMySQLPassword           pass
       AuthMySQLUserTable          users_auth_external
       AuthMySQLNameField          username
       AuthMySQLPasswordField      passwd
       AuthMySQLGroupField         groups
       AuthMySQLPwEncryption       sha1
       Require group               dns
</Location>

Replies (12)

RE: How to deal with "salt" using authMSQL? - Added by Daniel Varga over 8 years ago

Hello Darren...

If adding a salt to the view would solve the problem the SQL to create the view is this:

CREATE VIEW users_auth_external AS
SELECT u.login AS username,
       u.hashed_password AS passwd,
       u.salt AS salt,
       GROUP_CONCAT(p.identifier) AS groups
FROM `members` m
INNER JOIN users u ON m.user_id = u.id
INNER JOIN projects p ON m.project_id = p.id
WHERE u.status = 1
GROUP BY username

BUT, defining the Salt column will not solve your problem. The algorithm to store the passwords in Redmine is this:

SHA1( cleartextpasswd + SHA1(salt) )

Where the + sign means concat...

The reason why it won't solve your problem is because mod_auth_mysql builds the SQL query like this if salt is defined in the config file:

SNPRINTF(query,sizeof(query)-1,"SELECT %s, length(%s), %s FROM %s WHERE %s='%s' AND %s",
        m->mysqlPasswordField, m->mysqlPasswordField, salt_column, m->mysqlpwtable,
        m->mysqlNameField, sql_safe_user, str_format(r, m->mysqlUserCondition));

So the Query would be:
SELECT `passwdfield`, length(`passwdfield`), `saltfield` FROM `authtable` WHERE `usernamefield` = 'username' AND ....

Once the password has been retrieved, which is stored in the DB by redmine with the algorithm I mentioned above, it is compared to the password you have entered with the following function in the source file: pw_sha1()

Reading the code I noticed that it doesn't use the same algorithm as redmine to actually create the salted passwords thus even if you define the salt column, you wouldn't be able to authenticate against redmine's UserDB.

This is the 2nd such thing that doesn't work with redmine's password storing algorithm...

Regards

RE: How to deal with "salt" using authMSQL? - Added by Daniel Varga over 8 years ago

My answer applies to the 1.2.x versions, where salt was introduced, not to 1.1.x.

RE: How to deal with "salt" using authMSQL? - Added by Darren Adams over 8 years ago

Thanks for the reply. I can confirm that simply adding the salt column and configuring authMYSQL to use it doesn't work. If I understand correctly then, the field "hashed_password" in the redmine users table is the above concatenation:

SHA1( cleartextpasswd + SHA1(salt) )

So, the problem is that authMYSQL only hashes (via sha1) the entered password and then checks that against what is in the DB view's "passwd" column. The only way that will ever work is if somehow that column is "unsalted". And secondly, the authMYSQL method of applying salt doesn't mesh with that of Redmine to create the same hash as is stored in the users.hashed_password DB column.

Interesting.

Ok, so for the authMYSQL to work, it sounds like I have 2 options:

1) Patch mod_auth_mysql to apply salt in the same manner as redmine.

2) Patch redmine to store "unsalted" hashed passwords alongside the currently salted ones.

The downside of option #2 is that it would obviously undermine the salt, and would also require either access to cleartext passwords (to re-hash them), or for everyone to re-generate their passwords once the patch is in place.

I'm trying to track down password comparison functions you mentioned above. Could you post more specific coordinates for that code?

Peace.

RE: How to deal with "salt" using authMSQL? - Added by Jevgen Gyrynovych over 8 years ago

No, Redmine uses another algorithm: SHA1) http://www.redmine.org/issues/7410
We patched mod_auth_mysql to work with Redmine.
You can download a ready Debian package (I built it for Ubuntu 10.04) or the diff file and build it yourself.
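For reference, here is the check Redmine 1.2 actually performs, written as an added Python example (not code from this thread, from Redmine or from mod_auth_mysql): User#check_password? compares the stored hashed_password with SHA1(salt + SHA1(cleartext)), hex-encoded, which is the scheme the issue Jevgen links introduced. The sample row below is constructed, and mod_auth_mysql_sha1_check models what the module's plain sha1 mode compares, which is why the view from the first post cannot work without patching the module.

```python
import hashlib
import hmac

def sha1_hex(data: str) -> str:
    """Lower-case hex SHA-1 of a UTF-8 string (Digest::SHA1.hexdigest in Ruby)."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()

def redmine_hash_password(clear: str, salt: str) -> str:
    """Redmine 1.2+ stored form: SHA1(salt + SHA1(cleartext)), 40 hex chars."""
    return sha1_hex(salt + sha1_hex(clear))

def redmine_check_password(clear: str, salt: str, hashed_password: str) -> bool:
    """Equivalent of User#check_password? for a local (non-LDAP) account."""
    return hmac.compare_digest(redmine_hash_password(clear, salt), hashed_password)

def mod_auth_mysql_sha1_check(clear: str, stored: str) -> bool:
    """What AuthMySQLPwEncryption sha1 effectively does: compare hex SHA1(cleartext)
    with the stored column, ignoring case. The salt is never applied."""
    return hmac.compare_digest(sha1_hex(clear), stored.lower())

def check_view_row(row: dict, username: str, clear: str) -> bool:
    """Authenticate a Basic-auth attempt against one row of the users_auth_external
    view from the thread, extended with the salt column Daniel suggested."""
    if row["username"] != username:
        return False
    return redmine_check_password(clear, row["salt"], row["passwd"])

# Constructed sample data (not real credentials); Redmine salts are 32 hex chars.
SAMPLE_SALT = "3f1c2a9b7e5d4c6a8b0f1e2d3c4b5a69"
SAMPLE_PASSWORD = "correct horse battery"
SAMPLE_ROW = {
    "username": "darren",
    "salt": SAMPLE_SALT,
    "passwd": redmine_hash_password(SAMPLE_PASSWORD, SAMPLE_SALT),
    "groups": "dns,redmine",
}

if __name__ == "__main__":
    print("stored hashed_password:", SAMPLE_ROW["passwd"])
    print("salted check, right password:", check_view_row(SAMPLE_ROW, "darren", SAMPLE_PASSWORD))
    print("salted check, wrong password:", check_view_row(SAMPLE_ROW, "darren", "guess"))
    print("plain sha1 mode on the same row:", mod_auth_mysql_sha1_check(SAMPLE_PASSWORD, SAMPLE_ROW["passwd"]))
```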

RE: How to deal with "salt" using authMSQL? - Added by richard rigby about 8 years ago

patch attached for mod_auth_mysql-3.0.0, which is the version distributed with rhel 5, and derivatives (centos, etc.).
this allows the AuthMySQLPwEncryption config option to be set to:

sha1-rm

and using the AuthMySQLSaltField (set this to: salt), should be able to authenticate against the hashed_password field in the redmine users table.

my knowledge of coding in c is pretty basic, so there are probably lots of better ways of doing this, but this seems to work correctly, and thought it may be of use to someone else.

thanks,

richard. x

RE: How to deal with "salt" using authMSQL? - Added by Kosuke Fudy about 6 years ago

this patch doesn't work on Ubuntu LTS 12.04.
I downloaded the patch file, applied it to mod_auth_mysql-3.0.0, compiled and installed it.
Then I modified dav_svn.conf as follows:

AuthBasicAuthoritative Off
AuthUserFile /dev/null
AuthMYSQLEnable On
AuthMySQLAuthoritative On
AuthMySQLHost localhost
AuthMySQLUser redmine
AuthMySQLPassword redmine
AuthMySQLDB redmine
AuthMySQLUserTable svn_user
AuthMySQLNameField user_name
AuthMySQLPasswordField user_passwd
AuthMySQLGroupTable svn_group
AuthMySQLGroupField user_group
AuthMySQLPwEncryption sha1-rm
AuthMySQLSaltField salt
but nothing changed.

richard rigby wrote:

patch attached for mod_auth_mysql-3.0.0, which is the version distributed with rhel 5, and derivatives (centos, etc.).
this allows the AuthMySQLPwEncryption config option to be set to:

sha1-rm

and using the AuthMySQLSaltField (set this to: salt), should be able to authenticate against the hashed_password field in the redmine users table.

my knowledge of coding in c is pretty basic, so there are probably lots of better ways of doing this, but this seems to work correctly, and thought it may be of use to someone else.

thanks,

richard. x

RE: How to deal with "salt" using authMSQL? - Added by Kosuke Fudy about 6 years ago

this deb can't be installed on Ubuntu LTS 12.04, and the patch file provided can't be applied to
mod_auth_mysql-3.0.0

Jevgen Gyrynovych wrote:

No, Redmine uses another algorithm: SHA1) http://www.redmine.org/issues/7410
We patched mod_auth_mysql to work with Redmine.
You can download a ready Debian package (I built it for Ubuntu 10.04) or the diff file and build it yourself.

RE: How to deal with "salt" using authMSQL? - Added by Lai Yonghao about 6 years ago

Kosuke Fudy wrote:

this deb can't be installed on Ubuntu LTS 12.04, and the patch file provided can't be applied to
mod_auth_mysql-3.0.0

Jevgen Gyrynovych wrote:

No, Redmine uses another algorithm: SHA1) http://www.redmine.org/issues/7410
We patched mod_auth_mysql to work with Redmine.
You can download a ready Debian package (I built it for Ubuntu 10.04) or the diff file and build it yourself.

It's time to drop mod_auth_mysql and use redmine-auth instead.

see https://github.com/laiyonghao/redmine-auth

RE: How to deal with "salt" using authMSQL? - Added by Yusuke Masuda almost 6 years ago

I tried to use "redmine-auth" but it doesn't work well. (Segmentation fault has occurred)

Finally I used "mod_auth_mysql" with the patch "mod_auth_mysql-3.0.0-redmine.patch" contributed by richard rigby.
However, the build with the patch failed, because the variable 'enc_len01' was not used after it was initialized.
I checked the source code and fixed it.

I attach a fixed patch. I hope it helps.

RE: How to deal with "salt" using authMSQL? - Added by Yusuke Masuda almost 6 years ago

Sorry, my environment cannot upload an attached file.
Here is its diff.

55c55
< +  enc_len01 = ap_base64decode(scrambled_sent_pw, buffer);
---
> +  enc_len = ap_base64decode(scrambled_sent_pw, buffer);
58c58
< +  return  strcasecmp(bin2hex(pool, scrambled_salt_pw, enc_len01), real_pw) == 0;
---
> +  return  strcasecmp(bin2hex(pool, scrambled_salt_pw, enc_len), real_pw) == 0;
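Review bot: these two hunks only work as a pair, and after 55c55 stops assigning enc_len01 the declaration `short enc_len01 = 0;` from the patched pw_sha1_rm is left dead in the APACHE2 branch; remove that declaration too, otherwise the set-but-unused warning that broke the build just moves to it. Since enc_len is already the length variable of the non-APACHE2 branch, it is also worth confirming that both branches now decode into the same buffer before the shared bin2hex call.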

RE: How to deal with "salt" using authMSQL? - Added by Ross Tang over 3 years ago

Yusuke Masuda wrote:

Sorry, my env cannot upload attached file.
I show its diff.

[...]

vi mod_auth_mysql-3.0.0-redmine.patch

...
+/* checks SHA1 passwords - adjusted for use with redmine */
+static short pw_sha1_rm(POOL * pool, const char * real_pw, const char * sent_pw, const char * salt) {
...
+  short enc_len = 0;
+  short enc_len01 = 0;
+  short pass = 0;
+#ifdef APACHE2
...
+  scrambled_salt_pw[enc_len01] = '\0';
+  pass = strcasecmp(bin2hex(pool, scrambled_salt_pw, enc_len01), real_pw);
+#else
...
+  scrambled_sent_pw[enc_len] = '\0';
+  pass = strcasecmp(bin2hex(pool, scrambled_sent_pw, enc_len), real_pw);
+#endif
+  return pass == 0;
+}
+
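Review bot: as far as the excerpt shows, the two preprocessor branches hex-encode different buffers (scrambled_salt_pw with enc_len01 under APACHE2, scrambled_sent_pw with enc_len otherwise), so on the non-APACHE2 path the value compared with real_pw is, by its name, the digest of the sent password without the salt applied; confirm both paths derive the same salted value before relying on the strcasecmp result. The `'\0'` writes before bin2hex are also unnecessary, since bin2hex is given an explicit length.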
