How to generate user password for migration

Added by Christoph Keimel over 11 years ago

Hello

I am currently migrating from a custom system to redmine 2.0.3 and I would like to create the appropriate inserts into the table USER keeping the password from the legacy system. For this I need to translate the algorithm for creating the password string stored in USER.HASHED_PASSWORD and USER.SALT to Java (the language of my choice).

I'm assuming SALT is randomly generated. I have read some posts and found different information for HASHED_PASSWORD.

sha1($salt . sha1($password));
SHA1( cleartextpasswd + SHA1(salt) )
See:

I would be very happy, if someone could clarify.

Thank you!
Christoph


Replies (6)

RE: How to generate user password for migration - Added by William Roush over 11 years ago

When all else fails, refer to source:

https://bitbucket.org/redmine/redmine-all/src/c06f74894d2c/app/models/user.rb#cl-253

self.hashed_password = User.hash_password("#{salt}#{User.hash_password clear_password}")

In ruby:

#{salt} == salt value.

#{User.hash_password clear_password} == call method User.hash_password with clear_password as the param.

All this is wrapped in another User.hash_password, so it runs an SHA1 hash again.

Or as I pointed out in PHP:

sha1($salt . sha1($password));
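
The source line quoted above, written out as a small Ruby script so the data types at each step are visible. This is an added example, not code from the Redmine project: the method names hash_password, generate_salt, hashed_password_for and check_password? are this example's own, and a salt of 16 random bytes rendered as 32 hex characters is an assumption. Every value that gets concatenated is a hex string, never raw bytes or a number, which is the detail a port to another language has to get right.

```ruby
require 'digest/sha1'
require 'securerandom'

# Same behaviour as Redmine's User.hash_password: SHA-1 of the input's bytes,
# returned as a 40-character lowercase hex String (Digest::SHA1.hexdigest).
def hash_password(clear_password)
  Digest::SHA1.hexdigest(clear_password.to_s)
end

# Salt as it is stored in users.salt: random hex text. The width (16 random
# bytes, 32 hex characters) is an assumption made for this example.
def generate_salt
  SecureRandom.hex(16)
end

# hashed_password = sha1(salt + sha1(password)); both operands of the "+" are
# hex strings, so the outer digest covers 32 + 40 ASCII characters.
def hashed_password_for(clear_password, salt)
  hash_password("#{salt}#{hash_password(clear_password)}")
end

# Verifying a login attempt against the stored hashed_password and salt columns.
# Comparing in constant time avoids revealing how many leading characters matched.
def check_password?(clear_password, stored_hash, salt)
  candidate = hashed_password_for(clear_password, salt)
  return false unless candidate.bytesize == stored_hash.bytesize
  candidate.bytes.zip(stored_hash.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  salt = generate_salt                               # constructed sample input
  stored = hashed_password_for("correct horse", salt)
  puts "salt=#{salt}"
  puts "hashed_password=#{stored}"
  puts check_password?("correct horse", stored, salt) # true
  puts check_password?("wrong", stored, salt)         # false
end
```

Digest::SHA1 hashes the String's bytes as Ruby holds them (UTF-8 for source literals and for values read from a UTF-8 database), so a port must feed the same bytes; a Java getBytes() call without an explicit charset, for instance, picks up the platform default instead. Note also that this is one unsalted-iteration SHA-1 per layer rather than a slow password KDF, so it is worth mirroring only for the migration itself.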

RE: How to generate user password for migration - Added by Christoph Keimel over 11 years ago

Thanks for the quick reply!

I am not quite clear on how the parameters are formatted as a string before they are passed to the User.hash_password function.

I'll try to make the question clearer:
How is $salt formatted for the string concatenation? As a number in hex, like it is saved in the database?
Similar question: Does User.hash_password return the hash result as a string or a number? If it is a number, is it formatted in hex or in dec?

RE: How to generate user password for migration - Added by William Roush over 11 years ago

Christoph Keimel wrote:

Thanks for the quick reply!

I am not quite clear on how the parameters are formatted as a string before they are passed to the User.hash_password function.

I'll try to make the question clearer:
How is $salt formatted for the string concatenation? As a number in hex, like it is saved in the database?
Similar question: Does User.hash_password return the hash result as a string or a number? If it is a number, is it formatted in hex or in dec?

Salt is 16 bytes of random hex, stored as a string in the database with the user's password.

User.hash_password uses Digest::SHA1.hexdigest which returns an SHA-1 hash (hex), return type is a string though.

RE: How to generate user password for migration - Added by Christoph Keimel over 11 years ago

Thanks. It's up and running.

If anyone should need this ... here is the Java equivalent for User.hash_password:

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Java port of Redmine's User.hash_password: SHA-1 of the UTF-8 bytes,
// returned as a 40-character lowercase hex string (like Digest::SHA1.hexdigest).
public static String sha1(String password) {
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        // Explicit charset: getBytes() without one uses the platform default
        byte[] hash = md.digest(password.getBytes(StandardCharsets.UTF_8));
        BigInteger bi = new BigInteger(1, hash);
        // Zero-pad to two hex digits per byte so leading zero bytes are kept
        return String.format("%0" + (hash.length << 1) + "x", bi);
    } catch (NoSuchAlgorithmException e) {
        // SHA-1 is mandatory in every Java runtime; treat its absence as fatal
        throw new IllegalStateException("SHA-1 not available", e);
    }
}

To create the hashed_password in Java you would call:

String hashed_password = sha1(salt + sha1(password));

RE: How to generate user password for migration - Added by Brian Rose over 7 years ago

How much of this is machine or OS dependent? We are trying to migrate a 2.6.x Redmine on CentOS to a 3.3.x on Ubuntu and we cannot get into the admin account.

I have the following BASH script to try to work out the new parameters

REDMINEPASS="<password>"
REDMINESALT="<salt value from 2.6.x db>"
# printf, not echo: echo appends a newline, which would be hashed as part of the password
TEMP1=$(printf '%s' "$REDMINEPASS" | openssl sha1)

SHAPASS=${TEMP1:9}  # openssl prints "(stdin)= " before the hash. Trim the first 9 characters

HASH=$(printf '%s' "$REDMINESALT$SHAPASS" | openssl sha1)

echo "${HASH:9}"

RE: How to generate user password for migration - Added by Brian Rose over 7 years ago

Here is a little cleaner one using sha1sum. Note the two methods generate different results.

  # printf avoids hashing echo's trailing newline; cut keeps only the hex digest
  # and drops the "  -" filename marker that sha1sum prints after it
  SHAPASS=$(printf '%s' "$REDMINEPASS" | sha1sum | cut -d' ' -f1)
  HASH=$(printf '%s' "$REDMINESALT$SHAPASS" | sha1sum | cut -d' ' -f1)
  echo "$HASH"