<p><a href="https://www.redmine.org/issues/4640">Redmine - Feature #4640: Change password hash to be compatible with Apache</a></p>
<p><strong>Jerry Van Baren</strong>, 2010-01-23T19:08:08Z (<a href="https://www.redmine.org/issues/4640?journal_id=13780">journal 13780</a>)</p>
<p>In the patch, lines 96-108 of <code>app/models/user.rb</code> (backwards compatibility) are not strictly needed, assuming the migration is done to convert the password encoding.</p>
<p><strong>Jerry Van Baren</strong>, 2010-01-23T19:31:54Z (<a href="https://www.redmine.org/issues/4640?journal_id=13781">journal 13781</a>)</p>
<p>For reference, this improves on<br /><a class="external" href="http://www.redmine.org/wiki/1/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl">http://www.redmine.org/wiki/1/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl</a></p>
<p><strong>Holger Just</strong>, 2010-01-23T21:34:34Z (<a href="https://www.redmine.org/issues/4640?journal_id=13782">journal 13782</a>)</p>
<p>Note that Apache can already authenticate against MySQL using the <code>auth-mysql</code> module. See <a class="external" href="http://maff.ailoo.net/2009/03/authenticate-apache-against-redmine-with-authmysql/">http://maff.ailoo.net/2009/03/authenticate-apache-against-redmine-with-authmysql/</a></p>
<p>There exists a similar module for postgres (<a href="http://www.giuseppetanzilli.it/mod_auth_pgsql2/" class="external"><code>mod_auth_pgsql2</code></a> or <code>libapache2-mod-auth-pgsql</code> in Debian), which unfortunately is not able to generate SHA1 hashes by itself. One could, however, send the original (unhashed) password in the SQL query string and use the SHA1 function from <a href="http://www.postgresql.org/docs/8.3/static/pgcrypto.html" class="external">pgcrypto</a>.</p>
<p>I wanted to test this, but have not yet had time to do so. But it should be possible.</p>
<p><strong>Jerry Van Baren</strong>, 2010-01-23T22:04:40Z (<a href="https://www.redmine.org/issues/4640?journal_id=13784">journal 13784</a>)</p>
<p>mod_authn_dbd is a generic way to authenticate against a SQL database. It appears to be a better solution than database-specific mods like mod-auth-mysql, mod_auth_pgsql2, or libapache2-mod-auth-pgsql.</p>
<p>Based on the fact that mod_authn_dbd is listed on the <a href="http://httpd.apache.org/docs/2.2/mod/" class="external">Apache 2.2 site</a> and the others are not, I would conclude it is a better choice.</p>
<p>Note that my patch is really a one-line change that simply puts the hash in an Apache-compatible format; the rest of the code is a migration to the Apache-compatible format and some backwards-compatibility code that is probably unnecessary (it was helpful for my testing).</p>
<p><strong>Holger Just</strong>, 2010-01-23T22:45:43Z (<a href="https://www.redmine.org/issues/4640?journal_id=13785">journal 13785</a>)</p>
<p>Well at least you would also have to patch <a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/entry/trunk/extra/svn/Redmine.pm#L277">source:/trunk/extra/svn/Redmine.pm#L277</a> to use your new password scheme.</p>
<p>Another alternative would be to use the following statement as AuthDBDUserPWQuery, which should generate the needed format on the fly. It looks a bit ugly, but the encode(decode()) is needed to please postgres' type system.</p>
<pre>
# mod_authn_dbd SQL query to authenticate a user
AuthDBDUserPWQuery "SELECT '{SHA}' || encode(decode(hashed_password, 'escape'), 'base64') FROM users WHERE login = %s"
</pre>
<p>Using this SQL string your patch would not be needed, at the cost of a bit of database overhead.</p>
<p><strong>Jerry Van Baren</strong>, 2010-01-23T23:53:11Z (<a href="https://www.redmine.org/issues/4640?journal_id=13788">journal 13788</a>)</p>
<blockquote>
<p>Well at least you would also have to patch <a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/entry/trunk/extra/svn/Redmine.pm#L277">source:/trunk/extra/svn/Redmine.pm#L277</a> to use your new password scheme.</p>
</blockquote>
<p>No, the patch makes <code>Redmine.pm</code> <em>unnecessary.</em> It isn't <em>my</em> password scheme, it is the "native" Apache password encoding and thus Apache can use the Redmine database <em>directly</em> for authentication.</p>
<blockquote>
<p>AuthDBDUserPWQuery "SELECT '{SHA}' || encode(decode(hashed_password, 'escape'), 'base64') FROM users WHERE login = %s"</p>
</blockquote>
<p>That is sort of where I started. The above SQL is engine-specific: it is PostgreSQL syntax, and the other DB engines use a different syntax to concatenate strings. Ugly, annoying, and error-prone.</p>
<blockquote>
<p>Using this SQL string your patch would not be needed at the cost of a bit of database overhead.</p>
</blockquote>
<p>But it is silly to save a hexadecimal encoded hash only to convert it to base64 while extracting it. Redmine "encapsulates" the password handling in the <code>User</code> class, so a simple change to <code>User</code> and a simple migration is transparent to the users of <code>User</code>.</p>
<p>Nobody in Redmine other than <code>User</code> cares if it is hexadecimal encoded or base64 encoded. There is no reason that the Redmine database should not store the password hash in the Apache format vs. the hexadecimal format. In addition, the patch makes it work with all DB engines.</p>
<p><strong>Holger Just</strong>, 2010-01-24T00:28:13Z (<a href="https://www.redmine.org/issues/4640?journal_id=13789">journal 13789</a>)</p>
<p>Just tried it on my server and noticed an error in the SQL string. It should be</p>
<pre>
# mod_authn_dbd SQL query to authenticate a user
AuthDBDUserPWQuery "SELECT '{SHA}' || encode(decode(hashed_password, 'hex'), 'base64') FROM users WHERE login = %s"
</pre>
<p>While this technically works, it still lacks a very important factor! Yes, it will go to the database and look for a given user. But it does not check whether the user has the correct rights on the specific repository. You would have to inject the current project name (as retrieved from the URL) into the query to generate a query similar to:</p>
<pre>
SELECT
  '{SHA}' || encode(decode(users.hashed_password, 'hex'), 'base64')
FROM members, projects, users, roles, member_roles
WHERE
  projects.id = members.project_id
  AND member_roles.member_id = members.id
  AND users.id = members.user_id
  AND roles.id = member_roles.role_id
  AND users.status = 1
  AND users.login = %s
  AND projects.identifier = &lt;project_identifier&gt;
  AND roles.permissions LIKE '%- :browse_repository%';
</pre>
<p>And I have no idea how to do that. From what I've read, it is not possible, is it?</p>
<p><strong>Holger Just</strong>, 2010-01-24T00:50:41Z (<a href="https://www.redmine.org/issues/4640?journal_id=13790">journal 13790</a>)</p>
<p>First, I really like the idea of getting rid of Redmine.pm, as it is the only reason for a preforked Apache and mod_perl in my installation. So in the end, I'm on your side ;)</p>
<p>Jerry Van Baren wrote:</p>
<blockquote>
<p>No, the patch makes Redmine.pm unnecessary. It isn't my password scheme, it is the "native" Apache password encoding and thus Apache can use the Redmine database directly for authentication.</p>
</blockquote>
<p>I think we should be able to support Redmine.pm for a while. Some people might not be able to run mod_dbd. Also, Redmine.pm allows transparent authentication against LDAP.</p>
<blockquote><blockquote>
<p>AuthDBDUserPWQuery "SELECT '{SHA}' || encode(decode(hashed_password, 'escape'), 'base64') FROM users WHERE login = %s"</p>
</blockquote>
<p>That is sort of where I started. The above SQL is engine-specific: it is PostgreSQL syntax, and the other DB engines use a different syntax to concatenate strings. Ugly, annoying, and error-prone.</p>
</blockquote>
<p>I am sure every database (except maybe for sqlite) would allow such a concept.</p>
<blockquote>
<blockquote>
<p>Using this SQL string your patch would not be needed at the cost of a bit of database overhead.</p>
</blockquote>
<p>Nobody in Redmine other than <code>User</code> cares if it is hexadecimal encoded or base64 encoded. There is no reason that the Redmine database should not store the password hash in the Apache format vs. the hexadecimal format. In addition, the patch makes it work with all DB engines.</p>
</blockquote>
<p>I see that there is actually some overhead in my approach. But I fear that there might be issues with other authentication schemes or plugins. But this is just a gut feeling...</p>
<p>The main problem (aka show stopper) is the desire to authenticate for a specific repository/project, not just <em>any</em> user.</p>
<p><strong>Jean-Philippe Lang</strong>, 2010-03-08T21:01:28Z (<a href="https://www.redmine.org/issues/4640?journal_id=14986">journal 14986</a>)</p>
<p>Holger Just wrote:</p>
<blockquote>
<p>While this technically works, it still lacks a very important factor! Yes, it will go to the database and look for a given user. But is does not check if the user has the correct right on the specific repository.</p>
</blockquote>
<p>Indeed, it doesn't eliminate the need for the Redmine.pm.</p>
<p><strong>Jerry Van Baren</strong>, 2010-12-16T01:47:16Z (<a href="https://www.redmine.org/issues/4640?journal_id=23220">journal 23220</a>)</p>
<ul><li><strong>File</strong> <a href="https://www.redmine.org/attachments/5018">base64_hash.patch</a> added</li></ul>
<p>Updated the patch to apply against version 1.0.4.</p>
<p>To authenticate from Apache against the Redmine database, use mod_dbd and an SQL query (no Perl wedge necessary):</p>
<pre>
# mod_dbd configuration to authenticate against Redmine
DBDriver pgsql
DBDParams "host=127.0.0.1 port=5432 dbname=[dbname] user=[user] password=[seekrit]"
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300
&lt;Location /share&gt;
    DAV svn
    SVNParentPath "/srv/svn"
    # do auto checkout/replacement
    SVNAutoversioning on
    # guess the mime type
    ModMimeUsePathInfo on
    AuthType Basic
    AuthName "Subversion File Share"
    AuthBasicProvider dbd
    Require valid-user
    # mod_authn_dbd SQL query to authenticate a user
    # group_id can be determined by looking in the
    # Administration groups page.
    AuthDBDUserPWQuery "SELECT hashed_password FROM users WHERE login = %s AND id IN (SELECT user_id FROM groups_users WHERE group_id = 4)"
&lt;/Location&gt;
</pre>
<p><strong>Jerry Van Baren</strong>, 2010-12-16T01:53:24Z (<a href="https://www.redmine.org/issues/4640?journal_id=23221">journal 23221</a>)</p>
<p>P.S. I hardcoded the group ID ("<code>WHERE group_id = 4</code>") in the SQL statement because the group ID will generally be a "figure out once, never changes" value. I didn't feel it was worth the extra lookup to make the group ID more user-friendly.</p>
<p><strong>Toshi MARUYAMA</strong>, 2011-03-24T07:41:11Z (<a href="https://www.redmine.org/issues/4640?journal_id=27011">journal 27011</a>)</p>
<ul><li><strong>Category</strong> set to <i>SCM extra</i></li></ul>
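<p>Added example, not part of the issue and not Redmine's own code: the re-encoding the thread argues about, written out in Ruby. It assumes the Redmine 1.0.x scheme the posts describe (an unsalted SHA1 of the clear password, stored as 40 hex characters in <code>hashed_password</code>) and Apache's <code>{SHA}</code> scheme (the literal prefix followed by base64 of the raw digest). The function names, the migration loop and the sample user rows are invented for the demonstration; <code>hex_to_apache_sha</code> performs the same transformation as Holger's corrected PostgreSQL expression <code>'{SHA}' || encode(decode(hashed_password, 'hex'), 'base64')</code>, and <code>password_matches?</code> is the kind of backwards-compatibility check Jerry says his patch carried for rows not yet migrated.</p>

```ruby
require 'digest/sha1'

# Legacy Redmine 1.0.x scheme (assumption, per the thread): unsalted SHA1 of the
# clear password, stored as 40 hex characters in users.hashed_password.
def redmine_hex_hash(clear_password)
  Digest::SHA1.hexdigest(clear_password)
end

# Apache's "{SHA}" scheme (what `htpasswd -s` writes): the literal prefix "{SHA}"
# followed by the base64 of the raw 20-byte SHA1 digest. pack('m0') is strict
# base64 without line breaks.
def apache_sha_hash(clear_password)
  '{SHA}' + [Digest::SHA1.digest(clear_password)].pack('m0')
end

# Migration step: re-encode an existing hex digest into the Apache format without
# knowing the password. Same transformation as the corrected PostgreSQL expression
# from the thread: '{SHA}' || encode(decode(hashed_password, 'hex'), 'base64').
def hex_to_apache_sha(hex_digest)
  unless hex_digest =~ /\A[0-9a-f]{40}\z/i
    raise ArgumentError, 'expected a 40-character hex SHA1 digest'
  end
  '{SHA}' + [[hex_digest].pack('H*')].pack('m0')
end

# Backwards-compatible check (the part of the patch the thread calls optional):
# rows not yet migrated still carry the hex form, so choose the comparison by prefix.
def password_matches?(stored, clear_password)
  candidate = stored.start_with?('{SHA}') ? apache_sha_hash(clear_password) : redmine_hex_hash(clear_password)
  # Compare in constant time so a mismatch does not reveal how many leading bytes agreed.
  return false unless stored.bytesize == candidate.bytesize
  stored.bytes.zip(candidate.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Migration over a users table; the rows are a constructed in-memory stand-in for
# the ActiveRecord rows a real Rails migration would iterate. Already-converted
# rows are left untouched so the migration can be re-run safely.
def migrate_users(rows)
  rows.map do |row|
    hp = row[:hashed_password]
    hp.start_with?('{SHA}') ? row : row.merge(hashed_password: hex_to_apache_sha(hp))
  end
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample rows: one legacy hex row, one already in Apache format
  users = [
    { login: 'alice', hashed_password: redmine_hex_hash('correct horse') },
    { login: 'bob',   hashed_password: apache_sha_hash('battery staple') }
  ]
  migrate_users(users).each do |u|
    clear = u[:login] == 'alice' ? 'correct horse' : 'battery staple'
    puts "#{u[:login]}: #{u[:hashed_password]} (verifies: #{password_matches?(u[:hashed_password], clear)})"
  end
end
```

<p>Once every row is in the <code>{SHA}</code> form, <code>AuthDBDUserPWQuery</code> can select <code>hashed_password</code> directly, as in the mod_dbd configuration posted later in the thread, and the base64 produced here is byte-for-byte what PostgreSQL's <code>encode(..., 'base64')</code> returns for a 20-byte digest (PostgreSQL only inserts line breaks after 76 characters). Note that both encodings carry the same unsalted SHA1; they differ only in representation, so the migration changes nothing about the strength of the stored hashes, and a later move to a salted scheme would no longer fit the <code>{SHA}</code> format.</p>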