Password Encryption Used By RT

John_Gedeon · November 8, 2002, 4:28pm

I am evaluating the RT system and noticed that the passwords stored in the
database are encrypted (good job i wasn’t expecting that ) but I was
wondering what algorithm was used. I hope its the same as unix based
passwords I am hoping to be able to add the functionality that all users in
RT that get greated by them sending in a request will have their unix
password (and id which is usually their email address as well) be their rt
pass. the easyiest way would ofcourse be cut encrypted pass from passfile
and paste into rt user table, but I wanted to make sure the encryption was
the same…

Thanks for any hints
John

<>< Proverbs 3:5 “Trust in the Lord with all your heart and lean not on
your own understanding;”

Rick_Bradley · November 8, 2002, 4:41pm

John Gedeon (jgedeon@qualcomm.com) [021108 10:32]:

I am evaluating the RT system and noticed that the passwords stored in the
database are encrypted (good job i wasn’t expecting that ) but I was
wondering what algorithm was used. I hope its the same as unix based
passwords I am hoping to be able to add the functionality that all users in
RT that get greated by them sending in a request will have their unix
password (and id which is usually their email address as well) be their rt
pass. the easyiest way would ofcourse be cut encrypted pass from passfile
and paste into rt user table, but I wanted to make sure the encryption was
the same…

The passwords are encrypted with crypt(). This is common for Unix
passwords, but not necessarily identical with what a particular system
uses. Many newer systems will use md5 login passwords which look a bit
different, function similarly, and use a completely different hashing
algorithm than crypt.

It is straightforward to mix and match crypt() and md5() password within
the same password file/database where supported, but I’m not aware that
RT has this capability (yet).

In short, if your system uses crypt() passwords then you should be able
to cut and paste from the passwd file, otherwise no.

Rick
http://www.rickbradley.com MUPRN: 60 (59F/56F)
| mean if anyone
random email haiku | knew me that well I’d have to
| fall in love with them.

Dave_Ewart · November 8, 2002, 4:52pm

In short, if your system uses crypt() passwords then you should be
able to cut and paste from the passwd file, otherwise no.

Or, you could set RT to use “external” authentication, which means that
the authenticated user passed by Apache is accepted and used by RT. You
can then create a password file, for use by Apache, containing the MD5
passwords from elsewhere. If you’d like more details, let me know.

Dave.
Dave Ewart
Dave.Ewart@cancer.org.uk
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370

John_Gedeon · November 8, 2002, 5:51pm

Dave,
Yeah could you go into more detail?
Thanks for the info
John

At 08:52 AM 11/8/2002, Dave Ewart wrote:>On Friday, 08.11.2002 at 10:41 -0600, Rick Bradley wrote:

In short, if your system uses crypt() passwords then you should be
able to cut and paste from the passwd file, otherwise no.

Or, you could set RT to use “external” authentication, which means that
the authenticated user passed by Apache is accepted and used by RT. You
can then create a password file, for use by Apache, containing the MD5
passwords from elsewhere. If you’d like more details, let me know.

Dave.

Dave Ewart
Dave.Ewart@cancer.org.uk
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm

<>< Proverbs 3:5 “Trust in the Lord with all your heart and lean not on
your own understanding;”

John_Gedeon · November 8, 2002, 5:53pm

Rick
if our passwords used md5 (i am not sure if they do) would it be possible
to hack rt to use the same thing or is there no md5 function for perl?
John

At 08:41 AM 11/8/2002, Rick Bradley wrote:

John Gedeon (jgedeon@qualcomm.com) [021108 10:32]:

I am evaluating the RT system and noticed that the passwords stored in the
database are encrypted (good job i wasn’t expecting that ) but I was
wondering what algorithm was used. I hope its the same as unix based
passwords I am hoping to be able to add the functionality that all
users in
RT that get greated by them sending in a request will have their unix
password (and id which is usually their email address as well) be their rt
pass. the easyiest way would ofcourse be cut encrypted pass from passfile
and paste into rt user table, but I wanted to make sure the encryption was
the same…

The passwords are encrypted with crypt(). This is common for Unix
passwords, but not necessarily identical with what a particular system
uses. Many newer systems will use md5 login passwords which look a bit
different, function similarly, and use a completely different hashing
algorithm than crypt.

It is straightforward to mix and match crypt() and md5() password within
the same password file/database where supported, but I’m not aware that
RT has this capability (yet).

In short, if your system uses crypt() passwords then you should be able
to cut and paste from the passwd file, otherwise no.

Rick

http://www.rickbradley.com MUPRN: 60 (59F/56F)
| mean if anyone
random email haiku | knew me that well I’d have to
| fall in love with them.

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm

<>< Proverbs 3:5 “Trust in the Lord with all your heart and lean not on
your own understanding;”

Rich_Lafferty · November 8, 2002, 6:21pm

John Gedeon (jgedeon@qualcomm.com) [021108 10:32]:

I am evaluating the RT system and noticed that the passwords stored in the
database are encrypted (good job i wasn’t expecting that ) but I was
wondering what algorithm was used. I hope its the same as unix based
passwords I am hoping to be able to add the functionality that all users in
RT that get greated by them sending in a request will have their unix
password (and id which is usually their email address as well) be their rt
pass. the easyiest way would ofcourse be cut encrypted pass from passfile
and paste into rt user table, but I wanted to make sure the encryption was
the same…

The passwords are encrypted with crypt(). This is common for Unix
passwords, but not necessarily identical with what a particular system
uses. Many newer systems will use md5 login passwords which look a bit
different, function similarly, and use a completely different hashing
algorithm than crypt.

No, crypt() uses more than one algorithm on most systems that support
MD5 passwords, and figures out which to use by the hash. In my
experience, anything that works in your passwd file works in RT.

-Rich

Rich Lafferty --------------±----------------------------------------------
Ottawa, Ontario, Canada | Save the Pacific Northwest Tree Octopus!
http://www.lafferty.ca/ | Save The Pacific Northwest Tree Octopus
rich@lafferty.ca -----------±----------------------------------------------

Rich_Lafferty · November 8, 2002, 6:47pm

John Gedeon (jgedeon@qualcomm.com) [021108 10:32]:

I am evaluating the RT system and noticed that the passwords stored in the
database are encrypted (good job i wasn’t expecting that ) but I was
wondering what algorithm was used. I hope its the same as unix based
passwords I am hoping to be able to add the functionality that all users in
RT that get greated by them sending in a request will have their unix
password (and id which is usually their email address as well) be their rt
pass. the easyiest way would ofcourse be cut encrypted pass from passfile
and paste into rt user table, but I wanted to make sure the encryption was
the same…

The passwords are encrypted with crypt(). This is common for Unix
passwords, but not necessarily identical with what a particular system
uses. Many newer systems will use md5 login passwords which look a bit
different, function similarly, and use a completely different hashing
algorithm than crypt.

No, crypt() uses more than one algorithm on most systems that support
MD5 passwords, and figures out which to use by the hash.

Gnar. By the salt, of course.

$ perl -le ‘print crypt(“foo”,q($1$abcdefgh))’
$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0

-Rich

Rich Lafferty --------------±----------------------------------------------
Ottawa, Ontario, Canada | Save the Pacific Northwest Tree Octopus!
http://www.lafferty.ca/ | Save The Pacific Northwest Tree Octopus
rich@lafferty.ca -----------±----------------------------------------------

Rick_Bradley · November 8, 2002, 7:04pm

Rich Lafferty (rich+rt@lafferty.ca) [021108 12:28]:

No, crypt() uses more than one algorithm on most systems that support
MD5 passwords, and figures out which to use by the hash. In my
experience, anything that works in your passwd file works in RT.

Agreed. A problem arises when the server system has an old crypt()
which doesn’t understand md5, but users/admins say “just use may
/etc/passwd password from ”. Then again, that sounds a
lot like a call for external auth to me.

Rick
http://www.rickbradley.com MUPRN: 51 (65F/65F)
| RO Hey beautiful,
random email haiku | I think I just missed you on
| the CS dept. system.

Rick_Bradley · November 8, 2002, 7:05pm

John Gedeon (jgedeon@qualcomm.com) [021108 11:56]:

Rick
if our passwords used md5 (i am not sure if they do) would it be possible
to hack rt to use the same thing or is there no md5 function for perl?
John

Certainly (or see about using external auth as suggested by another
poster). Look at Digest::MD5, and/or Crypt::PasswdMD5. IIRC correctly
the encrypted md5 passwords are stored in base64 format with “$1$salt$”
prepended. A search on “md5 salt perl” should turn up some useful
information as well.

I see this, which looks like it’s on the right track:

http://nntp.x.perl.org/group/perl.crypto/45

Essentially you need to generate the correct format for storing the
encrypted md5 password, and then, on lookup during authentication use
the right encryption (md5 vs. des) based on the format of the stored
password.

I haven’t needed to do the full trick in Perl, but a friend [0] and I
did it in PHP for some projects and donated a version to PHPAuth [1] if
you want a free working example. There are probably more concise
examples, and definitely some in Perl, available to the diligent Google
surfer.

[0] http://www.michaelchaney.com/
[1] http://www.phpauth.com/

Rick
http://www.rickbradley.com MUPRN: 950 (65F/65F)
| I’ve used the system
random email haiku | at all hours…), I don’t see
| how that could be true.

Chr_von_Stuckrad · November 8, 2002, 7:07pm

No, crypt() uses more than one algorithm on most systems that support
MD5 passwords, and figures out which to use by the hash.

Gnar. By the salt, of course.

$ perl -le ‘print crypt(“foo”,q($1$abcdefgh))’
$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0

This seems to be system-dependent!

My perl(s) on LINUX and Solaris both give me:

$ perl -le ‘print crypt(“foo”,q($1$abcdefgh))’
$1BYKQTeiLcrU

Stucki

Vik_Bhatia · November 8, 2002, 7:45pm

I am interested in knowing how to set up RT to use external auth. I use
a perl program to run a LDAP authentication for certain web pages and
would like to do the same with RT. in a nutshell what I do with my other
apps that run through apache is:

Specify the auth type as “basic” the httpd.conf file and the auth
handler as a perl module which runs a LDAP search during the
authorization phase of the http request loop. It returns OK if the
password and username are valid at the LDAP server.

The question I have is, can I use the same mechanism with RT somehow?

Thanks for your help!

-Vik

Dave Ewart wrote:> On Friday, 08.11.2002 at 10:41 -0600, Rick Bradley wrote:

In short, if your system uses crypt() passwords then you should be
able to cut and paste from the passwd file, otherwise no.

Or, you could set RT to use “external” authentication, which means that
the authenticated user passed by Apache is accepted and used by RT. You
can then create a password file, for use by Apache, containing the MD5
passwords from elsewhere. If you’d like more details, let me know.

Dave.

Rich_Lafferty · November 8, 2002, 8:18pm

This seems to be system-dependent!

For obvious reasons, crypt() is libc-dependent.

-Rich

Rich Lafferty --------------±----------------------------------------------
Ottawa, Ontario, Canada | Save the Pacific Northwest Tree Octopus!
http://www.lafferty.ca/ | Save The Pacific Northwest Tree Octopus
rich@lafferty.ca -----------±----------------------------------------------

Dave_Ewart · November 11, 2002, 9:13am

At 08:52 AM 11/8/2002, Dave Ewart wrote:

In short, if your system uses crypt() passwords then you should be
able to cut and paste from the passwd file, otherwise no.

Or, you could set RT to use “external” authentication, which means that
the authenticated user passed by Apache is accepted and used by RT. You
can then create a password file, for use by Apache, containing the MD5
passwords from elsewhere. If you’d like more details, let me know.

Yeah could you go into more detail?
Thanks for the info

A couple of people have asked about this so … try the following:

Set $WebExternalAuth = ‘on’;

in etc/config.pm

This will make Apache responsible for providing RT with an authenticated
username - “external” means external to RT, not necessarily on another
server, for example, as I understand.

in httpd.conf:

Alias /rt2/ /opt/rt2/WebRT/html/
PerlRequire /opt/rt2/bin/webmux.pl
<Location /rt2>
SetHandler perl-script
PerlHandler RT::Mason
AuthType Basic
AuthUserFile /usr/local/apache/conf/htpasswd.users
AuthName “Use normal password”
require valid-user

Note the “AuthUserFile” - this is a file which is only used by RT and I
populate it and keep it up-to-date by using ‘scp’ to pull across the
shadow password file from our main central server (RT is installed on a
different box).

I have the following script run every 15 minutes or so, which updates
the file htpasswd.users from the shadow password file on the other box:

----------------------------------------------------------------------

#!/bin/bash

Copy /etc/shadow and build password file for RT access

HERE=/usr/local/apache/conf
SCP=/usr/local/bin/scp
SHADOW_TARGET=root@centralserver.blah.com:/etc/shadow
SHADOW_LOCAL=$HERE/shadow.tmp
PASSWD_FILE=$HERE/htpasswd.users

$SCP -q $SHADOW_TARGET $SHADOW_LOCAL
cat $SHADOW_LOCAL | cut -f1-2 -d ‘:’ | grep ‘$1$’ > $PASSWD_FILE
rm $SHADOW_LOCAL

----------------------------------------------------------------------

Note that only the username and shadow password are required, hence the
‘cut’ - the ‘grep’ filters out only those password that are valid - they
all start ‘$1$’ on my system, at least.

Hope that helps someone. Don’t forget, stop and then restart Apache
etc.

Dave.
Dave Ewart
Dave.Ewart@cancer.org.uk
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370