Passwords not working after upgrade to rt-4.0.8

Hi,

First of all apologies for the length of signature (I really can’t do anything about it).
I am in the process of upgrading my rt-3.8.7 to rt-4.0.8, I followed all the README and Upgrade docs.
I am installing into a clean rt4 directory, and only put in cosmetic customisation.
Ran
make upgrade-database
perl -I /opt/rt4/local/lib -I /opt/rt4/lib etc/upgrade/shrink_transactions_table.pl
perl etc/upgrade/vulnerable-passwords --fix

However now the root user and my user cannot log in to the interface, getting a username or password incorrect error.
I guess it's all to do with vulnerable-passwords! I have seen a few posts about this issue, but haven't seen a fix that applies to my situation.

My Users table:
| Users | CREATE TABLE Users (
id int(11) NOT NULL AUTO_INCREMENT,
Name varchar(200) NOT NULL DEFAULT '',
Password varchar(256) DEFAULT NULL,
Comments text,
Signature text,
EmailAddress varchar(120) CHARACTER SET ascii DEFAULT NULL,
FreeformContactInfo text,
Organization varchar(200) DEFAULT NULL,
RealName varchar(120) DEFAULT NULL,
NickName varchar(16) DEFAULT NULL,
Lang varchar(16) CHARACTER SET ascii DEFAULT NULL,
EmailEncoding varchar(16) CHARACTER SET ascii DEFAULT NULL,
WebEncoding varchar(16) CHARACTER SET ascii DEFAULT NULL,
ExternalContactInfoId varchar(100) DEFAULT NULL,
ContactInfoSystem varchar(30) DEFAULT NULL,
ExternalAuthId varchar(100) DEFAULT NULL,
AuthSystem varchar(30) DEFAULT NULL,
Gecos varchar(16) DEFAULT NULL,
HomePhone varchar(30) DEFAULT NULL,
WorkPhone varchar(30) DEFAULT NULL,
MobilePhone varchar(30) DEFAULT NULL,
PagerPhone varchar(30) DEFAULT NULL,
Address1 varchar(200) DEFAULT NULL,
Address2 varchar(200) DEFAULT NULL,
City varchar(100) DEFAULT NULL,
State varchar(100) DEFAULT NULL,
Zip varchar(16) DEFAULT NULL,
Country varchar(50) DEFAULT NULL,
Timezone varchar(50) CHARACTER SET ascii DEFAULT NULL,
PGPKey blob,
Creator int(11) NOT NULL DEFAULT '0',
Created datetime DEFAULT NULL,
LastUpdatedBy int(11) NOT NULL DEFAULT '0',
LastUpdated datetime DEFAULT NULL,
AuthToken varchar(16) CHARACTER SET ascii DEFAULT NULL,
PRIMARY KEY (id),
UNIQUE KEY Users1 (Name),
KEY Users2 (Name),
KEY Users3 (id,EmailAddress),
KEY Users4 (EmailAddress)
) ENGINE=InnoDB AUTO_INCREMENT=12734800 DEFAULT CHARSET=utf8 |

Also if it helps, the password entry for my user:
Password: !sha512!5B7CB45ok1NPS+Ig!LITc6RFH4wTOfqz

There is very little of any use in the log file (Logging and Statement log both set to ‘debug’), and the only message I get is:
[Wed Jan 30 17:25:43 2013] [error]: FAILED LOGIN for xxxxx from xxxxxx (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:739)

The sql server is mysql Ver 14.14 Distrib 5.1.66

Any help will truly be appreciated.

Regards;
Roy

Visit our website today www.daisygroupplc.com

Registered Office: Daisy House, Lindred Road Business Park, Nelson, Lancashire BB9 5SR
Company Registration Number: 4145329 | VAT Number: 722471355
Daisy Communications Limited is a company registered in England and Wales.
DISCLAIMER

This email (including any attachments) is strictly confidential and may also be legally privileged. If the recipient has received this email in error please notify the sender and do not read, print, re-transmit, store or act in reliance on the email or its attachments and immediately delete this email and its attachments from the recipient’s system. Daisy Communications Limited cannot accept liability for any breaches of confidence arising through use of email. Employees of Daisy Communications Limited are expressly required not to make any defamatory statements and not to infringe or authorise any infringement of copyright or any other legal right by email communications. Any such communication is contrary to the company’s policy and outside the scope of the employment of the individual concerned. Daisy Communications Limited will not accept any liability in respect of such a communication, and the employee responsible will be personally liable for any damages or other liability arising.

If you are the intended recipient of this email please ensure that neither the email nor any attachments are copied to third parties outside your organisation or saved without the written permission of the sender. In the event of any unauthorised copying or forwarding, the recipient will be required to indemnify Daisy Communications Limited against any claim for loss or damage caused by any viruses or otherwise.

WARNING: Computer viruses can be transmitted by email. The recipient should check this email and any attachments for the presence of viruses. Daisy Communications Limited accepts no liability for any damage caused by any virus transmitted by this email or any attachments.
NOTICE TO CUSTOMERS
If you have ordered a telephone number from Daisy Communications Limited (non-geographic or new line installation) please do NOT arrange for any form of advertising until the number is live and tested.

First of all apologies for the length of signature (I really can’t do anything about it).
I am in the process of upgrading my rt-3.8.7 to rt-4.0.8, I followed all the README and Upgrade docs.
I am installing into a clean rt4 directory, and only put in cosmetic customisation.

[snip]

My Users table:
| Users | CREATE TABLE Users (
id int(11) NOT NULL AUTO_INCREMENT,
Name varchar(200) NOT NULL DEFAULT '',
Password varchar(256) DEFAULT NULL,

[snip]

Also if it helps, the password entry for my user:
Password: !sha512!5B7CB45ok1NPS+Ig!LITc6RFH4wTOfqz

Despite the longer column size, your password value is truncated. This
is usually the result of an incomplete database upgrade that left the
column length at 40.

Can you reply with your /opt/rt4/lib/RT/User.pm and anything in
/opt/rt4/local/lib/?

Thomas

Hi Thomas,

Thanks for your response.
There is nothing in my local/lib (no local changes applied yet):
[root@rt-dev lib]# pwd
/opt/rt4/local/lib
[root@rt-dev lib]# ls -al
total 8
drwxr-xr-x 2 root root 4096 Jan 7 15:35 .
drwxr-xr-x 7 root root 4096 Jan 7 15:35 ..

My User.pm is attached (please note I have made any changes there either).

Regards;
Roy


User.pm.txt (61.7 KB)

Thomas,

Just in case this helps you in the diagnosis.
I managed to change my user password via perl script and rt api.
Managed to login and change my password from web ui, logout then in again … still works
Changed root password, then logged in as root and it worked.
Password hash now looks better: !sha512!KKxW98Esg+bVXzfM!aWfTpkuRONLZaGwSFApCqXwS8nAlLshdeDLfhb0aV/2he4Hp7Gwu3eqkcx9PgA+CR2QESSuAMvGwNH2BplVZGQ

So we know the database schema changes have been applied.

I checked if this is isolated to my user and root, quick look in the Users table:
mysql> select count(*) from Users where length(Password) > 42 ;
| count(*) |
| 3 |
These 3 accounts are my user, root and an account I created today.

But I am left with:
mysql> select count(*) from Users where Password != 'NO-PASSWORD' and length(Password) < 43 ;
| count(*) |
| 2343 |

Any pointers??

Roy
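
Added example (not part of the thread and not RT's own code): a small audit that separates complete !sha512! values from truncated ones, instead of counting by length alone as in the queries above. The 16-character salt and 86-character digest are taken from the two values quoted in the thread; classify, audit and SAMPLE_ROWS are hypothetical names, and every sample row other than those two values is constructed.

```python
import re
from collections import Counter

PREFIX = "!sha512!"
SALT_LEN = 16    # salt length of both values quoted in the thread
DIGEST_LEN = 86  # SHA-512 = 64 bytes = 86 base64 characters without '=' padding
B64_ONLY = re.compile(r"[A-Za-z0-9+/]*")

def classify(value):
    """Return (status, detail) for one stored Password value."""
    if not value:
        return ("empty", "")
    if value == "NO-PASSWORD":
        return ("no-password", "")
    if not value.startswith(PREFIX):
        # Not in the !sha512! form: left for manual review, not judged here.
        return ("other", f"value {len(value)} chars")
    fields = value[len(PREFIX):].split("!")
    salt = fields[0]
    digest = fields[1] if len(fields) > 1 else ""
    if len(fields) > 2 or not B64_ONLY.fullmatch(salt + digest):
        return ("malformed", "unexpected characters or extra fields")
    if len(salt) == SALT_LEN and len(digest) == DIGEST_LEN:
        return ("ok", f"value {len(value)} chars")
    cut_in_salt = len(fields) == 1 and len(salt) <= SALT_LEN
    cut_in_digest = len(salt) == SALT_LEN and len(digest) < DIGEST_LEN
    if cut_in_salt or cut_in_digest:
        return ("truncated", f"digest {len(digest)}/{DIGEST_LEN} chars, value {len(value)} chars")
    return ("malformed", f"salt {len(salt)} chars, digest {len(digest)} chars")

def audit(rows):
    """rows: iterable of (Name, Password). Returns (counts, truncated names)."""
    counts, truncated = Counter(), []
    for name, value in rows:
        status, _ = classify(value)
        counts[status] += 1
        if status == "truncated":
            truncated.append(name)
    return counts, truncated

SAMPLE_ROWS = [
    ("user-a", "!sha512!5B7CB45ok1NPS+Ig!LITc6RFH4wTOfqz"),  # value from the thread
    ("user-b", "!sha512!KKxW98Esg+bVXzfM!aWfTpkuRONLZaGwSFApCqXwS8nAlLshdeDLfhb0aV"
               "/2he4Hp7Gwu3eqkcx9PgA+CR2QESSuAMvGwNH2BplVZGQ"),  # value from the thread
    ("user-c", "NO-PASSWORD"),  # constructed row
    ("user-d", None),           # constructed row
    ("user-e", "x" * 22),       # constructed row, not in the !sha512! form
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```

The truncated value from the first message is exactly 40 characters long, of which only 15 belong to the digest, which is consistent with the column-length explanation given in the reply.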
