PHPass and Request Tracker

Hi,

here is part of the Set from RT_SiteConfig.pm; only here could I have made a mistake:

   Set($ExternalSettings, {    # AN EXAMPLE DB SERVICE
       'My_MySQL' => {         ## GENERIC SECTION
           # The type of service (db/ldap/cookie)
           'type'       => 'db',
           # The server hosting the service
           'server'     => '*',
           ## SERVICE-SPECIFIC SECTION
           # The database name
           'database'   => 'phpbb3',
           # The database table
           'table'      => 'phpbbusers',
           # The user to connect to the database as
           'user'       => 'phpbb3',
           # The password to use to connect with
           'pass'       => '',
           # The port to use to connect with (e.g. 3306)
           'port'       => '3306',
           # The name of the Perl DBI driver to use (e.g. mysql)
           'dbi_driver' => 'mysql',
           # The field in the table that holds usernames
           'u_field'    => 'username',
           # The field in the table that holds passwords
           'p_field'    => 'user_password',
           # The Perl package & subroutine used to encrypt passwords
           # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
           # function, then you will need Crypt::MySQL::password, but for the
           # MySQL4+ password function you will need Crypt::MySQL::password41
           # Alternatively, you could use Digest::MD5::md5_hex or any other
           # encryption subroutine you can load in your perl installation
           'p_enc_pkg'  => 'Authen::Passphrase::PHPass',
           'p_enc_sub'  => 'cost',
           #'p_enc_pkg' => 'Crypt::MySQL',
           #'p_enc_sub' => 'password41',
           # If your p_enc_sub takes a salt as a second parameter,
           # uncomment this line to add your salt
           #'p_salt'    => 'SALT',

           #
           # The field and values in the table that determines if a user should
           # be disabled. For example, if the field is 'user_status' and the values
           # are ['0','1','2','disabled'] then the user will be disabled if their
           # user_status is set to '0','1','2' or the string 'disabled'.
           # Otherwise, they will be considered enabled.
           'd_field'    => 'disabled',
           'd_values'   => ['0'],
           ## RT ATTRIBUTE MATCHING SECTION
           # The list of RT attributes that uniquely identify a user
           'attr_match_list' => [ 'Gecos',
                                  'Name'
                                ],
           # The mapping of RT attributes on to field names
           'attr_map' => { 'Name'           => 'username',
                           'EmailAddress'   => 'user_email',
                           'ExternalAuthId' => 'username',
                           'Gecos'          => 'user_id'
                         }
       },

Best
Adrian

2011/11/15 Zefram <zefram@fysh.org>:

Adrian Stel wrote:

Can't use string ("user password") as a HASH ref while "strict refs"
in use at /usr/local/share/perl/5.10.1/Authen/Passphrase/PHPass.pm
line 278.

What exactly are you doing that triggers this error? Please show the code
you’re running. You’re almost certainly using A:P:PHPass incorrectly;
the error looks as though you applied an A:P:PHPass method to a string
instead of to an A:P:PHPass object.

-zefram

Regards
Adrian Stelmaszyk

Hi,

perhaps this is a stupid question, but I'm not sure where I should put
this wrapper function ;/

I found in /usr/local/share/perl/5.10.1/Authen/Passphrase/PHPass.pm

Is this the right place?

=head1 SYNOPSIS

   use Authen::Passphrase::PHPass;

   $ppr = Authen::Passphrase::PHPass->new(
           cost => 10, salt => "NaClNaCl",
           hash_base64 => "ObRxTm/.EiiYN02xUeAQs/");

   $ppr = Authen::Passphrase::PHPass->new(
           cost => 10, salt_random => 1,
           passphrase => "passphrase");

   $ppr = Authen::Passphrase::PHPass->from_crypt(
           '$P$8NaClNaClObRxTm/.EiiYN02xUeAQs/');

   $ppr = Authen::Passphrase::PHPass->from_rfc2307(
           '{CRYPT}$P$8NaClNaClObRxTm/.EiiYN02xUeAQs/');

   $cost = $ppr->cost;
   $cost_base64 = $ppr->cost_base64;
   $cost = $ppr->nrounds_log2;
   $cost_base64 = $ppr->nrounds_log2_base64;
   $salt = $ppr->salt;
   $hash = $ppr->hash;
   $hash_base64 = $ppr->hash_base64;

   if($ppr->match($passphrase)) { ...

   $passwd = $ppr->as_crypt;
   $userPassword = $ppr->as_rfc2307;

=head1 DESCRIPTION

Best
Adrian

Adrian Stel wrote:

'p_enc_pkg' => 'Authen::Passphrase::PHPass',
'p_enc_sub' => 'cost',

The comment above, the example below, and a bit of googling all show that
p_enc_pkg and p_enc_sub are together meant to name a hash function.
Your password string will be passed through the function, and the
resulting hash value is then managed by RT. The clearest example:

#'p_enc_pkg' => 'Crypt::MySQL',
#'p_enc_sub' => 'password41',

Crypt::MySQL::password41() is a function to which you pass a password
string and it returns a hash. For example, password41("hunter2") returns
"*58815970BE77B3720276F63DB198B1FA42E5CC02".

Authen::Passphrase::PHPass::cost is not a hashing function. It’s
not meant to be called as a standalone function at all. It’s the
implementation of the ->cost method on the Authen::Passphrase::PHPass
class, and so expects to be passed an A:P:PHPass object, not a string.
A:P:PHPass doesn’t actually expose the hash function on its own, so you
can’t use it this way.

In fact, the PHPass hash algorithm can’t be properly used by RT,
because it takes a salt input, and apparently RT can’t perform salting.
(There’s a p_salt parameter, which appears to be a fixed salt, defeating
the purpose.)

You could write a wrapper function around A:P:PHPass that creates a
recogniser for a supplied password and then just extracts the hash.
The wrapper would have to fix the cost parameter and the salt. It looks
like this:

   use Authen::Passphrase::PHPass ();
   sub phpass_10_aaaaaaaa($) {
           return Authen::Passphrase::PHPass->new(
                   cost=>10,
                   passphrase=>$_[0],
                   salt=>"aaaaaaaa",
           )->hash_base64;
   }

phpass_10_aaaaaaaa("hunter2") returns "LvYU3dRamxKB1.lRa4ow1/". This
is a hash function and could be used by RT via p_enc_pkg and p_enc_sub.

It’s a bit of an abstraction inversion to use A:P:PHPass just for
its hash function. If A:P:PHPass were wrapping some other module
that just provides the hash then I’d point you at the other module.
Most A:P modules do this, such as A:P:MySQL323 wrapping Crypt::MySQL.
But A:P:PHPass implements the hash itself. Also, if there were a module
exposing the PHPass algorithm on its own, you’d still have to write a
wrapper, because of the cost parameter that RT has no idea how to handle.

-zefram


Regards
Adrian Stelmaszyk

Regards
Adrian Stelmaszyk
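To make concrete what Zefram's wrapper fixes and why a fixed p_salt "defeats the purpose", here is an added example (not from the thread, RT, or Authen::Passphrase): a Python port of the phpass portable hash (the "$P$" scheme phpBB3 stores) with the cost and salt exposed. phpass_10_aaaaaaaa mirrors the wrapper above; phpass_crypt and phpass_verify are names chosen here and play the roles of as_crypt and from_crypt(...)->match shown in the SYNOPSIS, using a fresh per-user salt.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass's little-endian base64 variant (not RFC 4648)."""
    out = []
    for j in range(0, len(data), 3):
        chunk = data[j:j + 3]                      # 1..3 bytes per group
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> 6 * k) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)

def phpass_hash_base64(password: str, salt: str, cost: int) -> str:
    """22-char digest: md5(salt.pw), then 2**cost rounds of md5(h.pw)."""
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << cost):
        h = hashlib.md5(h + pw).digest()
    return encode64(h)

def phpass_crypt(password: str, cost: int = 10, salt=None) -> str:
    """'$P$' + cost char + 8-char salt + digest, the shape as_crypt returns."""
    if not 7 <= cost <= 30:
        raise ValueError("phpass cost must be 7..30")
    if salt is None:                  # fresh per-user salt, as salt_random => 1 does
        salt = encode64(os.urandom(6))  # 6 random bytes -> exactly 8 chars
    return "$P$" + ITOA64[cost] + salt + phpass_hash_base64(password, salt, cost)

def phpass_verify(password: str, stored: str) -> bool:
    """Check a stored phpBB-style hash, the role of from_crypt(...)->match($pw)."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        return False
    cost = ITOA64.find(stored[3])      # cost is recovered from the stored string
    if not 7 <= cost <= 30:
        return False
    digest = phpass_hash_base64(password, stored[4:12], cost)
    return hmac.compare_digest(digest.encode(), stored[12:].encode())

def phpass_10_aaaaaaaa(password: str) -> str:
    """Zefram's wrapper: fixed cost and salt, so every user shares one salt."""
    return phpass_hash_base64(password, "aaaaaaaa", 10)

if __name__ == "__main__":
    # Constructed demo: two accounts, same password. Per-user salts differ,
    # the fixed-salt wrapper output does not.
    alice, bob = phpass_crypt("hunter2"), phpass_crypt("hunter2")
    print(alice, bob, phpass_verify("hunter2", alice), sep="\n")
    print(phpass_10_aaaaaaaa("hunter2"), phpass_10_aaaaaaaa("hunter2"))
```

With the fixed-salt wrapper, equal passwords produce equal stored values across users, while hashes phpBB already wrote with their own per-user salt can only be checked the from_crypt/match way.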