RT3 encryption

Hi there,

How are the passwords stored in the database? It looks like an MD5 hash without a salt. We’re attempting to migrate from the internal auth to external authentication, but don’t want to go and ask the users for their passwords. I extracted the hashes from the Users table, but there is no salt. Is it stored somewhere else? Extrapolated based on certain criteria?

Can anyone offer some insight?

Regards,
Scott

> How are the passwords stored in the database? It looks like an MD5
> hash without a salt. We’re attempting to migrate from the internal

MD5 itself doesn’t use a salt.

And RT doesn’t add one.

RT::User_Overlay.pm …
use Digest::MD5;
# Unsalted: the stored value depends on $password alone
my $md5 = Digest::MD5->new();
$md5->add($password);
return ($md5->b64digest);

-R
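The RT scheme quoted above, worked through in Python as an added example (this is not RT's code): `rt3_hash` reproduces what `Digest::MD5->b64digest` stores (base64 of the raw 16-byte digest with the `=` padding dropped), `shared_hash_groups` shows the consequence of the missing salt, and `salted_hash` is a hypothetical salted variant included only to show what a salt changes. The user names and passwords are constructed.

```python
import base64
import hashlib
import secrets


def rt3_hash(password):
    """Unsalted MD5, base64 without '=' padding: the same transform that
    RT::User_Overlay.pm applies through Digest::MD5->b64digest."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def rt3_verify(password, stored):
    """Constant-time comparison against a value from the Users table."""
    return secrets.compare_digest(rt3_hash(password), stored)


def shared_hash_groups(users):
    """Group user names whose stored hashes are identical. Without a salt,
    every user who chose the same password carries the same stored value,
    which is the weakness the thread is pointing at."""
    groups = {}
    for name, stored in users.items():
        groups.setdefault(stored, []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def salted_hash(password, salt=None):
    """Hypothetical salted form (not RT's): 8 random bytes are mixed into
    the digest and stored alongside it as base64(salt)$base64(digest)."""
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return (base64.b64encode(salt).decode("ascii") + "$"
            + base64.b64encode(digest).decode("ascii"))


def salted_verify(password, stored):
    """Recover the salt from the stored string and recompute."""
    salt_b64, _, _ = stored.partition("$")
    recomputed = salted_hash(password, base64.b64decode(salt_b64))
    return secrets.compare_digest(recomputed, stored)


if __name__ == "__main__":
    # Constructed sample rows; two users happen to share a password.
    users = {
        "alice": rt3_hash("Winter2005"),
        "bob": rt3_hash("Winter2005"),
        "carol": rt3_hash("Summer2005"),
    }
    print("RT-style hash for 'password':", rt3_hash("password"))
    print("users sharing a hash:", shared_hash_groups(users))
    # With a salt the same password yields different stored values.
    print(salted_hash("Winter2005"))
    print(salted_hash("Winter2005"))
```

The stored RT value for a given password is always the same 22-character string, so a dump of the Users table reveals which accounts share a password before any guessing happens; the salted variant removes that property, at the cost of also having to store the salt.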

> How are the passwords stored in the database? It looks like an MD5
> hash without a salt. We’re attempting to migrate from the internal
>
> MD5 itself doesn’t use a salt.
>
> And RT doesn’t add one.
>
> RT::User_Overlay.pm …
> my $md5 = Digest::MD5->new();
> $md5->add($password);
> return ($md5->b64digest);

Right. Do you know if there’s a way for apache’s ‘htaccess’ mechanism to read a salt-less MD5 password? I haven’t been able to get this to work yet.

Scott

> Right. Do you know if there’s a way for apache’s ‘htaccess’
> mechanism to read a salt-less MD5 password? I haven’t been able to
> get this to work yet.

I’m not sure it will.

Definitely what it writes is incompatible:

The MD5 algorithm used by htpasswd is specific to the Apache
software; passwords encrypted using it will not be usable with
other Web servers.
http://httpd.apache.org/docs-2.0/programs/htpasswd.html

$ /home/perl/apache2/bin/htpasswd -bnm username password
username:$apr1$YPiUc/…$jJcpU6953ESwoLsnVpaQq.

Note the “type” of apr1.

Linux generates:
$1$MGw18b6V$GUmR55ftPBz0iWPkPAWUU1

Longer term, RT should switch to salting its MD5 hashes. Or maybe
some pepper. That’s probably a 3.2 thing.

Crypt::PasswdMD5 does both Linux/FreeBSD style MD5 and Apache
style… which leads to all sorts of fun.

But sadly, this doesn’t help your immediate problem.

-R
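As an added example (this is my own code, not Crypt::PasswdMD5, Apache's or RT's), the following Python reimplements the md5crypt construction behind both formats shown above: `$1$` (Linux/FreeBSD crypt) and `$apr1$` (what `htpasswd -m` writes). The two differ only in the magic string that is mixed into the first MD5 round, which is why a hash of one type never verifies as the other even with the same salt. The function names `md5crypt`, `unix_md5`, `apr1` and `verify` are mine, and the salts in the usage are constructed.

```python
import hashlib
import re
import secrets

# crypt(3)-style alphabet, shared by $1$ and $apr1$
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    """Emit n characters, least-significant 6 bits first (crypt's to64)."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt, magic="$1$"):
    """md5crypt as in FreeBSD's crypt(3) and Apache's apr_md5_encode().
    magic is "$1$" for Linux/FreeBSD and "$apr1$" for htpasswd -m."""
    pw = password.encode("utf-8")
    salt = salt.split("$", 1)[0][:8].encode("ascii")   # at most 8 chars
    ctx = hashlib.md5(pw + magic.encode("ascii") + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    # as many bytes of md5(pw, salt, pw) as the password is long
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # for each bit of the password length: a NUL byte or the first pw byte
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with a fixed, alternating schedule
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return magic + salt.decode("ascii") + "$" + encoded


def gen_salt(n=8):
    return "".join(secrets.choice(ITOA64) for _ in range(n))


def unix_md5(password, salt=None):
    """Linux/FreeBSD form, e.g. $1$MGw18b6V$..."""
    return md5crypt(password, salt or gen_salt(), "$1$")


def apr1(password, salt=None):
    """Apache form, e.g. $apr1$YPiUc/..$..., as written by htpasswd -m"""
    return md5crypt(password, salt or gen_salt(), "$apr1$")


_FMT = re.compile(r"^(\$apr1\$|\$1\$)([^$]{1,8})\$[./0-9A-Za-z]{22}$")


def verify(password, stored):
    """Parse magic and salt out of a stored string and recompute."""
    m = _FMT.match(stored)
    if not m:
        return False          # unsalted RT-style values never match here
    recomputed = md5crypt(password, m.group(2), m.group(1))
    return secrets.compare_digest(recomputed, stored)


if __name__ == "__main__":
    print(unix_md5("password", "saltsalt"))   # $1$saltsalt$...
    print(apr1("password", "saltsalt"))       # $apr1$saltsalt$...
```

Note that `verify` rejects a bare 22-character RT hash outright: there is no salt and no magic to recover, so the stored value cannot be turned into either format without the cleartext, which is the immediate problem -R describes.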

> Right. Do you know if there’s a way for apache’s ‘htaccess’
> mechanism to read a salt-less MD5 password? I haven’t been able to
> get this to work yet.
>
> I’m not sure it will.
>
> Definitely what it writes, is incompatible:
>
> The MD5 algorithm used by htpasswd is specific to the Apache
> software; passwords encrypted using it will not be usable with
> other Web servers.
> http://httpd.apache.org/docs-2.0/programs/htpasswd.html
>
> $ /home/perl/apache2/bin/htpasswd -bnm username password
> username:$apr1$YPiUc/…$jJcpU6953ESwoLsnVpaQq.
>
> Note the “type” of apr1.
>
> Linux generates:
> $1$MGw18b6V$GUmR55ftPBz0iWPkPAWUU1
>
> Longer term, RT should switch to salting its MD5 hashes. Or maybe
> some pepper. That’s probably a 3.2 thing.
>
> Crypt::PasswdMD5 does both Linux/FreeBSD style MD5 and Apache
> style… which leads to all sort of fun.
>
> But sadly, this doesn’t help your immediate problem.

Thanks. This is more or less what I have been able to determine, but it’s good to know I’m not doing something horribly wrong.

Interestingly enough, I’ve been able to get Linux/FreeBSD-style MD5 hashes to work fine with Apache’s htaccess mechanism. Just have to force our users to go to a website and generate a password for them.

Scott

Maybe you could run crack on your existing hashes, and
then re-encode any successes with the apache style MD5 :-)

[I’m joking! If you take this seriously, be sure to get written permission from your boss, and ask Randal Schwartz for advice first.]

Another alternative might be to use ldap. Many ldap servers
(openldap for sure) can use MD5 with and without salt.
You could have apache consult ldap, and have RT set to use
$WebExternalAuth = 1. Of course, you need to run the
ldap server, but that could have other benefits
depending on your environment.

bobg
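bobg's LDAP route, as an added example (my own code, not OpenLDAP's or RT's): the `{MD5}` userPassword scheme OpenLDAP accepts is base64 of the raw digest, the same bytes RT stores, only with the `=` padding kept, so the existing RT hashes can be loaded into the directory without recovering a single password; `{SMD5}` is the salted form (base64 of digest followed by salt) the directory can use from then on. The helper names and the sample values are constructed; the 4-byte salt length mirrors what slappasswd produces but any length verifies.

```python
import base64
import hashlib
import secrets


def rt3_hash(password):
    """What RT 3 stores: base64(md5(password)) without '=' padding."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def ldap_md5(password):
    """{MD5} scheme: base64 of the raw 16-byte digest, padding kept."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def rt3_to_ldap_md5(rt_hash):
    """Re-encode an existing RT hash for the directory. No password is
    needed: the digest bytes are identical, only the padding differs."""
    padding = "=" * (-len(rt_hash) % 4)
    return "{MD5}" + rt_hash + padding


def ldap_smd5(password, salt=None):
    """{SMD5} scheme: base64( md5(password || salt) || salt )."""
    if salt is None:
        salt = secrets.token_bytes(4)
    digest = hashlib.md5(password.encode("utf-8") + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def ldap_verify(password, stored):
    """Verify against either scheme; the salt is carried in the value."""
    scheme, _, b64 = stored.partition("}")
    raw = base64.b64decode(b64)
    pw = password.encode("utf-8")
    if scheme == "{MD5":
        return secrets.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "{SMD5":
        digest, salt = raw[:16], raw[16:]
        return secrets.compare_digest(hashlib.md5(pw + salt).digest(), digest)
    raise ValueError("unsupported userPassword scheme: " + scheme + "}")


def migrate_users(rt_users):
    """Map constructed RT rows {name: rt_hash} to LDAP userPassword values."""
    return {name: rt3_to_ldap_md5(h) for name, h in rt_users.items()}


if __name__ == "__main__":
    rows = {"alice": rt3_hash("Winter2005"), "bob": rt3_hash("Summer2005")}
    for name, value in migrate_users(rows).items():
        print(name, value, ldap_verify("Winter2005", value))
    print(ldap_smd5("Winter2005"))
```

The migrated `{MD5}` entries are still unsalted, so the weakness R describes travels with them; a directory that can also verify `{SMD5}` lets you rewrite each entry to the salted form at the user's next successful login, when the cleartext is briefly available to the server, and RT with `$WebExternalAuth = 1` never sees the hashes again.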