[rt-users] Password Encryption Used By RT

Rick Bradley rt-users at rickbradley.com
Fri Nov 8 14:05:44 EST 2002


* John Gedeon (jgedeon at qualcomm.com) [021108 11:56]:
> Rick
> if our passwords used md5 (I am not sure if they do) would it be possible 
> to hack rt to use the same thing or is there no md5 function for perl?
> John

Certainly (or see about using external auth as suggested by another
poster).  Look at Digest::MD5, and/or Crypt::PasswdMD5.  IIRC
the encrypted md5 passwords are stored in base64 format with "$1$salt$"
prepended.  A search on "md5 salt perl" should turn up some useful
information as well.

I see this, which looks like it's on the right track:

http://nntp.x.perl.org/group/perl.crypto/45

Essentially you need to generate the correct format for storing the
encrypted md5 password, and then, on lookup during authentication, use
the right encryption (md5 vs. des) based on the format of the stored
password.

I haven't needed to do the full trick in Perl, but a friend [0] and I
did it in PHP for some projects and donated a version to PHPAuth [1] if
you want a free working example.  There are probably more concise
examples, and definitely some in Perl, available to the diligent Google
surfer.

[0] http://www.michaelchaney.com/
[1] http://www.phpauth.com/

Rick
-- 
 http://www.rickbradley.com    MUPRN: 950    (65F/65F)
                       |  I've used the system
   random email haiku  |  at all hours...), I don't see
                       |  how that could be true.
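
The format-based dispatch described in the message above, sketched in Perl as an added example that is not part of the original post and is not RT's own code. The function names and sample accounts are hypothetical; `unix_md5_crypt` comes from the Crypt::PasswdMD5 module the message names, and `crypt` is the Perl builtin.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt);   # CPAN module named in the message

# Decide which scheme produced a stored hash, from its format alone.
sub hash_scheme {
    my ($stored) = @_;
    return 'unknown' unless defined $stored;
    # MD5 crypt: "$1$", up to 8 salt characters, "$", 22 encoded characters
    return 'md5' if $stored =~ m{^\$1\$[^\$]{1,8}\$[./0-9A-Za-z]{22}\z};
    # Traditional DES crypt: 2 salt characters + 11 encoded characters
    return 'des' if $stored =~ m{^[./0-9A-Za-z]{13}\z};
    return 'unknown';
}

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 unless defined($x) && defined($y) && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Re-hash the candidate with the scheme and salt taken from the stored value.
sub check_password {
    my ($plain, $stored) = @_;
    my $scheme = hash_scheme($stored);
    my $computed;
    if    ($scheme eq 'md5') { $computed = unix_md5_crypt($plain, $stored) }
    elsif ($scheme eq 'des') { $computed = crypt($plain, $stored) }
    else                     { return 0 }    # unrecognised format: reject
    return same_string($computed, $stored);
}

# Constructed sample records, generated at run time (no real credentials).
my %stored = (
    alice => unix_md5_crypt('correct horse', 'Xy3kQ9aB'),
    bob   => crypt('tr0ub4dor', 'ab'),   # may be unavailable where libc disables DES
    carol => 'not-a-crypt-hash',
);
for my $try (['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'tr0ub4dor'], ['carol', 'x']) {
    my ($user, $plain) = @$try;
    printf "%-5s scheme=%-7s %s\n", $user, hash_scheme($stored{$user}),
        check_password($plain, $stored{$user}) ? 'accepted' : 'rejected';
}
```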


