[rt-users] PHPass and Request Tracker

Adrian Stel adisan82 at gmail.com
Wed Nov 16 05:47:30 EST 2011


2011/11/16 Adrian Stel <adisan82 at gmail.com>:
> Hi,
>
>
> perhaps this is a stupid question, but I'm not sure where I should put
> this wrapper function ;/
>
>
> I found in /usr/local/share/perl/5.10.1/Authen/Passphrase/PHPass.pm
>
>
> Is this the right place?
>
> =head1 SYNOPSIS
>
>        use Authen::Passphrase::PHPass;
>
>        $ppr = Authen::Passphrase::PHPass->new(
>                cost => 10, salt => "NaClNaCl",
>                hash_base64 => "ObRxTm/.EiiYN02xUeAQs/");
>
>        $ppr = Authen::Passphrase::PHPass->new(
>                cost => 10, salt_random => 1,
>                passphrase => "passphrase");
>
>        $ppr = Authen::Passphrase::PHPass->from_crypt(
>                '$P$8NaClNaClObRxTm/.EiiYN02xUeAQs/');
>
>        $ppr = Authen::Passphrase::PHPass->from_rfc2307(
>                '{CRYPT}$P$8NaClNaClObRxTm/.EiiYN02xUeAQs/');
>
>        $cost = $ppr->cost;
>        $cost_base64 = $ppr->cost_base64;
>        $cost = $ppr->nrounds_log2;
>        $cost_base64 = $ppr->nrounds_log2_base64;
>        $salt = $ppr->salt;
>        $hash = $ppr->hash;
>        $hash_base64 = $ppr->hash_base64;
>
>        if($ppr->match($passphrase)) { ...
>
>        $passwd = $ppr->as_crypt;
>        $userPassword = $ppr->as_rfc2307;
>
> =head1 DESCRIPTION
>
>
> Best
> Adrian
>
> 2011/11/16 Zefram <zefram at fysh.org>:
>> Adrian Stel wrote:
>>>'p_enc_pkg'                 =>  'Authen::Passphrase::PHPass',
>>>'p_enc_sub'                 =>  'cost',
>>
>> The comment above, the example below, and a bit of googling all show that
>> p_enc_pkg and p_enc_sub are together meant to name a hash function.
>> Your password string will be passed through the function, and the
>> resulting hash value is then managed by RT.  The clearest example:
>>
>>>#'p_enc_pkg'                 =>  'Crypt::MySQL',
>>>#'p_enc_sub'                 =>  'password41',
>>
>> Crypt::MySQL::password41() is a function to which you pass a password
>> string and it returns a hash.  For example, password41("hunter2") returns
>> "*58815970BE77B3720276F63DB198B1FA42E5CC02".
>>
>> Authen::Passphrase::PHPass::cost is not a hashing function.  It's
>> not meant to be called as a standalone function at all.  It's the
>> implementation of the ->cost method on the Authen::Passphrase::PHPass
>> class, and so expects to be passed an A:P:PHPass object, not a string.
>> A:P:PHPass doesn't actually expose the hash function on its own, so you
>> can't use it this way.
>>
>> In fact, the PHPass hash algorithm *can't* be properly used by RT,
>> because it takes a salt input, and apparently RT can't perform salting.
>> (There's a p_salt parameter, which appears to be a *fixed* salt, defeating
>> the purpose.)
>>
>> You could write a wrapper function around A:P:PHPass that creates a
>> recogniser for a supplied password and then just extracts the hash.
>> The wrapper would have to fix the cost parameter and the salt.  It looks
>> like this:
>>
>>        use Authen::Passphrase::PHPass ();
>>        sub phpass_10_aaaaaaaa($) {
>>                return Authen::Passphrase::PHPass->new(
>>                        cost=>10,
>>                        passphrase=>$_[0],
>>                        salt=>"aaaaaaaa",
>>                )->hash_base64;
>>        }
>>
>> phpass_10_aaaaaaaa("hunter2") returns "LvYU3dRamxKB1.lRa4ow1/".  *This*
>> is a hash function and could be used by RT via p_enc_pkg and p_enc_sub.
>>
>> It's a bit of an abstraction inversion to use A:P:PHPass just for
>> its hash function.  If A:P:PHPass were wrapping some other module
>> that just provides the hash then I'd point you at the other module.
>> Most A:P modules do this, such as A:P:MySQL323 wrapping Crypt::MySQL.
>> But A:P:PHPass implements the hash itself.  Also, if there were a module
>> exposing the PHPass algorithm on its own, you'd still have to write a
>> wrapper, because of the cost parameter that RT has no idea how to handle.
>>
>> -zefram
>>
>
>
>
> --
> Regards
> Adrian Stelmaszyk
>



-- 
Regards
Adrian Stelmaszyk
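An added example, not code from the thread, RT, or the Authen::Passphrase distribution, illustrating the point Zefram makes about the fixed salt. It uses only the Authen::Passphrase::PHPass calls shown in the SYNOPSIS above (new with cost/salt/passphrase or salt_random, hash_base64, as_crypt, from_crypt, match) and the phpass_10_aaaaaaaa wrapper from Zefram's message; the user names and passwords are constructed sample data. It contrasts the wrapper, which is the only shape RT's p_enc_pkg/p_enc_sub can consume according to the thread, with per-user random salts, which need the stored crypt string at verification time rather than a function of the password alone.

```perl
#!/usr/bin/perl
# Added example (not from the thread): why a fixed salt in an RT
# p_enc_sub wrapper defeats the purpose of PHPass salting, and what a
# per-user random salt looks like with Authen::Passphrase::PHPass.
use strict;
use warnings;
use Authen::Passphrase::PHPass ();

# The wrapper from the thread: cost and salt must be fixed because RT
# passes nothing but the password string to the function named by
# p_enc_sub.  PHPass salts are exactly 8 characters.
sub phpass_10_aaaaaaaa($) {
    return Authen::Passphrase::PHPass->new(
        cost       => 10,
        passphrase => $_[0],
        salt       => "aaaaaaaa",
    )->hash_base64;
}

# Constructed sample data: two users who happen to share a password.
my %users = (alice => "hunter2", bob => "hunter2", carol => "correct horse");

# 1. Fixed salt: identical passwords give identical stored values, so
#    recovering alice's password also recovers bob's, and a single
#    precomputed table covers every RT instance that uses this wrapper.
my %fixed = map { $_ => phpass_10_aaaaaaaa($users{$_}) } keys %users;
printf "%-6s %s\n", $_, $fixed{$_} for sort keys %fixed;
print "fixed salt:  alice and bob collide: ",
      ($fixed{alice} eq $fixed{bob} ? "yes" : "no"), "\n";

# 2. Per-user random salt: the salt is generated when the hash is made
#    and carried inside the crypt string ("\$P\$" . cost . salt . hash),
#    so the stored string, not the password alone, is needed to verify.
my %salted = map {
    $_ => Authen::Passphrase::PHPass->new(
        cost        => 10,
        salt_random => 1,
        passphrase  => $users{$_},
    )->as_crypt
} keys %users;
printf "%-6s %s\n", $_, $salted{$_} for sort keys %salted;
print "random salt: alice and bob collide: ",
      ($salted{alice} eq $salted{bob} ? "yes" : "no"), "\n";

# Verification re-parses cost and salt from the stored string; no
# separate salt parameter is involved, which is what a p_enc_sub-style
# "password in, hash out" function cannot express.
for my $u (sort keys %users) {
    my $ppr = Authen::Passphrase::PHPass->from_crypt($salted{$u});
    die "$u: stored hash does not verify" unless $ppr->match($users{$u});
    die "$u: wrong password accepted"     if $ppr->match("not the password");
}
print "all salted hashes verify\n";
```

Run it with the module installed (the path quoted earlier in the thread is where Debian's package puts it); the first block prints the same hash_base64 for alice and bob, the second prints two different crypt strings for them, and from_crypt/match still accepts each user's own password.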


