[rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);

Adrian Stel adisan82 at gmail.com
Wed Nov 16 07:27:06 EST 2011


Hi,


I get some info from PHPass but I don't know how use it ;/ any
sugestion from your site ?


>'p_enc_pkg'                 =>  'Authen::Passphrase::PHPass',
>'p_enc_sub'                 =>  'cost',

The comment above, the example below, and a bit of googling all show that
p_enc_pkg and p_enc_sub are together meant to name a hash function.
Your password string will be passed through the function, and the
resulting hash value is then managed by RT.  The clearest example:

>#'p_enc_pkg'                 =>  'Crypt::MySQL',
>#'p_enc_sub'                 =>  'password41',

Crypt::MySQL::password41() is a function to which you pass a password
string and it returns a hash.  For example, password41("hunter2") returns
"*58815970BE77B3720276F63DB198B1FA42E5CC02".

Authen::Passphrase::PHPass::cost is not a hashing function.  It's
not meant to be called as a standalone function at all.  It's the
implementation of the ->cost method on the Authen::Passphrase::PHPass
class, and so expects to be passed an A:P:PHPass object, not a string.
A:P:PHPass doesn't actually expose the hash function on its own, so you
can't use it this way.

In fact, the PHPass hash algorithm *can't* be properly used by RT,
because it takes a salt input, and apparently RT can't perform salting.
(There's a p_salt parameter, which appears to be a *fixed* salt, defeating
the purpose.)

You could write a wrapper function around A:P:PHPass that creates a
recogniser for a supplied password and then just extracts the hash.
The wrapper would have to fix the cost parameter and the salt.  It looks
like this:

       use Authen::Passphrase::PHPass ();
       sub phpass_10_aaaaaaaa($) {
               return Authen::Passphrase::PHPass->new(
                       cost=>10,
                       passphrase=>$_[0],
                       salt=>"aaaaaaaa",
               )->hash_base64;
       }

phpass_10_aaaaaaaa("hunter2") returns "LvYU3dRamxKB1.lRa4ow1/".  *This*
is a hash function and could be used by RT via p_enc_pkg and p_enc_sub.

It's a bit of an abstraction inversion to use A:P:PHPass just for
its hash function.  If A:P:PHPass were wrapping some other module
that just provides the hash then I'd point you at the other module.
Most A:P modules do this, such as A:P:MySQL323 wrapping Crypt::MySQL.
But A:P:PHPass implements the hash itself.  Also, if there were a module
exposing the PHPass algorithm on its own, you'd still have to write a
wrapper, because of the cost parameter that RT has no idea how to handle.



2011/11/16 Adrian Stel <adisan82 at gmail.com>:
> Hi,
>
>
> DBI.pm
>  this is the place with p_enc_sub:
>
>
> sub GetAuth {
>
>    my ($service, $username, $password) = @_;
>
>    my $config = $RT::ExternalSettings->{$service};
>    $RT::Logger->debug( "Trying external auth service:",$service);
>
>    my $db_table        = $config->{'table'};
>    my $db_u_field      = $config->{'u_field'};
>    my $db_p_field          = $config->{'p_field'};
>    my $db_p_enc_pkg    = $config->{'p_enc_pkg'};
>    my $db_p_enc_sub    = $config->{'p_enc_sub'};
>    my $db_p_salt       = $config->{'p_salt'};
>
>
>
> Place where the password is submitted to that method as a string parameter.
>
> In my opinion could be here:
>
>  # Get the user's password from the database query result
>    my $pass_from_db = $results_hashref->{$username}->{$db_p_field};
>
>    # This is the encryption package & subroutine passed in by the config file
>    $RT::Logger->debug( "Encryption Package:",
>                        $db_p_enc_pkg);
>    $RT::Logger->debug( "Encryption Subroutine:",
>                        $db_p_enc_sub);
>
>    # Use config info to auto-load the perl package needed for
> password encryption
>    # I know it uses a string eval - but I don't think there's a
> better way to do this
>    # Jump to next external authentication service on failure
>    eval "require $db_p_enc_pkg" or
>        $RT::Logger->error("AUTH FAILED, Couldn't Load Password
> Encryption Package. Error: $@") && return 0;
>
>    my $encrypt = $db_p_enc_pkg->can($db_p_enc_sub);
>    if (defined($encrypt)) {
>        # If the package given can perform the subroutine given, then
> use it to compare the
>        # password given with the password pulled from the database.
>        # Jump to the next external authentication service if they don't match
>        if(defined($db_p_salt)) {
>            $RT::Logger->debug("Using salt:",$db_p_salt);
>            if(${encrypt}->($password,$db_p_salt) ne $pass_from_db){
>                $RT::Logger->info(  $service,
>                                    "AUTH FAILED",
>                                    $username,
>                                    "Password Incorrect");
>                return 0;
>            }
>        } else {
>            if(${encrypt}->($password) ne $pass_from_db){
>                $RT::Logger->info(  $service,
>                                    "AUTH FAILED",
>                                    $username,
>                                    "Password Incorrect");
>                return 0;
>            }
>        }
>    } else {
>        # If the encryption package can't perform the request subroutine,
>        # dump an error and jump to the next external authentication service.
>        $RT::Logger->error($service,
>                            "AUTH FAILED",
>                            "The encryption package you gave me (",
>                            $db_p_enc_pkg,
>                            ") does not support the encryption method
> you specified (",
>                            $db_p_enc_sub,
>                            ")");
>    return 0;
>    }
>
>
> But i'm not shure where exactly. And how I can convert string to hash.
>
> I'm not familiar with perl ;/
>
>
>
> Best
> Adrian
>
> 2011/11/15 Zordrak <zordrak at tpa.me.uk>:
>> Adrian Stel wrote:
>>> Hi,
>>>
>>>
>>> Can't use string ("user password") as a HASH ref while "strict refs"
>>> in use at /usr/local/share/perl/5.10.1/Authen/Passphrase/PHPass.pm
>>> line 278.
>>>
>>> Problem is with type of user password.
>>>
>>> Still need to know where I should search.
>>
>> Search for the text "p_enc_sub". There's only one place it should be
>> defined and it will be very close to where the password is submitted to
>> that method as a string parameter.
>> --
>> Zordrak
>> zordrak at tpa.me.uk
>>
>>
>
>
>
> --
> Pozdrawiam
> Adrian Stelmaszyk
>



-- 
Pozdrawiam
Adrian Stelmaszyk



More information about the rt-users mailing list