[rt-devel] User passwords not working after vulnerable-passwords script

Henti Smith henti at geekware.co.za
Fri Oct 5 07:10:06 EDT 2012


Good day.

I'm busy doing a POC for an upgrade from 3.8.4 to 4.0.7. I've done
this in two stages. From 3.8.4 to 3.8.14 and then from 3.8.14 to
4.0.7.

During the 3.8.4 to 3.8.14 upgrade, one of the steps recommended in
UPGRADING-3.8 was:

UPGRADING FROM 3.8.8 and earlier - Changes:

Previous versions of RT used a password hashing scheme which was too
easy to reverse, which could allow attackers with read access to the RT
database to possibly compromise users' passwords.  Even if RT does no
password authentication itself, it may still store these weak password
hashes -- using ExternalAuth does not guarantee that you are not
vulnerable!  To upgrade stored passwords to a stronger hash, run:

    perl etc/upgrade/vulnerable-passwords

Once this was done, I continued the upgrade from 3.8.14 to 4.0.7.

Now with the upgrade complete users cannot log in to RT and a reset of
passwords is required.

From what I can see, the following happens.

I set up a test user with password "password".

The password hash in version 3.8.4 is "5f4dcc3b5aa765d61d8327deb882cf99"

After upgrading to 3.8.14 I ran "perl vulnerable-passwords --fix" as
part of the UPGRADING-3.8 process. The hash was updated to
"vrNwQBRT8po3vRIynSzBv/WFu7L9eTlgR+Q+kT0W".

I then upgraded from 3.8.14 to 4.0.7. When I attempt to log in, the
login fails with "Your username or password is incorrect".

If I go into the database and set the password hash to
"5f4dcc3b5aa765d61d8327deb882cf99" again and attempt to log in without
running "vulnerable-passwords", the hash is updated to

"sha512!Gox1IONnOaZJR6ke!fjo4C+IgBK31K/AD1Zx6wP639v1dc1RSji8jRDC153Nc9OScGD8yZ8aducT8wWTPEdMf5pnNccTMAe3ikb6OFw"

I think there might be an intermediate step I'm missing. Was I supposed
to log into RT after the 3.8.4 upgrade to update the hash before
upgrading from 3.8.14 to 4.0.7?
Can anybody assist in identifying where I'm going wrong?

Regards
Henti
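Added example (not from the thread and not RT's own code): a small audit helper that recognises the three stored-hash formats quoted above, so an admin can check the Users table for accounts still holding weak hashes before and after an upgrade. It verifies the legacy unsalted MD5 form, and verifies the RT 4.0 "sha512!salt!digest" form under the assumption that the digest is base64(sha512(salt . raw_md5(password))); that construction must be confirmed against the installed RT before it is relied on. The sample rows are constructed from the hashes in the thread.

```python
import base64, hashlib, re

# Observable formats quoted in the thread; detection needs no crypto.
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")        # RT 3.8.4: unsalted hex MD5
SALTED_38 = re.compile(r"^[A-Za-z0-9+/]{40}$")    # 3.8.x after vulnerable-passwords
RT4_SHA512 = re.compile(r"^sha512!([^!]+)!([A-Za-z0-9+/]+=*)$")  # RT 4.0.x

def classify(stored):
    """Name the generation of RT password storage a stored hash belongs to."""
    if LEGACY_MD5.match(stored):
        return "legacy-md5"
    if RT4_SHA512.match(stored):
        return "rt4-sha512"
    if SALTED_38.match(stored):
        return "rt38-salted"
    return "unknown"

def check_legacy_md5(password, stored):
    # Unsalted MD5 of the password: the weak scheme UPGRADING-3.8 warns about.
    return hashlib.md5(password.encode()).hexdigest() == stored

def _rt4_digest(password, salt):
    # ASSUMPTION: RT 4.0 stores base64(sha512(salt || raw_md5(password))).
    # Confirm against lib/RT/User.pm on your own install before relying on it.
    raw = hashlib.sha512(salt.encode() + hashlib.md5(password.encode()).digest()).digest()
    return base64.b64encode(raw).decode().rstrip("=")

def make_rt4_sha512(password, salt):
    return "sha512!%s!%s" % (salt, _rt4_digest(password, salt))

def check_rt4_sha512(password, stored):
    m = RT4_SHA512.match(stored)
    return bool(m) and _rt4_digest(password, m.group(1)) == m.group(2).rstrip("=")

def audit(rows):
    """rows: (username, stored_hash) pairs from the Users table. Returns a count
    per format so an admin can see which accounts still hold weak hashes."""
    counts = {}
    for _, stored in rows:
        kind = classify(stored)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed sample rows using the three hashes quoted in the thread.
SAMPLE_USERS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob", "vrNwQBRT8po3vRIynSzBv/WFu7L9eTlgR+Q+kT0W"),
    ("carol", "sha512!Gox1IONnOaZJR6ke!fjo4C+IgBK31K/AD1Zx6wP639v1dc1RSji8jRDC153Nc9OScGD8yZ8aducT8wWTPEdMf5pnNccTMAe3ikb6OFw"),
]
```

Running `audit(SAMPLE_USERS)` over a real dump of the Users table's Password column (usernames and hashes only) shows how many accounts still need the vulnerable-passwords step.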

