[rt-devel] User passwords not working after vulnerable-passwords script
falcone at bestpractical.com
Fri Oct 5 11:01:41 EDT 2012
On Fri, Oct 05, 2012 at 01:10:06PM +0200, Henti Smith wrote:
> I'm busy doing a POC for an upgrade from 3.8.4 to 4.0.7. I've done
> this in two stages. From 3.8.4 to 3.8.14 and then from 3.8.14 to
Why are you upgrading this way, rather than just upgrading to 4.0.7 as
You might find the blog post I wrote a while back about upgrading
Also, when debugging issues like this, please include your RT logs,
with the loglevel turned up to debug.
> during the 3.8.4 to 3.8.14 upgrade one of the steps recommended in
> UPGRADING-3.8 was :
> UPGRADING FROM 3.8.8 and earlier - Changes:
> Previous versions of RT used a password hashing scheme which was too
> easy to reverse, which could allow attackers with read access to the RT
> database to possibly compromise users' passwords. Even if RT does no
> password authentication itself, it may still store these weak password
> hashes -- using ExternalAuth does not guarantee that you are not
> vulnerable! To upgrade stored passwords to a stronger hash, run:
> perl etc/upgrade/vulnerable-passwords
> Once this was done, I continued the upgrade from 3.8.14 to 4.0.7.
> Now with the upgrade complete users cannot log in to RT and a reset of
> passwords is required.
> From what I can see the following happens.
> I set up a test user with password "password"
> The password hash in version 3.8.4 is "5f4dcc3b5aa765d61d8327deb882cf99"
> After upgrading to 3.8.14 I ran "perl vulnerable-passwords --fix" as
> part of the UPGRADING-3.8 process. The hash was updated to
> I then upgraded from 3.8.14 to 4.0.7. When I attempt to log in, the
> login fails with "Your username or password is incorrect"
> If I go into the database and set the password hash to
> "5f4dcc3b5aa765d61d8327deb882cf99" again and attempt to log in without
> running "vulnerable-passwords" the hash is updated to
> I think there might be an intermediate step I'm missing. Was I supposed
> to log into RT after the 3.8.4 upgrade to update the hash before
> upgrading from 3.8.14 to 4.0.7 ?
> Can anybody assist in identifying where I'm going wrong?
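The failure mode described in this thread, as an added illustration that is not code from RT or from either poster: a fix-up script that runs without the plaintext can only wrap the stored MD5 digest in a salted hash, so the login-time verifier must recognise that interim format (and rewrite it to the current one on first successful login), otherwise every user whose hash the script touched is locked out. The three storage formats, the `$md5wrap$`/`$pbkdf2$` prefixes and all function names here are hypothetical stand-ins chosen for the example; RT's actual hashing schemes and Perl code are not reproduced. Only the legacy format matches the thread: unsalted hex MD5, which for "password" is 5f4dcc3b5aa765d61d8327deb882cf99.

```python
"""Password-hash migration across an upgrade path (illustrative, not RT's code).

Formats used here are hypothetical stand-ins for the ones in the thread:
  legacy   32 hex chars, unsalted MD5 of the password
  interim  $md5wrap$<salt_hex>$<sha256_hex>   salted SHA-256 over the MD5 digest
  current  $pbkdf2$<iters>$<salt_hex>$<dk_hex> PBKDF2-HMAC-SHA256 over the password
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

PBKDF2_ITERS = 100_000
HEX = set("0123456789abcdef")


def hash_legacy_md5(password: str) -> str:
    """Legacy format: unsalted MD5, hex. Reversible by lookup table."""
    return hashlib.md5(password.encode()).hexdigest()


def is_legacy(stored: str) -> bool:
    return len(stored) == 32 and set(stored) <= HEX


def wrap_legacy(md5_hex: str, salt: Optional[bytes] = None) -> str:
    """What an offline fix-up script can do WITHOUT the plaintext: salt and
    re-hash the stored MD5 digest itself (hypothetical format)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha256(salt + md5_hex.encode()).hexdigest()
    return f"$md5wrap${salt.hex()}${digest}"


def hash_current(password: str, salt: Optional[bytes] = None,
                 iters: int = PBKDF2_ITERS) -> str:
    """Current format; can only be produced when the plaintext is known."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return f"$pbkdf2${iters}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Accept every format that exists anywhere on the upgrade path."""
    if stored.startswith("$pbkdf2$"):
        _, _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    if stored.startswith("$md5wrap$"):
        _, _, salt_hex, digest_hex = stored.split("$")
        inner = hash_legacy_md5(password).encode()
        digest = hashlib.sha256(bytes.fromhex(salt_hex) + inner).hexdigest()
        return hmac.compare_digest(digest, digest_hex)
    if is_legacy(stored):
        return hmac.compare_digest(hash_legacy_md5(password), stored)
    return False  # unknown format: never authenticate


def verify_current_only(stored: str, password: str) -> bool:
    """A verifier that forgot the interim format: wrapped hashes always fail,
    which is exactly the lock-out seen after running a fix-up script."""
    if stored.startswith("$pbkdf2$") or is_legacy(stored):
        return verify(stored, password)
    return False


def fix_script(db: dict) -> int:
    """Bulk pass over the user table, like an offline fix-up: wraps legacy
    MD5 entries and returns how many rows were rewritten."""
    rewritten = 0
    for user, stored in list(db.items()):
        if is_legacy(stored):
            db[user] = wrap_legacy(stored)
            rewritten += 1
    return rewritten


def login(db: dict, username: str, password: str,
          check: Callable[[str, str], bool] = verify) -> bool:
    """Authenticate; on success, upgrade any non-current hash in place, since
    login is the one moment the plaintext is available to the server."""
    stored = db.get(username)
    if stored is None or not check(stored, password):
        return False
    if not stored.startswith("$pbkdf2$"):
        db[username] = hash_current(password)
    return True


if __name__ == "__main__":
    users = {"alice": hash_legacy_md5("password")}  # constructed sample row
    print("wrapped rows:", fix_script(users))
    print("lenient verifier:", login(users, "alice", "password"))
    print("stored now:", users["alice"][:8], "...")
```

Running the module wraps the constructed legacy row, authenticates alice through the lenient verifier and leaves a `$pbkdf2$` hash behind; swapping in `verify_current_only` as the `check` argument reproduces the "username or password is incorrect" outcome for the same credentials, because the wrapped interim format is no longer recognised.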