[rt-devel] User passwords not working after vulnerable-passwords script

Kevin Falcone falcone at bestpractical.com
Fri Oct 5 11:01:41 EDT 2012

On Fri, Oct 05, 2012 at 01:10:06PM +0200, Henti Smith wrote:
> I'm busy doing a POC for an upgrade from 3.8.4 to 4.0.7. I've done
> this in two stages. From 3.8.4 to 3.8.14 and then from 3.8.14 to
> 4.0.7.

Why are you upgrading this way, rather than just upgrading to 4.0.7 as

You might find the blog post I wrote a while back about upgrading

Also, when debugging issues like this, please include your RT logs,
with the loglevel turned up to debug.


> during the 3.8.4 to 3.8.14 upgrade one of the steps recommended in
> UPGRADING-3.8 was :
> UPGRADING FROM 3.8.8 and earlier - Changes:
> Previous versions of RT used a password hashing scheme which was too
> easy to reverse, which could allow attackers with read access to the RT
> database to possibly compromise users' passwords.  Even if RT does no
> password authentication itself, it may still store these weak password
> hashes -- using ExternalAuth does not guarantee that you are not
> vulnerable!  To upgrade stored passwords to a stronger hash, run:
>     perl etc/upgrade/vulnerable-passwords
> Once this was done, I continued the upgrade from 3.8.14 to 4.0.7.
> Now, with the upgrade complete, users cannot log in to RT and a reset of
> passwords is required.
> From what I can see the following happens.
> I set up a test user with password "password"
> The password hash in version 3.8.4 is "5f4dcc3b5aa765d61d8327deb882cf99"
> After upgrading to 3.8.14 I ran "perl vulnerable-passwords --fix" as
> part of the UPGRADING-3.8 process. The hash was updated to
> "vrNwQBRT8po3vRIynSzBv/WFu7L9eTlgR+Q+kT0W"
> I then upgraded from 3.8.14 to 4.0.7. When I attempt to log in, the
> login failed with "Your username or password is incorrect"
> If I go into the database and set the password hash to
> "5f4dcc3b5aa765d61d8327deb882cf99" again and attempt to log in without
> running "vulnerable-passwords" the hash is updated to
> "sha512!Gox1IONnOaZJR6ke!fjo4C+IgBK31K/AD1Zx6wP639v1dc1RSji8jRDC153Nc9OScGD8yZ8aducT8wWTPEdMf5pnNccTMAe3ikb6OFw"
> I think there might be an intermediate step I'm missing. Was I supposed
> to log into RT after the 3.8.4 upgrade to update the hash before
> upgrading from 3.8.14 to 4.0.7 ?
> Can anybody assist in identifying where I'm going wrong ?
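As an added example (not code from this thread, from Kevin, or from RT itself), here is a Python reconstruction of the three stored-password forms that appear in Henti's message, a classifier that tells them apart the way a DBA would see them in the Users table, and a verifier that accepts a login against each and rewrites a legacy form in the newest one, which is the behaviour Henti observed when logging in against the MD5 hash on 4.0.7. The scheme internals are assumptions from my recollection of RT's User code: a 4-byte salt plus the first 26 bytes of SHA-256 over the raw MD5 for the 3.8.9 form, and a 16-character base64 salt with an unpadded base64 SHA-512 for the 4.0 form. They are consistent with the lengths of the samples quoted above (40 and 16+86 characters) but are not stated in the post, and all function names are mine.

```python
"""Added example, not RT code.  Scheme details are ASSUMPTIONS from memory of
RT's User code, consistent with the quoted sample lengths but not stated in
the post.  Function names are hypothetical."""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple


def hash_md5_hex(password: str) -> str:
    """RT 3.8.8 and earlier (assumed): unsalted hex MD5, 32 characters."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_38_from_md5(md5_raw: bytes, salt: Optional[bytes] = None) -> str:
    """RT 3.8.9+ form written by vulnerable-passwords --fix (assumed):
    base64(salt[4] || SHA-256(salt || raw MD5(password))[:26]).
    30 raw bytes -> 40 base64 characters, the length seen in the post.
    Taking the raw MD5 as input is the point: the migration script only has
    the old hash, not the plaintext, and this form can be built from it."""
    salt = os.urandom(4) if salt is None else salt
    if len(salt) != 4 or len(md5_raw) != 16:
        raise ValueError("need a 4-byte salt and a 16-byte MD5 digest")
    digest = hashlib.sha256(salt + md5_raw).digest()[:26]
    return base64.b64encode(salt + digest).decode("ascii")


def hash_38(password: str, salt: Optional[bytes] = None) -> str:
    """Same 3.8.9+ form, computed from a plaintext password."""
    return hash_38_from_md5(hashlib.md5(password.encode("utf-8")).digest(), salt)


def hash_40(password: str, salt_b64: Optional[str] = None) -> str:
    """RT 4.0 form (assumed): 'sha512!<16-char base64 salt>!<unpadded base64
    SHA-512(salt_text || password)>', matching the shape of the quoted sample."""
    if salt_b64 is None:
        salt_b64 = base64.b64encode(os.urandom(12)).decode("ascii")
    if len(salt_b64) != 16:
        raise ValueError("salt must be 16 base64 characters")
    digest = hashlib.sha512(salt_b64.encode("ascii") + password.encode("utf-8")).digest()
    return "sha512!%s!%s" % (salt_b64, base64.b64encode(digest).decode("ascii").rstrip("="))


def classify(stored: str) -> str:
    """Name the generation of a stored value by prefix/length; 'unknown' is
    the case a verifier should log rather than silently reject."""
    if stored.startswith("sha512!"):
        return "4.0-sha512"
    if len(stored) == 40:
        return "3.8.9-salted-sha256"
    if len(stored) == 32:
        return "md5-hex"
    return "unknown"


def verify(stored: str, password: str) -> bool:
    """Constant-time check of password against whichever form is stored."""
    kind = classify(stored)
    if kind == "4.0-sha512":
        parts = stored.split("!")
        if len(parts) != 3 or len(parts[1]) != 16:
            return False
        return hmac.compare_digest(hash_40(password, parts[1]), stored)
    if kind == "3.8.9-salted-sha256":
        try:
            raw = base64.b64decode(stored, validate=True)
        except binascii.Error:
            return False
        if len(raw) != 30:
            return False
        return hmac.compare_digest(hash_38(password, raw[:4]), stored)
    if kind == "md5-hex":
        return hmac.compare_digest(hash_md5_hex(password), stored)
    return False


def login_and_migrate(stored: str, password: str) -> Tuple[bool, str]:
    """A successful login against a legacy form rewrites it in the newest
    form.  Returns (accepted, value that should now be stored)."""
    if not verify(stored, password):
        return False, stored
    if classify(stored) != "4.0-sha512":
        stored = hash_40(password)
    return True, stored


if __name__ == "__main__":
    # Sample values copied from the post; only the MD5 one can be checked
    # here, since the other two depend on RT's real salts and scheme.
    for sample in ("5f4dcc3b5aa765d61d8327deb882cf99",
                   "vrNwQBRT8po3vRIynSzBv/WFu7L9eTlgR+Q+kT0W",
                   "sha512!Gox1IONnOaZJR6ke!fjo4C+IgBK31K/AD1Zx6wP639v1dc1RSji8jRDC153Nc9OScGD8yZ8aducT8wWTPEdMf5pnNccTMAe3ikb6OFw"):
        print(classify(sample), sample[:20])
    accepted, new_value = login_and_migrate("5f4dcc3b5aa765d61d8327deb882cf99", "password")
    print(accepted, classify(new_value))
```

The practical check this gives you during an upgrade like Henti's: run `classify()` over the Password column before and after each stage. After the 3.8.14 `vulnerable-passwords --fix` step every row should be in the 40-character form, and after logging in on 4.0.7 the row should flip to the `sha512!` form; a row that comes back as `unknown` is the first thing to look for in the debug-level log Kevin asks for.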