[rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3)

Adrian Stel adisan82 at gmail.com
Wed Nov 16 04:09:44 EST 2011


Hi,


DBI.pm
 this is the place with p_enc_sub:


sub GetAuth {

    my ($service, $username, $password) = @_;

    my $config = $RT::ExternalSettings->{$service};
    $RT::Logger->debug( "Trying external auth service:",$service);

    my $db_table        = $config->{'table'};
    my $db_u_field      = $config->{'u_field'};
    my $db_p_field          = $config->{'p_field'};
    my $db_p_enc_pkg    = $config->{'p_enc_pkg'};
    my $db_p_enc_sub    = $config->{'p_enc_sub'};
    my $db_p_salt       = $config->{'p_salt'};



Place where the password is submitted to that method as a string parameter.

In my opinion it could be here:

  # Get the user's password from the database query result
    my $pass_from_db = $results_hashref->{$username}->{$db_p_field};

    # This is the encryption package & subroutine passed in by the config file
    $RT::Logger->debug( "Encryption Package:",
                        $db_p_enc_pkg);
    $RT::Logger->debug( "Encryption Subroutine:",
                        $db_p_enc_sub);

    # Use config info to auto-load the perl package needed for password encryption
    # I know it uses a string eval - but I don't think there's a better way to do this
    # Jump to next external authentication service on failure
    eval "require $db_p_enc_pkg" or
        $RT::Logger->error("AUTH FAILED, Couldn't Load Password Encryption Package. Error: $@") && return 0;

    my $encrypt = $db_p_enc_pkg->can($db_p_enc_sub);
    if (defined($encrypt)) {
        # If the package given can perform the subroutine given, then use it to compare the
        # password given with the password pulled from the database.
        # Jump to the next external authentication service if they don't match
        if(defined($db_p_salt)) {
            $RT::Logger->debug("Using salt:",$db_p_salt);
            if(${encrypt}->($password,$db_p_salt) ne $pass_from_db){
                $RT::Logger->info(  $service,
                                    "AUTH FAILED",
                                    $username,
                                    "Password Incorrect");
                return 0;
            }
        } else {
            if(${encrypt}->($password) ne $pass_from_db){
                $RT::Logger->info(  $service,
                                    "AUTH FAILED",
                                    $username,
                                    "Password Incorrect");
                return 0;
            }
        }
    } else {
        # If the encryption package can't perform the request subroutine,
        # dump an error and jump to the next external authentication service.
        $RT::Logger->error($service,
                            "AUTH FAILED",
                            "The encryption package you gave me (",
                            $db_p_enc_pkg,
                            ") does not support the encryption method you specified (",
                            $db_p_enc_sub,
                            ")");
        return 0;
    }


But I'm not sure where exactly. And how I can convert a string to a hash.

I'm not familiar with Perl ;/



Best
Adrian

2011/11/15 Zordrak <zordrak at tpa.me.uk>:
> Adrian Stel wrote:
>> Hi,
>>
>>
>> Can't use string ("user password") as a HASH ref while "strict refs"
>> in use at /usr/local/share/perl/5.10.1/Authen/Passphrase/PHPass.pm
>> line 278.
>>
>> Problem is with type of user password.
>>
>> Still need to know where I should search.
>
> Search for the text "p_enc_sub". There's only one place it should be
> defined and it will be very close to where the password is submitted to
> that method as a string parameter.
> --
> Zordrak
> zordrak at tpa.me.uk
>
>



-- 
Regards
Adrian Stelmaszyk
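
The "Can't use string ... as a HASH ref" error quoted above is consistent with PHPass's `match` being invoked the way GetAuth invokes `p_enc_sub`: as a plain function whose first argument is the password, where the module expects an object built from the stored hash. The following is an added example, not code from the original post or from RT::Authen::ExternalAuth; `phpass_check` is a hypothetical helper, the sample hash is constructed at run time, and the `$H$` prefix handling assumes phpBB3's portable-hash format.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::Passphrase::PHPass;

# Hypothetical helper (not part of RT::Authen::ExternalAuth).
# A PHPass hash carries its own salt and cost, so the stored value has to
# be parsed first; hashing the candidate password alone and comparing with
# "ne", as GetAuth does, cannot reproduce it.
sub phpass_check {
    my ($password, $pass_from_db) = @_;
    return 0 unless defined $password && defined $pass_from_db;

    # Assumption: phpBB3 writes the portable hash with a "$H$" prefix,
    # while the module parses the "$P$" form of the same format.
    (my $crypt = $pass_from_db) =~ s/\A\$H\$/\$P\$/;

    # from_crypt croaks on malformed input; treat that as a failed login.
    my $ppr = eval { Authen::Passphrase::PHPass->from_crypt($crypt) };
    return 0 unless $ppr;

    # match() is an object method: $ppr is the invocant and the candidate
    # password is its argument.
    return $ppr->match($password) ? 1 : 0;
}

# Constructed sample: a hash shaped like the value in the p_field column.
my $stored = Authen::Passphrase::PHPass->new(
    cost => 8, salt_random => 1, passphrase => 'correct horse',
)->as_crypt;
$stored =~ s/\A\$P\$/\$H\$/;

for my $try ('correct horse', 'wrong guess') {
    printf "%-15s %s\n", $try,
        phpass_check($try, $stored) ? 'accepted' : 'rejected';
}
printf "%-15s %s\n", 'malformed hash',
    phpass_check('correct horse', 'not-a-hash') ? 'accepted' : 'rejected';

# The call shape from the thread: the password string becomes the invocant.
my $match = Authen::Passphrase::PHPass->can('match');
eval { $match->('correct horse'); 1 }
    or print "plain function call died: $@";
```

Because the helper needs both the submitted password and `$pass_from_db`, it cannot be dropped in as `p_enc_sub` unchanged; the comparison in GetAuth would have to pass the stored hash to it.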


