[rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
Adrian Stel
adisan82 at gmail.com
Wed Nov 16 07:27:06 EST 2011
Hi,
I get some info from PHPass but I don't know how use it ;/ any
sugestion from your site ?
>'p_enc_pkg' => 'Authen::Passphrase::PHPass',
>'p_enc_sub' => 'cost',
The comment above, the example below, and a bit of googling all show that
p_enc_pkg and p_enc_sub are together meant to name a hash function.
Your password string will be passed through the function, and the
resulting hash value is then managed by RT. The clearest example:
>#'p_enc_pkg' => 'Crypt::MySQL',
>#'p_enc_sub' => 'password41',
Crypt::MySQL::password41() is a function to which you pass a password
string and it returns a hash. For example, password41("hunter2") returns
"*58815970BE77B3720276F63DB198B1FA42E5CC02".
Authen::Passphrase::PHPass::cost is not a hashing function. It's
not meant to be called as a standalone function at all. It's the
implementation of the ->cost method on the Authen::Passphrase::PHPass
class, and so expects to be passed an A:P:PHPass object, not a string.
A:P:PHPass doesn't actually expose the hash function on its own, so you
can't use it this way.
In fact, the PHPass hash algorithm *can't* be properly used by RT,
because it takes a salt input, and apparently RT can't perform salting.
(There's a p_salt parameter, which appears to be a *fixed* salt, defeating
the purpose.)
You could write a wrapper function around A:P:PHPass that creates a
recogniser for a supplied password and then just extracts the hash.
The wrapper would have to fix the cost parameter and the salt. It looks
like this:
use Authen::Passphrase::PHPass ();
sub phpass_10_aaaaaaaa($) {
return Authen::Passphrase::PHPass->new(
cost=>10,
passphrase=>$_[0],
salt=>"aaaaaaaa",
)->hash_base64;
}
phpass_10_aaaaaaaa("hunter2") returns "LvYU3dRamxKB1.lRa4ow1/". *This*
is a hash function and could be used by RT via p_enc_pkg and p_enc_sub.
It's a bit of an abstraction inversion to use A:P:PHPass just for
its hash function. If A:P:PHPass were wrapping some other module
that just provides the hash then I'd point you at the other module.
Most A:P modules do this, such as A:P:MySQL323 wrapping Crypt::MySQL.
But A:P:PHPass implements the hash itself. Also, if there were a module
exposing the PHPass algorithm on its own, you'd still have to write a
wrapper, because of the cost parameter that RT has no idea how to handle.
2011/11/16 Adrian Stel <adisan82 at gmail.com>:
> Hi,
>
>
> DBI.pm
> this is the place with p_enc_sub:
>
>
> sub GetAuth {
>
> my ($service, $username, $password) = @_;
>
> my $config = $RT::ExternalSettings->{$service};
> $RT::Logger->debug( "Trying external auth service:",$service);
>
> my $db_table = $config->{'table'};
> my $db_u_field = $config->{'u_field'};
> my $db_p_field = $config->{'p_field'};
> my $db_p_enc_pkg = $config->{'p_enc_pkg'};
> my $db_p_enc_sub = $config->{'p_enc_sub'};
> my $db_p_salt = $config->{'p_salt'};
>
>
>
> Place where the password is submitted to that method as a string parameter.
>
> In my opinion could be here:
>
> # Get the user's password from the database query result
> my $pass_from_db = $results_hashref->{$username}->{$db_p_field};
>
> # This is the encryption package & subroutine passed in by the config file
> $RT::Logger->debug( "Encryption Package:",
> $db_p_enc_pkg);
> $RT::Logger->debug( "Encryption Subroutine:",
> $db_p_enc_sub);
>
> # Use config info to auto-load the perl package needed for
> password encryption
> # I know it uses a string eval - but I don't think there's a
> better way to do this
> # Jump to next external authentication service on failure
> eval "require $db_p_enc_pkg" or
> $RT::Logger->error("AUTH FAILED, Couldn't Load Password
> Encryption Package. Error: $@") && return 0;
>
> my $encrypt = $db_p_enc_pkg->can($db_p_enc_sub);
> if (defined($encrypt)) {
> # If the package given can perform the subroutine given, then
> use it to compare the
> # password given with the password pulled from the database.
> # Jump to the next external authentication service if they don't match
> if(defined($db_p_salt)) {
> $RT::Logger->debug("Using salt:",$db_p_salt);
> if(${encrypt}->($password,$db_p_salt) ne $pass_from_db){
> $RT::Logger->info( $service,
> "AUTH FAILED",
> $username,
> "Password Incorrect");
> return 0;
> }
> } else {
> if(${encrypt}->($password) ne $pass_from_db){
> $RT::Logger->info( $service,
> "AUTH FAILED",
> $username,
> "Password Incorrect");
> return 0;
> }
> }
> } else {
> # If the encryption package can't perform the request subroutine,
> # dump an error and jump to the next external authentication service.
> $RT::Logger->error($service,
> "AUTH FAILED",
> "The encryption package you gave me (",
> $db_p_enc_pkg,
> ") does not support the encryption method
> you specified (",
> $db_p_enc_sub,
> ")");
> return 0;
> }
>
>
> But i'm not shure where exactly. And how I can convert string to hash.
>
> I'm not familiar with perl ;/
>
>
>
> Best
> Adrian
>
> 2011/11/15 Zordrak <zordrak at tpa.me.uk>:
>> Adrian Stel wrote:
>>> Hi,
>>>
>>>
>>> Can't use string ("user password") as a HASH ref while "strict refs"
>>> in use at /usr/local/share/perl/5.10.1/Authen/Passphrase/PHPass.pm
>>> line 278.
>>>
>>> Problem is with type of user password.
>>>
>>> Still need to know where I should search.
>>
>> Search for the text "p_enc_sub". There's only one place it should be
>> defined and it will be very close to where the password is submitted to
>> that method as a string parameter.
>> --
>> Zordrak
>> zordrak at tpa.me.uk
>>
>>
>
>
>
> --
> Pozdrawiam
> Adrian Stelmaszyk
>
--
Pozdrawiam
Adrian Stelmaszyk
More information about the rt-users
mailing list