Support for Redmine password hash

  • Resolved jamasi

    (@jamasi)


    4 years, 7 months ago

    Hi,
    I’m in the process of trying to get your very nice plugin set-up.

    I’m trying to have it authenticate against a Redmine DB and created some custom views to present the data in a more “natural” way to your plugin.
    Now I’m stuck on the hash. Redmine is using salted sha1 hashes but is using this form:

    Hash_row = SHA1( salt + SHA1( password ) )

    So you compute SHA1 for your password, then concatenate it with salt, stored in the salt row, then calculate SHA1 again for the whole concatenated string.

    I don’t think there’s an option for this, yet, but I guess it should be pretty easy to also support it.

    Thanks for looking into this.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author tbenyon

    (@tbenyon)

    Hey @jamasi,

    Apologies for the delayed response. Yes it can but just requires the use of a filter your end.

    If you go to the FAQ and look at the exlog_hook_filter_authenticate_hash hook there’s some instruction in there about how to write your custom hashing algorithm.

    I have not tested this code but yours would look something like this:

    
function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
    // If getting the salt this way does not work you could hard code the salt here if it is safe to do so in your implementation
    $salt = exlog_get_option("external_login_option_db_salt");

    $calculatedHashStep1 = hash('sha1', $password);
    $calculatedHashStep2 = hash('sha1', $salt . $calculatedHashStep1);
    
    return $hashFromDatabase == $calculatedHashStep2;
}
add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);

    I’ve purposely written this out in a slightly longer format to make it easier to read.

    Let me know how you get on ??

    Thread Starter jamasi

    (@jamasi)

    Hi @tbenyon,

    Thank you for your reply. In the meantime I also fond this hook, but for someone who is not into wordpress code that much the documentation could be a little more verbose.

    I think your code will not work, as the salt is coming from another column of the DB table and thus it is per user. I suppose $externalUserData might have a reference to this, but info on how one could access it would be something I’d really like to find in the docs for this hook.

    Also info on where to put his hook would be needed as putting custom code into the functions.php of the theme seems to be discouraged in general.

    All of this might seem pretty obvious for someone who has been developing wordpress plugins for some time, but for a mere user/admin of a wordpress site it’s quite some digging through the complexity monster of php code that wordpress is.

    Thread Starter jamasi

    (@jamasi)

    After digging into the source of wordpress, I suppose,

    function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
	$user_specific_salt = $externalUserData[$db_data["dbstructure_salt"]];
	$algorithm = 'sha1';
	$innerHash = hash($algorithm, $password);
	$hashCalc = hash($algorithm, $user_specific_salt . $innerHash);

    return password_verify($hashCalc, $hashFromDatabase);
}
add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);

    should work. Still I wonder what settings to use in the configuration page to activate it.

    Thread Starter jamasi

    (@jamasi)

    Sorry to be a nuisance, but how can I debug if the hook is installed? So far I get correct looking data from the connection test, but I cannot login with any user.

    Plugin Author tbenyon

    (@tbenyon)

    Hey @jamasi,

    for someone who is not into wordpress code that much the documentation could be a little more verbose.

    You’re right that the documentation is aimed at people who already know and use WordPress. It’s always a balance of getting the right level of detail but I will take on your feedback.

    Also info on where to put his hook would be needed as putting custom code into the functions.php of the theme seems to be discouraged in general.

    Functions.php is an ok place to put code. Unless you want to learn more WordPress I would encourage it. If you want to Google it, my personal belief is that best practice in most situations like this would be to create a custom plugin and add this to the mu-plugins directory so that it is code that does not need to be activated (and can’t be deactivated) in the admin area. How far you want to go in your learning is your call.

    I appreciate this is daunting but how these things work is not in the scope of this plugin. There are many forums and guides out there to teach these basics. Alternatively, there are plenty of developers who would happily take on the paid work if you need support beyond what the plugin is doing.

    I think your code will not work, as the salt is coming from another column of the DB table and thus it is per user.

    As I think you later realised I added a line that should do what you want to achieve.
    $user_specific_salt = $externalUserData[$db_data["dbstructure_salt"]];
    Make sure however you you set the field mapping in the External Login settings for the salt field.

    After digging into the source of wordpress, I suppose, [your code]
    should work. Still I wonder what settings to use in the configuration page to activate it.

    Any code you put in functions.php will run with every request to the site, including when someone tries to login and the plugin is used.

    Sorry to be a nuisance, but how can I debug if the hook is installed? So far I get correct looking data from the connection test, but I cannot login with any user.

    You can add error_logs in php to output data. The tricky thing is finding exactly where they will output to on your setup. You will have to investigate this yourself as there are so many variables that will be factor.

    To help make sure you have some logs showing I would recommend adding the following lines to the top of your functions.php file. If you can see these logs, you can then start adding similar lines elsewhere to check values and see if the code reached certain points:

    
error_log(var_export('EXLOG START!!!!', true));
$someTestData = 'quick test';
error_log(var_export($someTestData, true));
error_log(var_export('EXLOG END!!!!', true));

    I would expect to see the following three outputs in your PHP error logs:

    
EXLOG START!!!!
quick test
EXLOG END!!!!

    I hope all of this helps,

    Tom

    Plugin Author tbenyon

    (@tbenyon)

    Hey @vynnus,

    Haven’t heard back from you for a while so I’m going to assume this is resolved.

    If not, don’t hesitate to get back in contact and we’ll see what we can do ??

    Thanks,

    Tom ??

    Thread Starter jamasi

    (@jamasi)

    Thanks to your help I got it working.

    In case sb. else is looking for the correct hook:

    function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
  // $salt = exlog_get_option("external_login_option_db_salt");
  $salt = $externalUserData[$db_data["salt"]];

  $algorithm = 'sha1';
  $calc1 = hash($algorithm, $password);
  $calc2 = hash($algorithm, $salt . $calc1);
    
  return $hashFromDatabase = $calc2;
}
add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);
    Plugin Author tbenyon

    (@tbenyon)

    Hey @jamasi,

    Great job on getting it sorted!!! ??

    Also very much appreciate you sharing your solution for the next developer who comes along ??

    If you get a minute, I’d be grateful if you could write a review or even buy me a beer.

    Thanks again,

    Tom ??

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Support for Redmine password hash’ is closed to new replies.

Tags