Gossamer Forum

uploading user db with encrypted passwords

I'm in the process of upgrading a flatfile database to DBMan SQL and I've run into a bit of a jam with the users.pass file. This file is similar to an .htpasswd file, with a little extra information for storing user permissions. The problem is that the passwords in this file are encrypted, and it appears that DBManSQL stores its passwords unencrypted. Does anyone have any suggestions on how I might decrypt the users.pass file for uploading purposes?

Fractured Atlas :: Liberate the Artist
Services: Healthcare, Fiscal Sponsorship, Marketing, Education, The Emerging Artists Fund
Re: [hennagaijin] uploading user db with encrypted passwords
The encryption is designed in a way that it is not possible to generate the plaintext passwords from the encrypted passwords. You could try a dictionary attack. ;)

Jasper

http://www.bookings.org
Re: [jaspercram] uploading user db with encrypted passwords
Yeah, that's what I figured. I think what I'll probably have to do is upload the encrypted versions to the users table, then hack Authenticate.pm so that it checks both the plaintext version of the password entered by the user AND an encrypted version to see if either matches the value in the users table.

Only problem is, I'm not sure how to do that. Any suggestions?

Thanks for your help.

Fractured Atlas :: Liberate the Artist
Services: Healthcare, Fiscal Sponsorship, Marketing, Education, The Emerging Artists Fund
Re: [hennagaijin] uploading user db with encrypted passwords
That depends on the way your passwords are encrypted. The following modification might work (if you use MySQL):
Code:

sub auth_valid_user {
# -------------------------------------------------------------------
# This function returns 1 if the user/pass combo is valid, 0/undef
# otherwise.
#
    my $args  = shift;
    my $table = $args->{Table};

    # First query: match the password as stored plaintext.
    # Second query: match MySQL's ENCRYPT() of the supplied password; the
    # password is interpolated into the raw SQL string unescaped.
    return $DB->table($table)->select( { Username => $args->{Username}, Password => $args->{Password} }, ['Username'] )->rows
        || $DB->table($table)->select( { Username => $args->{Username}, Password => \"ENCRYPT('$args->{Password}')" }, ['Username'] )->rows;
}

Note that I didn't test the fix and that it slows down logging in....

Good luck, Jasper

http://www.bookings.org
Re: [jaspercram] uploading user db with encrypted passwords
Hi Jasper,

Thanks a lot for your help. Your code looks good to me, but unfortunately it doesn't seem to be working. I am using MySQL, for what it's worth.

Any other ideas?

Thanks again.

Fractured Atlas :: Liberate the Artist
Services: Healthcare, Fiscal Sponsorship, Marketing, Education, The Emerging Artists Fund
Re: [jaspercram] uploading user db with encrypted passwords
The following edit to Authenticate.pm seems to work:

Code:

sub auth_valid_user {
# -------------------------------------------------------------------
# This function returns 1 if the user/pass combo is valid, 0/undef
# otherwise.
#
    my $args  = shift;
    my $table = $args->{Table};
    my $sth   = $DB->table($table)->select( { Username => $args->{Username} }, ['Username', 'Password'] );
    if ($sth->rows) {
        my $userhash = $sth->fetchrow_hashref;
        if ($args->{Password} eq $userhash->{Password}) {
            # plaintext password matches
            return 1;
        }
        else {
            # check to see if encrypted version matches
            my $passwd = crypt($args->{Password}, $userhash->{Password});
            return ($passwd eq $userhash->{Password}) ? 1 : 0;
        }
    }
    return 0;
}

Fractured Atlas :: Liberate the Artist
Services: Healthcare, Fiscal Sponsorship, Marketing, Education, The Emerging Artists Fund
Re: [hennagaijin] uploading user db with encrypted passwords
What I'd like to do now is, anytime someone logs in with a plaintext password that matches an encrypted password in the database, automatically UPDATE the password in the database so that it is stored as plaintext instead. This would be useful for password retrieval functions and such.

Problem is, I'm not quite sure how to do this with Perl or GT libs. It doesn't seem like it should be too difficult though - just an UPDATE SQL query added to that last part of the subroutine. Any suggestions?

Thanks in advance.

Fractured Atlas :: Liberate the Artist
Services: Healthcare, Fiscal Sponsorship, Marketing, Education, The Emerging Artists Fund
Re: [hennagaijin] uploading user db with encrypted passwords
Okay, the following seems to work. I'd be grateful if some more expert eyes would take a look to see if this is really the best way to do this, though:

Code:

sub auth_valid_user {
# -------------------------------------------------------------------
# This function returns 1 if the user/pass combo is valid, 0/undef
# otherwise.
#
    my $args  = shift;
    my $table = $args->{Table};
    my $sth   = $DB->table($table)->select( { Username => $args->{Username} }, ['Username', 'Password'] );
    if ($sth->rows) {
        my $userhash = $sth->fetchrow_hashref;
        if ($args->{Password} eq $userhash->{Password}) {
            # user password is stored in plaintext
            return 1;
        }
        else {
            # check to see if password is encrypted
            my $passwd = crypt($args->{Password}, $userhash->{Password});
            if ($passwd eq $userhash->{Password}) {
                my $result = $DB->table($table)->update( { Password => $args->{Password} }, { Username => $args->{Username} } );
                return 1;
            }
            else {
                return 0;
            }
        }
    }
    return 0;
}

Fractured Atlas :: Liberate the Artist
Services: Healthcare, Fiscal Sponsorship, Marketing, Education, The Emerging Artists Fund
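
The login-time migration from the posts above, run in the other direction, as an added example (not code from the thread or from DBMan SQL): rows still holding plaintext are replaced by a crypt() hash on the first successful login, and hashed rows are checked by reusing the salt embedded in the stored hash. The in-memory %users table, its scheme column and the function names are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample rows (not from the thread). A hypothetical `scheme`
# column records which form each row holds, so a stored hash string is
# never compared as if it were a plaintext password.
my %users = (
    alice => { scheme => 'crypt', secret => crypt('correct horse', 'ab') },
    bob   => { scheme => 'plain', secret => 'hunter2' },
);

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Fresh two-character salt from the crypt(3) alphabet (unique, not secret).
sub new_salt {
    my @set = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    return join '', map { $set[ int rand @set ] } 1 .. 2;
}

# Returns 1 if the user/pass combo is valid, 0 otherwise. A legacy
# plaintext row is replaced by its crypt() hash on the first good login.
sub verify_and_upgrade {
    my ($table, $username, $password) = @_;
    my $row = $table->{$username} or return 0;
    if ($row->{scheme} eq 'crypt') {
        # crypt() reads the salt from the stored hash; a fresh random
        # salt (MySQL ENCRYPT() with no salt argument) would never match.
        return ct_eq(crypt($password, $row->{secret}), $row->{secret});
    }
    return 0 unless ct_eq($password, $row->{secret});
    @$row{qw(scheme secret)} = ('crypt', crypt($password, new_salt()));
    return 1;
}

print verify_and_upgrade(\%users, 'alice', 'correct horse'), "\n";       # hashed row, right password
print verify_and_upgrade(\%users, 'alice', $users{alice}{secret}), "\n"; # stored hash offered as password
print verify_and_upgrade(\%users, 'bob', 'hunter2'), "\n";               # plaintext row, upgraded here
print "$users{bob}{scheme}\n";                                           # bob's row after the upgrade
print verify_and_upgrade(\%users, 'bob', 'hunter2'), "\n";               # same password against the new hash
```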
Re: [hennagaijin] uploading user db with encrypted passwords
Looks just fine to this amateur. ;)

Jasper

http://www.bookings.org