Bug #6403
closed
Command-line user management does not handle hashed passwords
Description
From original ticket in the identity service redmine instance (https://projects.nceas.ucsb.edu/nceas/issues/862):
When I tried to add a user by running this command:
./authFileManager.sh useradd -h $2a$04$csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92 -dn uid=jing2,o=NCEAS,dc=ecoinformatics,dc=org
It showed the creation succeeded. However, the password field is not "$2a$04$csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92". So the logging in can't be successful.
The API - authFile.addUser works since the junit test can set the hashed password correctly.
This is a problem in the Metacat code base so I'm moving this here so we can more easily track the 2.4.0 release.
Updated by ben leinfelder almost 11 years ago
- Description updated (diff)
- Assignee set to Jing Tao
Updated by ben leinfelder almost 11 years ago
I dug around and found that the shell script decoded the bcrypt hash code. If the input (argument) is $2a$04$csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92, the shell script will change it to a-bash4.o7TTPC0oJOFmT2kQ/E92 (because the shell script doesn't like $)?
I found the only way to escape the string is to add two single quotes around the hash code. But double quotes don't work.
Here is the format of bcrypt hash:
- $2$, $2a$ or $2y$ identifying the hashing algorithm and format.
- A two digit value denoting the cost parameter, followed by $.
- A 53 characters long base-64-encoded value (they use the alphabet ., /, 0–9, A–Z, a–z that is different to the standard Base 64 Encoding alphabet) consisting of:
  - 22 characters of salt (effectively only 128 bits of the 132 decoded bits)
  - 31 characters of encrypted output (effectively only 184 bits of the 186 decoded bits)
Updated by ben leinfelder almost 11 years ago
I confirmed that the script doesn't like the "$" as a part of the argument. It will work if we remove the dollar sign part. However, we have to keep them.
Updated by ben leinfelder almost 11 years ago
- Status changed from New to In Progress
Updated by Jing Tao almost 11 years ago
I added a note to let the user know that the hashed password should be surrounded by single quotes.
Updated by ben leinfelder almost 11 years ago
- Status changed from In Progress to Closed
Tested this on my localhost and it works with single quotes.
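Added example (not part of the ticket or the Metacat code base): the shell sketch below reproduces the mangled value reported in this thread and shows a format check, built from the bcrypt layout quoted above, that a wrapper script could run on the -h value so a damaged hash is rejected instead of stored. The function names are hypothetical, and forcing $0 to -bash assumes the interactive login shell seen in the ticket.

```shell
#!/bin/sh
# Added example, not Metacat code. All function names are hypothetical.

# The hash from the ticket. Single quotes keep every "$" literal.
HASH='$2a$04$csilPspPJdMx8zt7L9XKXeUxZjkPgKZd.o7TTPC0oJOFmT2kQ/E92'

# Return 0 only if $1 has the bcrypt layout described in the ticket:
# "$2$", "$2a$" or "$2y$", a two-digit cost, "$", then 53 characters
# from the alphabet . / 0-9 A-Z a-z.
is_bcrypt_hash() {
    printf '%s\n' "$1" |
        grep -Eq '^\$2[ay]?\$[0-9]{2}\$[./0-9A-Za-z]{53}$'
}

# Reproduce what an unquoted or double-quoted argument turns into.
# A child shell re-parses the text inside double quotes, so it expands
# $2 (empty), $0 (forced to "-bash" here, an assumption matching a login
# shell) and the unset variable $csilPspPJdMx8zt7L9XKXeUxZjkPgKZd (empty).
# Demo only: the input is the constant above. Do not build command
# strings from untrusted text like this.
mangled_by_expansion() {
    sh -c "printf '%s' \"$1\"" -bash
}

# Guard for a wrapper script: refuse a -h value that is not a whole hash.
require_bcrypt_hash() {
    if ! is_bcrypt_hash "$1"; then
        echo "error: -h value is not a bcrypt hash; wrap it in single quotes" >&2
        return 1
    fi
}

MANGLED=$(mangled_by_expansion "$HASH")
echo "single-quoted  : $HASH"
echo "after expansion: $MANGLED"
require_bcrypt_hash "$HASH" && echo "accepted: intact hash"
require_bcrypt_hash "$MANGLED" || echo "rejected: mangled hash"
```

Run before the value is written to the password file, the guard turns the silent "creation succeeded" case from this ticket into an immediate error.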