Using a password that is stored in the database as a hash of the password+salt (bugzilla, subversion, Cyrus-SASL integration)
Barneck, Jared
Jared.Barneck at landesk.com
Fri Apr 16 19:48:53 EDT 2010
Hey all,
My goal is to have Subversion and Bugzilla share the same users by
pointing Subversion to Cyrus-SASL and pointing Cyrus-SASL at the
bugzilla database. I have spent enough time searching the internet,
reading the manuals, and reading posts to know that there isn't a simple
answer to this in a doc.
Seems to me there should be a post somewhere called: How to make
subversion and bugzilla share users? It seems it would be a common
configuration to me but maybe it is not.
I have Cyrus-SASL successfully using a database if the password field is
clear text. Subversion is successfully configured to use Cyrus-SASL and
authentication works with this Cyrus-SASL config.
However, Bugzilla creates a SHA256 hash and also appends two strings:
1. It salts the password before hashing. (I am still researching this)
2. It appends the following string to the stored hash: {SHA256}
Is there a way to make Cyrus-SASL use the MD5, SHA1, or SHA256 hash
instead of clear text?
(In this case it is SHA256)
Is there a way to handle the appended string: {SHA256}
Here is my clear text setup that works with a clear text database:
FreeBSD 7.2
cyrus-sasl-2.1.23
subversion-1.6.6
Here is a file that works with a Clear Text password:
# svn.conf.ClearTextDatabasePassword
log_level: 7
pwcheck_method: auxprop
mech_list: plain sha1
auxprop_plugin: sql
sql_hostnames: localhost
sql_engine: mysql
sql_user: root
sql_passwd: pw
sql_database: UserDB
sql_select: SELECT password FROM users WHERE username='%u'
I have been through the documentation and I thought maybe it was sql_mda
but that didn't work when I added this line:
sql_mda=sha1
Bugzilla has a table called "profiles" with two interesting columns:
login_name           cryptpassword
user1 at domain.tld  CLm15URgJ3uFYDG5pz9mO2vtxJ3PVKZlrpnLT2h8HJqMwO33ML0{SHA-256}
user2 at domain.tld  oToF0zutirqQXF6BbuAPljJkGaupY5KhHjGPPB8qC9QPkWOEcs0{SHA-256}
Here is what I have to try to work with Bugzilla:
# svn.conf.ClearTextDatabasePassword
log_level: 7
pwcheck_method: auxprop
mech_list: plain sha1
auxprop_plugin: sql
sql_hostnames: localhost
sql_engine: mysql
sql_user: root
sql_passwd: pw
sql_database: bugzilladb
sql_select: SELECT cryptpassword FROM profiles WHERE login_name='%u'
Here is a sample result of that query:
SELECT cryptpassword FROM profiles WHERE login_name=user1 at domain.tld'
-> ;
+--------------------------------------------------------------+
| cryptpassword |
+--------------------------------------------------------------+
| CLm15URgJ3uFYDG5pz9mO2vtxJ3PVKZlrpnLT2h8HJqMwO33ML0{SHA-256} |
+--------------------------------------------------------------+
1 row in set (0.00 sec)
So the password is going to be passed in clear text to Cyrus-SASL. The
database is going to return a SHA256 hash of the password with this
string appended to it: {SHA-256}
So the password, I assume, does a string compare. Such a compare is
currently going to look like this, which obviously doesn't work:
ClearTextPassword ==
oToF0zutirqQXF6BbuAPljJkGaupY5KhHjGPPB8qC9QPkWOEcs0{SHA-256}
I am fuzzy on who compares the password strings: Cyrus-SASL or
Subversion. It seems to me that Cyrus-SASL does.
So I need Cyrus-SASL to
1) obtain the salt
2) hash the password + salt
3) append the string {SHA-256}
1. Does Cyrus-SASL or Subversion handle the password comparison?
If Cyrus-SASL
- Can Cyrus-SASL do these two things (HASH and appended string) without
a code change?
If Subversion
- It seems the Subversion code would have to be changed to support this,
because from what I have read it doesn't.
Anyway, if I get this figured out, I promise to create a post on my
blog so no one ever asks this question again.
If I can't figure it out, I will probably settle for pointing them both
to Active Directory.
Thanks,
Jared Barneck
http://Rhyous.com