Using a password that is stored in the database as a hash of the password+salt (bugzilla, subversion, Cyrus-SASL integration)

Dan White dwhite at olp.net
Sat Apr 17 16:12:39 EDT 2010


On 16/04/10 17:48 -0600, Barneck, Jared wrote:
>My goal is to have Subversion and Bugzilla share the same users by
>pointing Subversion to Cyrus-SASL and pointing Cyrus-SASL at the
>bugzilla database.  I have spent enough time searching the internet,
>reading the manuals, and reading posts to know that there isn't a simple
>answer to this in a doc. 
>
>I have Cyrus-Sasl successfully using a database if the password field is
>clear text. Subversion is successfully configured to use Cyrus-SASL and
>authentication works with this Cyrus-SASL config.
>
>However, Bugzilla creates an SHA256 hash as well as appends two strings:
>
>1. It salts the password before hashing. (I am still researching this)
>2. It appends the following string to the stored hash: {SHA256}
>
>Is there a way to make Cyrus-SASL use the MD5, SHA1, or SHA256 hash
>instead of clear text? 
>(In this case it is SHA256)

For password based authentication, Cyrus prefers to have access to the
shared secret itself, otherwise it needs to make use of a password
verification service, such as saslauthd. It does not directly access hashes
of passwords (there is a patch that allows for md5 hashes in an auxprop
store).

># svn.conf.ClearTextDatabasePassword
>log_level: 7
>pwcheck_method: auxprop
>mech_list: plain sha1
>auxprop_plugin: sql
>sql_hostnames: localhost
>sql_engine: mysql
>sql_user: root
>sql_passwd: pw
>sql_database: UserDB
>sql_select: SELECT password FROM users WHERE username='%u'

'sha1' is not a valid mechanism.

>I have been through the documentation and I thought maybe it was sql_mda
>but that didn't work when I added this line:
>sql_mda=sha1 

sql_mda does not appear to be a valid sasl option.

>So the password is going to be passed in clear text to Cyrus-SASL.  The
>database is going to return a SHA256 hash of the password with this
>string appended to it: {SHA-256}
>
>So the password, I assume, does a string compare. Such a compare is
>currently going to look like this, which obviously doesn't work: 
>
>	ClearTextPassword ==
>oToF0zutirqQXF6BbuAPljJkGaupY5KhHjGPPB8qC9QPkWOEcs0{SHA-256}
>
>I am fuzzy on who compares the password strings: Cyrus-SASL or
>Subversion.  It seems to me that Cyrus-SASL does.  

Right, and when using pw_check_method: auxprop, that's not going to work.

>So I need Cyrus-SASL to 
>1) obtain the salt
>2) hash the password + salt
>3) append the string {SHA-256}
>
>1. Does Cyrus-SASL or Subversion handle the password comparison?

Typically this is done by way of saslauthd:

Set 'pw_check_method: saslauthd'

Start saslauthd with a '-a pam' option, which directs saslauthd to submit
the password to pam for verification.

The pam_unix module usually performs the crypt/md5/sha hashing to compare
with the provided password. See man pam_unix(8) for more information.
However, it doesn't appear to use the same format as bugzilla.

Two approaches come to mind:

1) Configure bugzilla to authenticate to PAM, and maintain your user
credentials externally to bugzilla.
2) Configure an nss mysql backend and use some mysql function or view to
reformat the sha-256 string that bugzilla uses into a format that pam_unix
can use (or maybe use crypt instead).

-- 
Dan White
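As an added example (not code from this thread, from Bugzilla or from Cyrus-SASL), here is what the three steps Jared lists (obtain the salt, hash password + salt, tag the result with {SHA-256}) look like as a small Python password verifier, placed next to the plain string compare the thread describes, which can never match a hashed entry. The stored-string layout assumed here (8-character salt prefix, unpadded base64 of SHA-256 over password + salt, trailing {SHA-256}) is an assumption modelled on Bugzilla 3.x's bz_crypt and is not stated in the thread; the salt and password values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import string
from typing import Optional, Tuple

# Assumed layout of a Bugzilla-style stored password (assumption modelled on
# Bugzilla 3.x bz_crypt; not code from Bugzilla or Cyrus-SASL):
#   <salt, 8 chars><base64(sha256(password + salt)) without '=' padding>{SHA-256}
SALT_LENGTH = 8
DIGEST_B64_LENGTH = 43  # 32-byte SHA-256 digest -> 43 base64 chars once '=' is stripped
ALGORITHM_TAG = "{SHA-256}"
SALT_ALPHABET = string.ascii_letters + string.digits


def bz_crypt(password: str, salt: Optional[str] = None) -> str:
    """Produce a stored-password string in the assumed Bugzilla layout."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))
    salt = salt[:SALT_LENGTH]
    digest = hashlib.sha256(password.encode("utf-8") + salt.encode("utf-8")).digest()
    # Perl's Digest::SHA b64digest emits base64 without padding, so strip the '='.
    encoded = base64.b64encode(digest).decode("ascii").rstrip("=")
    return salt + encoded + ALGORITHM_TAG


def parse_stored(stored: str) -> Tuple[str, str]:
    """Split a stored string into (salt, unpadded base64 digest); ValueError if malformed."""
    if not stored.endswith(ALGORITHM_TAG):
        raise ValueError("unsupported hash format: missing {SHA-256} tag")
    body = stored[: -len(ALGORITHM_TAG)]
    if len(body) != SALT_LENGTH + DIGEST_B64_LENGTH:
        raise ValueError("unexpected length for salt + SHA-256 digest")
    return body[:SALT_LENGTH], body[SALT_LENGTH:]


def verify_password(password: str, stored: str) -> bool:
    """What a password verification service in front of the users table has to do:
    pull the salt out of the stored value, re-hash the candidate with it, compare."""
    try:
        salt, expected = parse_stored(stored)
    except ValueError:
        return False
    _, actual = parse_stored(bz_crypt(password, salt))
    # Constant-time compare so a mismatch does not leak where the digests diverge.
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))


def naive_compare(password: str, stored: str) -> bool:
    """The plain string compare described in the thread: cleartext vs. hashed entry."""
    return password == stored


if __name__ == "__main__":
    stored = bz_crypt("correct horse", salt="abcdefgh")  # constructed sample values
    print(stored)
    print("verify ok:      ", verify_password("correct horse", stored))
    print("verify wrong pw:", verify_password("wrong", stored))
    print("naive compare:  ", naive_compare("correct horse", stored))
```

The point of parse_stored is the same one the thread makes: the {SHA-256} tag and the salt are part of the stored value, so whoever does the comparison has to know the layout; a cleartext auxprop lookup has no way to.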

