Patch for PHP created SHA512 with the format $6$

Hi,

I create passwords from PHP with a sha512 salted hash. This is written as
$6$rounds=5000$ etcetc

You have to import the python passlib, and then use that instead of the
custom checks.
Here’s a patch for it. I assume supporting SHA256 and SHA1 in that format
would be pretty similar - but this one I did test, and it is functional.

— SQLIdResolver.py.orig 2016-07-13 10:34:02.198429076 -0500
+++ SQLIdResolver.py 2016-07-14 13:51:05.433688880 -0500
@@ -35,6 +35,8 @@
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker

+from passlib.hash import sha512_crypt+
import traceback
from base64 import (b64decode,
b64encode)
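Review bot: the unconditional `+from passlib.hash import sha512_crypt` at module level makes passlib a hard dependency of SQLIdResolver.py, so the resolver stops importing on any host without passlib installed, not only when a `$6$` hash is encountered; add passlib to the project's dependency list alongside this hunk, or guard the import (`try: ... except ImportError: sha512_crypt = None`) and have the new branch log and set `res = False` when it is unavailable.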
@@ -360,6 +362,8 @@
PH = PasswordHash()
res = PH.check_password(password, userinfo.get(“password”))
# check salted hashed passwords

  •   elif database_pw[:2] == "$6":
    
  •       res = sha512_crypt.verify(password, userinfo.get("password"))
       elif database_pw[:6].upper() == "{SSHA}":
           res = _check_ssha(database_pw, password, hashlib.sha1, 20)
       elif database_pw[:9].upper() == "{SSHA256}":
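Review bot: `database_pw[:2] == "$6"` is too loose a guard for the new branch: any stored value that merely begins with `$6` (a truncated row, a non-crypt string) is routed to `sha512_crypt.verify`, which raises `ValueError` on a malformed hash instead of returning False, so a bad row becomes an exception in the resolver rather than a failed login. Use `sha512_crypt.identify(database_pw)` (or at least `database_pw.startswith("$6$")`) as the condition and wrap the call in `try/except ValueError` that sets `res = False`. Also pass `database_pw` rather than `userinfo.get("password")`, as the sibling `{SSHA}` branches do, so the branch verifies the same value it just tested. The `rounds=5000$` prefix produced by PHP needs no special handling: passlib reads the rounds parameter from the hash string itself.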

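To make concrete what a `$6$rounds=5000$...` string from PHP contains and what `sha512_crypt.verify` has to do with it, here is an added example that is not code from this thread or from privacyIDEA: the SHA-crypt `$6$` scheme implemented in pure Python from its public specification, with a strict parser in front of it so that a truncated or non-crypt stored value yields `False` instead of an exception. The function names `sha512_crypt`, `parse_sha512_crypt` and `verify` are my own; the test vector in the `__main__` block is the one published with the SHA-crypt specification, not data from the thread. In a real resolver you would keep calling passlib as the patch does; the point here is the format and the input validation around it.

```python
import hashlib
import hmac

# crypt(3) alphabet: not standard base64, no padding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999999999
SALT_MAX = 16        # the scheme silently truncates longer salts
CHECKSUM_LEN = 86    # 64 digest bytes -> 21 * 4 + 2 characters


def _b64_from_24bit(b2, b1, b0, n):
    """Emit n characters of the 24-bit word (b2<<16 | b1<<8 | b0), low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _encode(c):
    """Spec byte permutation: triples (i, i+21, i+42) mod 63 for i = 22*k mod 63, then byte 63."""
    s = "".join(_b64_from_24bit(c[i], c[(i + 21) % 63], c[(i + 42) % 63], 4)
                for i in ((22 * k) % 63 for k in range(21)))
    return s + _b64_from_24bit(0, 0, c[63], 2)


def sha512_crypt(password, salt, rounds=None):
    """$6$ hash of password (bytes) with salt (bytes). rounds=None is the default
    5000 and is not echoed; an explicit value is clamped and echoed as rounds=N$."""
    custom = rounds is not None
    rounds = ROUNDS_DEFAULT if rounds is None else max(ROUNDS_MIN, min(ROUNDS_MAX, rounds))
    salt = salt[:SALT_MAX]
    H = hashlib.sha512
    b = H(password + salt + password).digest()      # digest B
    ctx = H(password + salt)                          # digest A starts here
    n = len(password)
    while n > 64:                                     # one byte of B per password byte
        ctx.update(b)
        n -= 64
    ctx.update(b[:n])
    n = len(password)
    while n > 0:                                      # binary expansion of len(password)
        ctx.update(b if n & 1 else password)
        n >>= 1
    a = ctx.digest()
    # Sequences P and S: digests of the repeated password / salt, cut to length
    dp = H(password * len(password)).digest()
    p = (dp * (len(password) // 64 + 1))[:len(password)]
    ds = H(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]
    c = a                                             # the expensive chained rounds
    for i in range(rounds):
        ctx = H()
        ctx.update(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    prefix = "$6$" + ("rounds=%d$" % rounds if custom else "")
    return prefix + salt.decode("ascii") + "$" + _encode(c)


def parse_sha512_crypt(hash_string):
    """Split '$6$[rounds=N$]salt$checksum' into (rounds or None, salt, checksum).
    Returns None for anything malformed so junk is never handed to the KDF."""
    if not hash_string.startswith("$6$"):
        return None
    parts = hash_string[3:].split("$")
    rounds = None
    if parts and parts[0].startswith("rounds="):
        try:
            rounds = int(parts[0][len("rounds="):])
        except ValueError:
            return None
        parts = parts[1:]
    if len(parts) != 2:
        return None
    salt, checksum = parts
    # Stricter than crypt(3): only alphabet characters in salt and checksum
    if len(checksum) != CHECKSUM_LEN or any(ch not in ITOA64 for ch in salt + checksum):
        return None
    return rounds, salt, checksum


def verify(password, hash_string):
    """True only for a well-formed $6$ string matching password; a malformed
    stored value is a failed login, not an exception."""
    parsed = parse_sha512_crypt(hash_string)
    if parsed is None:
        return False
    rounds, salt, checksum = parsed
    computed = sha512_crypt(password.encode("utf-8"), salt.encode("utf-8"), rounds)
    return hmac.compare_digest(computed.rsplit("$", 1)[1], checksum)  # constant time


if __name__ == "__main__":
    # Test vector from the SHA-crypt specification (password "Hello world!")
    spec = "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1"
    print(verify("Hello world!", spec), verify("Hello world!", "$6"))
```

Running the module prints `True False`: the specification vector verifies, while the bare `$6` string that a two-character prefix check would also route to the `$6$` branch is rejected by the parser before any hashing happens. Explicit `rounds=5000$` in the stored string and the implicit default produce the same checksum, which is why passlib can verify the PHP output without being told the round count.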
Hi Rick,

would you like to add a Pull Request on github?
…and don't forget to put your name in the header of the file
SQLIdResolver.py…

Then we can work on and add this change. (Maybe also add a test for this
password scheme.)

Kind regards
Cornelius

Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/3040457c-eb89-445b-a5d7-ca80906c5e88%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hello Rick,

which version of passlib are you using?
Can you please provide one or two data sets for testing?

The clear text passwords and the hashed string?
This should be added to the automated unit tests…

Thanks a lot
Cornelius

