
This queue is for tickets about the RT-Authen-ExternalAuth CPAN distribution.

Report information
The Basics
Id: 82588
Status: open
Priority: 0/
Queue: RT-Authen-ExternalAuth

People
Owner: Nobody in particular
Requestors: viktor.larionov [...] salva.ee
Cc: RINGERC [...] cpan.org
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)



Subject: RT-Authen-ExternalAuth modification
Date: Wed, 9 Jan 2013 19:05:46 +0200
To: <tsibley [...] cpan.org>
From: Viktor Larionov <Viktor.Larionov [...] salva.ee>
Hi Thomas!

First of all thanks a million for a great job you've done with RT::Authen::ExternalAuth. Great stuff. We use it to allow certain groups of our users to our internal RT instance.

Here http://requesttracker.wikia.com/wiki/ExternalAuth#RT::Authen::ExternalAuth you have mentioned, you'd like to hear about updates to your code done by end-users, so I thought our minor change could be of use also.

The case with us, is that passwords on our database are encrypted using Crypt::PasswdMD5 with salt residing inside the hash. (the good old unix way, you know)

RT::Authen::ExternalAuth by default can deal only with a static salt, as far as I understood, so we did a quick and dirty update to your original code in order to fix that.

An update looks like this (sorry for not making a nice and shiny diff):

File: T-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm, line 80:

    # A stored hash of the form $<digit>$<salt>$<hash> carries its own salt.
    if($pass_from_db =~ /\A\$[0-9]\$([^\$]+)\$.+\Z/) {
        $RT::Logger->info($service, "Supplied password hash contains a salt, extracting and using it instead of static.");
        $db_p_salt = $1;
    }

Works like a charm.

Cheers!
Viktor "vik" Larionov
head of IT ops, Salva Insurance plc., Tallinn, Estonia

Viktor Larionov
Head of IT department
IT department
Salva Kindlustuse AS
Tel: (+372) 683 0630 | GSM: (+372) 566 86811 | Viktor.Larionov@salva.ee | www.salva.ee
(SMX)338844
Subject: Re: [rt.cpan.org #82588] RT-Authen-ExternalAuth modification
Date: Thu, 10 Jan 2013 17:10:07 +0400
To: bug-RT-Authen-ExternalAuth [...] rt.cpan.org
From: Ruslan Zakirov <ruz [...] bestpractical.com>
Hi,

I see what you've done, it's not bad. Can you take a look at dbi-password-check-callback code branch? It allows you to do the same with a callback without bringing in every possible hashing into the module.

--
Best regards, Ruslan.
Subject: RE: [rt.cpan.org #82588] RT-Authen-ExternalAuth modification
Date: Thu, 10 Jan 2013 15:23:39 +0200
To: <bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From: Viktor Larionov <Viktor.Larionov [...] salva.ee>
Hi Ruslan!

As a quick look I have a feeling that dbi-password-check-callback patch could be just the right thing, to make this change more elegant. I'll give it a try in the coming days and give you feedback.

Thanks!

Cheers,
vik

Viktor Larionov
Head of IT department
IT department
Salva Kindlustuse AS
Tel: (+372) 683 0630 | GSM: (+372) 566 86811 | Viktor.Larionov@salva.ee | www.salva.ee
(SMX)338844

-----Original Message-----
From: Ruslan Zakirov via RT [mailto:bug-RT-Authen-ExternalAuth@rt.cpan.org]
Sent: Thursday, January 10, 2013 3:10 PM
To: viktor.larionov@salva.ee
Subject: Re: [rt.cpan.org #82588] RT-Authen-ExternalAuth modification

<URL: https://rt.cpan.org/Ticket/Display.html?id=82588 >

Hi,

I see what you've done, it's not bad. Can you take a look at dbi-password-check-callback code branch? It allows you to do the same with a callback without bringing in every possible hashing into the module.

--
Best regards, Ruslan.
Subject: Re: [rt.cpan.org #82588] RT-Authen-ExternalAuth modification
Date: Thu, 10 Jan 2013 19:23:14 +0200
To: <bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From: Viktor Larionov <Viktor.Larionov [...] salva.ee>
Hi Ruslan!

Tried dbi-password-check-callback and it's exactly what I needed. And simple as 1,2,3.

Just for mentioning what I did:

1. Applied the patch.

2. Added these lines to RT_SiteConfig.pm:

    Set($ExternalPasswordCheckCallback, sub {
        require Crypt::PasswdMD5;
        my $salt = undef;
        # $_[0] is the value the result is compared against, $_[1] is the
        # password that gets hashed. A value of the form
        # $<digit>$<salt>$<hash> carries its own salt.
        if($_[0] =~ /\A\$[0-9]\$([^\$]+)\$.+\Z/) {
            $RT::Logger->debug("ExternalPasswordCheckCallback", "Supplied password hash contains a salt, extracting and using it.");
            $salt = $1;
            $RT::Logger->debug("ExternalPasswordCheckCallback", "Using salt: $salt");
        }
        return((Crypt::PasswdMD5::unix_md5_crypt($_[1], $salt) eq $_[0]));
    } );

3. Added a field p_check, with value of $RT::ExternalPasswordCheckCallback to external service definitions.

And that was it.

Thanks for a valuable hint! I'll stick to this solution.

Cheers,
Viktor

Viktor Larionov
Head of IT department
IT department
Salva Kindlustuse AS
Tel: (+372) 683 0630 | GSM: (+372) 566 86811 | Viktor.Larionov@salva.ee | www.salva.ee
(SMX)338844

On 10.01.2013 15:10, Ruslan Zakirov via RT wrote:

> Hi,
>
> I see what you've done, it's not bad. Can you take a look at
> dbi-password-check-callback code branch? It allows you to do the same
> with a callback without bringing in every possible hashing into the
> module.
While touching this code it's also worth considering that many systems will store the password salt in a separate field, e.g. 'salt' and 'passwordHash' columns in a 'user' table.
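
A stricter variant of the embedded-salt check discussed in this ticket, as an added example that is not part of the thread or of RT-Authen-ExternalAuth. The helper names check_md5_crypt and constant_time_eq are hypothetical and the sample password, salt and hashes are constructed; it accepts only the "$1$" form that unix_md5_crypt actually produces, refuses malformed or missing hashes instead of continuing with an undefined salt, and compares in constant time.

```perl
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt);

# Compare two strings without returning at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Hypothetical helper with the same argument order as the callback in the
# ticket: stored hash first, supplied password second.
sub check_md5_crypt {
    my ($stored, $supplied) = @_;
    return 0 unless defined $stored && defined $supplied;

    # Accept only "$1$<salt>$<22 chars>": unix_md5_crypt computes nothing else.
    # \z (unlike \Z) also refuses a value that ends in a newline.
    my ($salt) = $stored =~ m{\A\$1\$([^\$]{1,8})\$[./0-9A-Za-z]{22}\z}
        or return 0;    # never continue with an undefined salt

    return constant_time_eq(unix_md5_crypt($supplied, $salt), $stored);
}

# Constructed sample data: the hash is built here from a made-up password and salt.
my $good  = unix_md5_crypt('correct horse', 'Xy3kQ9aZ');
my @cases = (
    [ 'right password',     $good,                       'correct horse'  ],
    [ 'wrong password',     $good,                       'battery staple' ],
    [ 'other scheme ($6$)', '$6$Xy3kQ9aZ$' . ('a' x 86), 'correct horse'  ],
    [ 'truncated hash',     substr($good, 0, 20),        'correct horse'  ],
    [ 'NULL column',        undef,                       'correct horse'  ],
);
for my $c (@cases) {
    my ($label, $stored, $pw) = @$c;
    printf "%-20s %s\n", $label, check_md5_crypt($stored, $pw) ? 'accept' : 'reject';
}
```

Only the first case is accepted; the other four are rejected before or at the comparison.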

