Effective Saturday, the Bugzilla passwords that we rely on for authentication will change. Passwords will be in crypt() format until the users log in, which will convert them to SHA-256.

Our auth code needs to determine whether the password used is based on crypt() or SHA-256, so we need to pull the encrypted password from the DB, grep for a hash method, then compare it to the incoming password.

It should be noted that we can (and should) make the code change *NOW* since the code needs to detect current (crypt) passwords as well as SHA-256 ones.

IPZilla: I'll diff/patch the 3.0 bz_crypt method with the 3.4, and that should be sufficient. I'll likely need to install Digest and Digest::SHA on the nodes.

PHP: This should work:

    # $dbh is assumed to be an open PDO connection; the bound parameter replaces addslashes()
    $stmt = $dbh->prepare("SELECT cryptpassword FROM profiles WHERE login_name = ? AND disabledtext = ''");
    $stmt->execute(array($form_email));
    $db_cryptpassword = $stmt->fetchColumn();   # false when no enabled account matches

    if (preg_match("/{([^}]+)}$/", $db_cryptpassword, $matches)) {
        # New-style entry: 8-character salt, unpadded base64 digest, then the {method} tag
        $hash = $matches[0];
        $salt = substr($db_cryptpassword, 0, 8);

        # Use one or the other, depending on server libs
        $pw = $salt . str_replace("=", "", base64_encode(hash("sha256", $form_password . $salt, true))) . $hash;
        # $pw = $salt . str_replace("=", "", base64_encode(mhash(MHASH_SHA256, $form_password . $salt))) . $hash;
    }
    else {
        # Old-style entry: the stored crypt() value doubles as the salt
        $pw = crypt($form_password, $db_cryptpassword);
    }

    # Strict comparison, so a missing row (false) or a numeric-looking string never matches
    if ($db_cryptpassword === $pw) {
        echo "Login successful";
    }

List of sites to change:
- IPZilla (perl)
- Site Login (php)
- Babel (php)
- Live (php)
- EPIC/Marketplace (php)
- Submission system?
- Blogs, Forums & Wiki use the site login
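Added example, not part of the original thread and not Eclipse or Bugzilla code: the dual-format check from the description above as a self-contained function, run against one constructed entry of each format plus an entry with an unrecognised tag. The function names and sample values are hypothetical, and the tag is assumed to be `{SHA-256}` as written by Bugzilla 3.4.

```php
<?php
// Added example; function names are hypothetical, sample values are constructed.

// Stored layout: 8-char salt + unpadded base64(sha256(password . salt)) + "{SHA-256}".
function make_sha256_entry($password, $salt) {
    $digest = base64_encode(hash('sha256', $password . $salt, true));
    return $salt . str_replace('=', '', $digest) . '{SHA-256}';
}

// Compare every byte so the time taken does not depend on where strings differ.
function same_string($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function verify_bugzilla_password($password, $stored) {
    if (!is_string($stored) || $stored === '') {
        return false; // no matching row
    }
    if (preg_match('/\{([^}]+)\}$/', $stored, $m)) {
        if ($m[1] !== 'SHA-256') {
            return false; // unknown tag: reject rather than fall through to crypt()
        }
        $candidate = make_sha256_entry($password, substr($stored, 0, 8));
    } else {
        $candidate = crypt($password, $stored); // legacy: stored value doubles as salt
    }
    return same_string($candidate, $stored);
}

$legacy   = crypt('s3cret', 'ab');                    // not-yet-converted account
$upgraded = make_sha256_entry('s3cret', 'Zx81QpLm');  // account after first login

var_dump(verify_bugzilla_password('s3cret', $legacy));
var_dump(verify_bugzilla_password('s3cret', $upgraded));
var_dump(verify_bugzilla_password('wrong', $upgraded));
var_dump(verify_bugzilla_password('s3cret', 'Zx81QpLmAAAA{MD5}'));
var_dump(verify_bugzilla_password('s3cret', false));
```

Rejecting an unrecognised tag outright keeps a malformed or tampered row from being checked with the weaker legacy crypt() path.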
The Portal needs to be changed, too.
(In reply to comment #1)
> The Portal needs to be changed, too.

I'm looking at this now.
The new code needs to go into the Submissions system as well! When I'm done with the Portal I'll give you the new class, Gabe.
Ugh. To run this on the Submissions System (eclipsecon.org) we need a new install of PHP. Since there is no new install for FC4 it looks like I'm compiling a new one from scratch.
Live is updated and tested.
Babel is updated and tested.
I updated the code for the Submission System (based on what Karl did for the Portal). I won't be able to test new encryption of the passwords until PHP gets upgraded on the eclipsecon box.
IPZilla is done and tested. I patched Bugzilla/Util.pm and Bugzilla/Auth/Verify/Db.pm with 3.4 code.
Site login is done and tested. Just need to restart Apache on nodes 1,4,5 for the mhash functions to load up.
Gabe, are you done the Submission system? Looks like everything else is working. Thanks for the last minute push to avoid panic.
(In reply to comment #10)
> Gabe, are you done the Submission system?
>
> Looks like everything else is working. Thanks for the last minute push to
> avoid panic.

I have been able to log in since the upgrade, and I haven't heard any complaints from the PC or speakers. So things are good on my end.
Fixed it is!