Something goes wrong, but... Let's go again.

Hi people.

I have been getting involved with Koha since last November. I am contributing to translation too, and digging into the DB, and scripts... Right now I have a new challenge: I need to know which method the system applies to encrypt borrowers' passwords. I know that it uses Bcrypt 8, but the stored encrypted string does not match the typed string. Any clue???

Thanks in advance.

-- Sent from: http://koha.1045719.n5.nabble.com/Koha-general-f3047918.html
Hi Robm

> I have been getting involved with Koha since last November. I am contributing to translation too, and digging into the DB, and scripts... Right now I have a new challenge: I need to know which method the system applies to encrypt borrowers' passwords. I know that it uses Bcrypt 8, but the stored encrypted string does not match the typed string. Any clue???

What kind of match do you expect? Try the following (using a Koha user shell) to see what an encrypted password will look like

    perl -e 'use Koha::AuthUtils qw ( hash_password ); $text = "clearpass"; $pass = hash_password( $text ); print "$text -> $pass\n";'

you will get something like

    clearpass -> $2a$08$osRn3haIkwt2Lf3dAWAPt.aIpl/qRF7bNo1w4kVOmXZ09VzSwHmkC

Regards
Bernardo
Hi Bernardo.

Let me explain, because encoding/decoding passwords is a sensitive subject. First of all, we know that it is impossible to reverse the stored password because bcrypt is a one-way method. My need is that I have a system, still in use, that has some tools written by myself in PHP etc. They are to print labels, meeting room agenda etc. Me and my staff have access to this program by username & password, but I would like to validate that access with the username & password stored in the Koha db. So we would all have just one account to manage.

But really, thanks for your reply.

rob

P.S. If we use an online Bcrypt generator (e.g. https://www.browserling.com/tools/bcrypt), and put, like your example, "clearpass" (using Rounds 8 - 'cause chars 03-05 is "$08" in the encrypted string) we get another result compared with Koha::AuthUtils. Why? Because Koha has something more (a salt) that goes along with our pass phrase when creating the hash (crypted string).
Oooooooooooooooo!!! I found it! PHP has a function: password_verify() to do this job!! A piece of cake! ;-)

Regards!!
rob
Hello Rob,

Here is what you were looking for:

    use Modern::Perl;
    use Koha::AuthUtils;
    use C4::Auth;

    # Generate the hash
    my $hashed_pwd = Koha::AuthUtils::hash_password('Your password');

    # Compare it with a new login
    my $login_pwd = 'Your password';
    say C4::Auth::checkpw_hash( $login_pwd, $hashed_pwd );
    my $wrong_pwd = 'wrong';
    say C4::Auth::checkpw_hash( $wrong_pwd, $hashed_pwd );

Regards,
Jonathan

On Thu, 20 Feb 2020 at 20:06, robm <robmietto@gmail.com> wrote:
> Oooooooooooooooo!!!
> I found it!
> PHP has a function: password_verify() to do this job!! A piece of cake! ;-)
> Regards!!
> rob

_______________________________________________
Koha mailing list http://koha-community.org
Koha@lists.katipo.co.nz
https://lists.katipo.co.nz/mailman/listinfo/koha
Hi Jonathan.

Thank you. But tell me: is there some special reason for not using the PHP function? Because it's working ok ...
If you are writing PHP code and the function works as you expect, then use it :)

On Fri, 21 Feb 2020 at 12:36, robm <robmietto@gmail.com> wrote:
> Hi Jonathan. Thank you. But tell me: is there some special reason for not using the PHP function? Because it's working ok ...
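The following PHP sketch is an added example, not code posted by anyone in this thread. It shows why two bcrypt strings for the same password differ (the salt is carried inside the string itself) and how password_verify() checks a typed password against a stored `$2a$08$` value. The function names `parse_bcrypt` and `verify_login` are hypothetical, and the two fixed salts are constructed sample data.

```php
<?php
// Added example; parse_bcrypt() and verify_login() are hypothetical names.

// Split a 60-character bcrypt string into variant, cost, salt and digest.
function parse_bcrypt(string $hash): ?array
{
    $re = '~^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z~';
    if (!preg_match($re, $hash, $m)) {
        return null; // not a bcrypt string (empty or some other format)
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2],
            'salt' => $m[3], 'digest' => $m[4]];
}

// Check a typed password against the stored string. password_verify()
// re-hashes $typed with the cost and salt embedded in $stored and compares
// the result in constant time, so the salt never has to be handled apart.
function verify_login(string $typed, ?string $stored): bool
{
    if ($stored === null || parse_bcrypt($stored) === null) {
        return false; // fail closed on missing or malformed values
    }
    return password_verify($typed, $stored);
}

// Constructed sample data: the same password hashed with two fixed salts
// (fixed only so the run is repeatable; real salts are random per hash).
$a = crypt('clearpass', '$2a$08$' . 'abcdefghijklmnopqrstuu');
$b = crypt('clearpass', '$2a$08$' . 'ABCDEFGHIJKLMNOPQRSTUu');

echo "a: $a\nb: $b\n";
print_r(parse_bcrypt($a));                  // fields carried inside the string
var_dump($a === $b);                        // are the two strings equal?
var_dump(verify_login('clearpass', $a));    // right password, first hash
var_dump(verify_login('clearpass', $b));    // right password, second hash
var_dump(verify_login('wrong', $a));        // wrong password
var_dump(verify_login('clearpass', null));  // account with no stored hash
// Re-hashing with the salt taken from $a: does it reproduce $a?
var_dump(hash_equals($a, crypt('clearpass', $a)));
```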
participants (3)
- Bernardo Gonzalez Kriegel
- Jonathan Druart
- robm