[Tickets #9275] Re: crypt-md5 password with show_encryption doesn't work

bugs at horde.org bugs at horde.org
Thu Oct 21 20:40:44 UTC 2010


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/9275
------------------------------------------------------------------------------
  Ticket             | 9275
  Updated By         | tonton at bdefracte.org
  Summary            | crypt-md5 password with show_encryption doesn't work
  Queue              | Passwd
  Version            | HEAD
  Type               | Bug
  State              | Feedback
  Priority           | 2. Medium
  Milestone          |
  Patch              | 1
  Owner              |
------------------------------------------------------------------------------


tonton at bdefracte.org (2010-10-21 16:40) wrote:

Ok, let's try to be clear.

I want passwords to be stored with the crypt-md5 method; this is already
the case in the database, and the format is {crypt}$1$xxxxxxxxxxxxxxx
(but it can also be another method, which is why it's prefixed).

Then I want to provide users a way to change their password and keep
storing them with the crypt-md5 method.

I've set encryption to crypt-md5 in passwd and show_encryption to true
(I could have set encryption to any other method; I think I'd get the
same result, as my passwords are already crypt-md5).

So to change the password, the old one is requested from the user, and
the problem lies here:

In passwd/lib/Driver.php, in the function comparePasswords, there is a
call to Auth::getCryptedPassword to get the encrypted version of the old
password given by the user, which needs to match the stored version.
As the method is stored with the password, 'crypt' is used as the
encryption for the old password, so the params given to
Auth::getCryptedPassword are ('password',
'{crypt}$1$1a9668b1$5uJT0BQW24EEtrVj/c4R2/', 'crypt', false).

And in lib/Horde/Auth.php, in getCryptedPassword, the first task done
is to recompute $salt, and if 'crypt' is used instead of 'crypt-md5' it
reduces it to 3 chars instead of 13 (see the getSalt function).
If the salt is not recomputed, it works (I've tested).
So the call to crypt has to be done with the encrypted old password as
the second parameter (or its first 13 chars, as is done when 'crypt-md5'
is used as the parameter in this function).

Hope this is clearer.
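The comparison the reporter describes, as an added PHP example that is not Horde's own code: a broken variant that recomputes a short salt from the stored value before calling crypt(), and a fixed variant that hands crypt() the whole stored hash so it picks up the "$1$" scheme marker and the salt itself. The function names, the handling of the {crypt} prefix, and the sample password are assumptions made for the example; the stored hash is computed at runtime from the salt quoted in the ticket rather than copied from it. hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example, not code from Horde or from the ticket. Shows why the
// stored hash (or at least its full "$1$<salt>$" prefix) must be passed to
// crypt() as the salt, and what goes wrong when it is cut down to the
// two-character length of a traditional DES salt.

declare(strict_types=1);

// Strip the "{crypt}" scheme prefix the reporter's database stores.
// The prefix format is an assumption taken from the ticket text.
function strip_scheme_prefix(string $storedWithPrefix): string
{
    return preg_replace('/^\{crypt\}/', '', $storedWithPrefix) ?? $storedWithPrefix;
}

// Broken variant: mirrors the behaviour the ticket describes. The salt is
// recomputed for the generic 'crypt' method by keeping only the first two
// characters, so crypt() treats "$1" as a DES salt and produces a 13-char
// DES hash (or a failure string) that can never equal an MD5-crypt hash.
function compare_broken(string $plain, string $storedWithPrefix): bool
{
    $stored = strip_scheme_prefix($storedWithPrefix);
    $salt = substr($stored, 0, 2);
    return crypt($plain, $salt) === $stored;
}

// Fixed variant: pass the whole stored hash as the salt. crypt() parses
// the "$1$" marker and the salt that follows it and recomputes the same
// MD5-crypt digest, so the check works for any crypt scheme carried by
// the stored string ($1$, $5$, $6$, $2y$, ...), not only crypt-md5.
function compare_fixed(string $plain, string $storedWithPrefix): bool
{
    $stored = strip_scheme_prefix($storedWithPrefix);
    $candidate = crypt($plain, $stored);

    // crypt() signals an unusable salt with a short "*0"/"*1" string;
    // reject that before the constant-time comparison.
    if (strlen($candidate) !== strlen($stored)) {
        return false;
    }
    return hash_equals($stored, $candidate);
}

// Constructed sample: an MD5-crypt hash of "password" using the salt from
// the ticket, stored with the "{crypt}" prefix. The password is assumed.
$stored = '{crypt}' . crypt('password', '$1$1a9668b1$');

var_dump(compare_broken('password', $stored));
var_dump(compare_fixed('password', $stored));
var_dump(compare_fixed('wrong-password', $stored));
```

Run stand-alone, the broken comparison rejects the correct password while the fixed one accepts it and still rejects a wrong one. The length check before hash_equals() matters: if the stored value is ever corrupted or carries an unsupported scheme, crypt() returns a short failure string, and comparing that with the stored hash must fail closed.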
