Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Converting plaintext passwords to vanilla hash
MaddawgX9
New
I have an account management system in place for another system and I'm working on writing a script to export users from that system into the vanilla db using php.
The issue I'm running into is while I can use PHPass, I cannot use the vanilla encryption because it requires most of vanilla to be included/initialized which I cannot seem to easily do in a simple command-line php script. I've also attempted to hash to md5 using PHPass since vanilla is supposed to convert to vanilla hashing upon each user's first login, but the passwords won't authenticate upon login for some reason.
Any suggestions would be greatly appreciated.
0
Comments
Just put the plain text password in the
Passwordcolumn, and set theHashMethodtoText. They will hash on their own.They hash on their own, but only after each user logs in. Until someone auths on their account, those passwords are stored in plaintext. Which is bad.
Did you try setting the
HashMethodtomd5?WHen I try the md5 method, I use PHPass to encrypt the plaintext password and store that in the
Passwordcolumn, then set theHashMethodtomd5. It fails authenticating my login when I try to log in when I do this.Did you try just using
md5()to hash it?I believe I did and that failed as well. But, let me try now to confirm and I will get back with you.
set
HashMethodtoVanillaand just md5 them, it should rehash on login.grep is your friend.
Confirmed -- that method fails as well. Below is the portion of my script that seems to be not working.
//connect to db and load in single entry of data via csv $name = $data[0]; //$data[0] is my username $password = md5($data[1]); //$data[1] is my plaintext password $hashMethod = $data[2]; //$data[2] is md5 $email = $data[3]; //$data[3] is email $title = $data[4]; //$data[4] is title echo "Inserting User ".$name."\n"; $query_str="INSERT INTO GDN_User (Name,Password,HashMethod,Email,Title) VALUES ('".addslashes($name)."','".addslashes($password)."','".addslashes($hashMethod)."','".addslashes($email)."','".addslashes($title)."')"; echo $query_str."\n"; //output to confirm I'm not el loco mysql_query($query_str); //exec the query strI will try hashmethod vanilla
HashMethod = Vanilla fails as well.
I will also mention that everything works fine when I run my script and set the password as plaintext, so I know that either I suck at making an md5 hash or Vanilla sucks at checking plaintext passwords against it for one reason or another.
I will also mention I have checked the md5 hash of my test password against other implementations and it's getting put into the database correctly.
Perhaps there is a config var I need to edit in garden to enable md5 hash checking?
hash method
Textandmd5don't actually exist, they just to default toVanillaanyway.it should work see here
https://github.com/vanilla/vanilla/blob/master/library/core/class.passwordhash.php#L193-L197
grep is your friend.
I'll mess around a bit more, maybe have vanilla post some output to log so I can see what exactly in authentication is failing. I'm thinking it's possible it's failing on other checks because I'm not inserting any permissions role for the new user. In Terminator Voice I'll be back.
It looks as if it's an issue with me not assigning a user role. I'm adding the user to the GDN_Users table but I need to add a role linkage to GDN_UserRole and map the new user's ID to an existing role. The reason it had worked when I did plaintext was because I had gone in and edited the user account to have a role after I added it with my script. I will follow up shortly to confirm this is in fact the problem.
Confirmed. You have to add an entry in the GDN_UserRole table. Once I did, everything worked and all was right in the world. Thanks for the help.
Are you wanting to use the default roles like member for most of these users. I suggest you rebuild roles, to ensure everything is tickety-boo.
grep is your friend.