upgrade_sympa_password.pl does not seem to work for update from md5 to bcrypt #1277
Comments
Hi @Salo15 , "md5 fingerprint" cannot be upgraded, because it is not possible to recover the original password from the fingerprint. For the users with "md5 fingerprint" passwords, you may add these to
By this setting, every time the user successfully authenticates using the password of their own, the md5 fingerprint will be automatically replaced with the bcrypt hash. After a long enough period of time, you can check your database and disable users with md5 fingerprint, because such an account is considered to be no longer in use. See also the documentation.
Hi IKEDA Soji,
thank you very much for your answer.
I really misunderstood the documentation and thought that I could use the upgrade_sympa_password.pl script to update passwords with md5 fingerprints to bcrypt hashes.
That's good to know that I can also just set the value for the password_hash parameter to "bcrypt" (the password_hash_update parameter is already set to 1) and then when users log in, the password with md5 fingerprint will be replaced with bcrypt.
I didn't dare to do that, because the comment for the password_hash parameter says "## Should not be changed! May invalidate all user passwords."
How can I see in the database for which users a password with md5 fingerprint still exists?
Since many of our users now log in via shibboleth, but still have a password set for them from earlier times, I can't delete these users, but I can delete the password for them after a certain amount of time.
Thank you and best regards,
Sabine
From: IKEDA Soji ***@***.***>
Sent: Monday, 15 November 2021 09:07
To: sympa-community/sympa ***@***.***>
Cc: Lorenz, Sabine (SCC) ***@***.***>; Mention ***@***.***>
Subject: Re: [sympa-community/sympa] upgrade_sympa_password.pl does not seem to work for update from md5 to bcrypt (Issue #1277)
Hi @Salo15 <https://github.com/Salo15> ,
"md5 fingerprint" cannot be upgraded, because it is not possible to recover the original password from the fingerprint. upgrade_sympa_password.pl can upgrade only (older) RC4-encrypted passwords or (the oldest) cleartext passwords.
For the users with "md5 fingerprint" passwords, you may add these to sympa.conf:
password_hash bcrypt
password_hash_update 1
Afterward, every time the user successfully authenticates using the password of their own, the md5 fingerprint will be automatically replaced with the bcrypt hash. After a long enough period of time, you can check your database and disable users with md5 fingerprint, because such an account is considered to be no longer in use.
See also the documentation <https://sympa-community.github.io/manual/customize/builtin-auth.html> .
Good point. Those are failures in the documentation: it will only harm to change password_hash if you wanted to continue using the previous password hash. I'll fix them in the near future.
You may run:
upgrade_sympa_password.pl --dry_run
And if md5 fingerprint is kept, you will see the message "Password from XXXX already encoded as md5 fingerprint".
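The two mechanisms discussed in this thread, rehash-on-login (what password_hash_update does) and an audit of which accounts are still on the legacy scheme (what the --dry_run output gives you), as an added illustration that is not Sympa's own code. It assumes a legacy scheme of an unsalted hex md5 of the password (a "fingerprint" in Sympa's terms), stands in PBKDF2-HMAC-SHA256 from the standard library for bcrypt because the bcrypt module may not be installed, and uses a constructed in-memory user table with made-up addresses:

```python
"""Transparent upgrade of legacy md5 "fingerprint" passwords on successful
login, plus an audit of which accounts still carry the legacy scheme.

Added example, not Sympa's code. PBKDF2-HMAC-SHA256 stands in for bcrypt
(assumption); stored values are tagged so the scheme can be told apart.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000  # assumption: illustrative work factor only


def md5_fingerprint(password: str) -> str:
    """Legacy scheme: unsalted hex md5. Kept only to verify old records."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Stand-in for bcrypt: salted PBKDF2, serialized as $pbkdf2$<salt>$<dk>."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"$pbkdf2${salt.hex()}${dk.hex()}"


def scheme_of(stored: str) -> str:
    """Classify a stored value: tagged PBKDF2, bare 32-hex md5, or unknown."""
    if stored.startswith("$pbkdf2$"):
        return "pbkdf2"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        return "md5"
    return "unknown"


def verify(password: str, stored: str) -> bool:
    """Check a cleartext password against either scheme, constant-time compare."""
    scheme = scheme_of(stored)
    if scheme == "md5":
        return hmac.compare_digest(md5_fingerprint(password), stored)
    if scheme == "pbkdf2":
        _, _, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
        )
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def login(users: Dict[str, str], email: str, password: str, hash_update: bool = True) -> bool:
    """Authenticate; on success, replace a legacy record with the strong hash.

    This is the only moment the cleartext is available, which is why an
    offline tool cannot convert md5 fingerprints but a login can.
    """
    stored = users.get(email)
    if stored is None or not verify(password, stored):
        return False
    if hash_update and scheme_of(stored) != "pbkdf2":
        users[email] = strong_hash(password)
    return True


def audit(users: Dict[str, str]) -> Dict[str, int]:
    """Count accounts per scheme: the 'who is still on md5' question."""
    counts: Dict[str, int] = {}
    for stored in users.values():
        s = scheme_of(stored)
        counts[s] = counts.get(s, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample table: one legacy user, one already upgraded.
    table = {
        "legacy@example.test": md5_fingerprint("correct horse"),
        "fresh@example.test": strong_hash("battery staple"),
    }
    print("before:", audit(table))
    login(table, "legacy@example.test", "correct horse")
    print("after one successful login:", audit(table))
```

After a long enough grace period, accounts that `audit` still reports under "md5" are the ones that never authenticated with their password and can be disabled or have the password cleared, as suggested in the thread.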
…d is obsoleted (see also sympa-community#1277)
Config: The warning that password_hash parameter should not be changed is obsoleted (#1277)
I want to use upgrade_sympa_password.pl to precompute passwords to update password hashes from md5 to bcrypt.
But when I run upgrade_sympa_password.pl with --cache xxx and --noupdateuser, for the users for which the password is encrypted with md5, I get the feedback that the password of these users is already encrypted with md5 instead of the password being encrypted with bcrypt.
Version
Sympa 6.2.40 on a Debian 10 machine
Installation method
6.2.40~dfsg-1+deb10u1 installed as a Debian package
Expected behavior
I would expect that when running the following command the password of the users will be encrypted with bcrypt hash and stored in /root/sympa.hashes: /usr/share/sympa/bin/upgrade_sympa_password.pl --config /etc/sympa/sympa/sympa.conf.bcrypt --cache /root/sympa.hashes --noupdateuser
Actual behavior
Instead, when testing the command in a test domain, I get feedback in the output that the user's password is already encrypted with md5 fingerprint (even though the password_hash parameter in the Sympa config file is set to bcrypt):
root@lists-test:/etc/sympa# grep -i password_hash /etc/sympa/sympa/sympa.conf.bcrypt |grep -v "#"
password_hash bcrypt
root@lists-test:/etc/sympa# /usr/share/sympa/bin/upgrade_sympa_password.pl --config /etc/sympa/sympa.conf.bcrypt --cache /root/sympa.hashes --noupdateuser
Recoding password using bcrypt fingerprint.
Password from s.lorenz@kit.edu already encoded as md5 fingerprint
Password from sabine.lorenz@iwr.fzk.de already encoded as md5 fingerprint
Password from sabine.lorenz@kit.edu already encoded as md5 fingerprint
Found in table user 3 passwords stored using md5. Did you run Sympa before upgrading?
Updated 0 user passwords in table user_table using bcrypt hashes.
Does upgrade_sympa_password.pl contain a bug that causes the update from md5 to bcrypt not to be performed?
Or am I doing something wrong?