This Help forum is for issues related to the latest release (1.1.x). For issues related to beta or svn version please use their own Help forum.
When requesting help please provide as much information as possible. Explain what version of webtrees, PHP and MySQL you are using. If possible provide a URL to your site so we can see the problem first-hand.
Tip: Think about putting these details in your signature, so it appears in the footer of ALL your messages.

TOPIC: unable to authenticate user

unable to authenticate user 9 years 23 hours ago #1

  • Norm
Hi,
I have been successfully using webtrees v1.0.6 locally to maintain my genealogical info. After upgrading to the latest version (1.1.2) I receive "unable to authenticate user" when trying to log in after the initial session.

I reinstalled multiple times to no avail. If I use phpMyAdmin to paste the "ChangeMe" hash into wt_user.password as per ToyGuy in this thread I can log in but if I change the password using My Page->My Account the next attempt to log in fails.

My system:
PHP 5.3.6-11
Mysql 5.1.57-1 (Debian)
Apache/2.2.19 (Debian)

I'd appreciate some help.

Thanks,
Norm
Norm

Debian Sid
PHP 7.0.14-2
Mysql 5.7.16-1 (Debian)
Apache/2.4.25 (Debian)


Re: unable to authenticate user 9 years 23 hours ago #2

  • fisharebest
Are you using any "special" characters in your new/chosen password?

Does it work if you choose a password containing just alpha-numerics?
Greg Roach - fisharebest.webtrees.net


Re: unable to authenticate user 9 years 22 hours ago #3

  • Norm
No, I'm not using any special characters. I tried changing from "ChangeMe" to "changeme" to check. Still fails.

Thanks for the reply!

EDIT: Don't know whether this will help or not but "changeme" hashes to: $6$riNAD2xN$H8X6CmQqAF/WCnjjI6felqJ2e8os7vH.m1oXGNrZXU1dFiAna9iT

Last edit: by Norm. Reason: addl info

Re: unable to authenticate user 9 years 18 hours ago #4

  • fisharebest
Puzzling.

What happens if you use the "forgotten password" feature, and let webtrees generate a password and e-mail it to you?

Re: unable to authenticate user 8 years 11 months ago #5

  • Norm
Tried the "forgotten password" feature, same result: "unable to authenticate user"

I haven't used php much, but I took a peek at your source and tried this:
$ php -r 'var_dump(crypt("ChangeMe"));'
string(98) "$6$Ed0./Gih$V/aheixMAlhBJ7u/HNdP.t5gmej4982eQ1nrbr2lO2f.8wp/DnsB41vm6ovPUBzRjHACgieGXmx1UmR66b7XV0"

My wt_user.password field contains a 98 character string after setting/changing the password.

From the php5 docs here:

Some operating systems support more than one type of hash. In fact, sometimes the standard DES-based algorithm is replaced by an MD5-based algorithm. The hash type is triggered by the salt argument.

I'm running Debian unstable. Could my system be choosing the wrong hash?

Re: unable to authenticate user 8 years 11 months ago #6

  • fisharebest
The first two characters tell us what sort of hash is being used.

$1 = MD5
$2 = Blowfish - anything with fish in the name must be good :-)
$5 = SHA256
$6 = SHA512

I guess it is possible that your PHP upgrade changed the crypt function. Do the existing values in the database have a different prefix?

Re: unable to authenticate user 8 years 11 months ago #7

  • Norm
Apparently Debian modifies their php5 package. Here are a couple of bug reports about crypt(): link link At one time crypt() with no salt returned an empty string. So I guess that they fixed that by returning a sha512.

Anyway, just piddling around I got v1.1.2 to work by changing the following:
admin_users.php:286:                            if ($user_id=create_user($username, $realname, $emailaddress, crypt($pass1,"$1"))) {
admin_users.php:299:                            set_user_password($user_id, crypt($pass1,"$1"));
edituser.php:68:                        set_user_password(WT_USER_ID, crypt($form_pass1,"$1"));
login_register.php:111:                         set_user_password($user_id, crypt($user_new_pw,"$1"));
login_register.php:334:                         if ($user_id=create_user($user_name, $user_realname, $user_email, crypt($user_password01,"$1"))) {
login_register.php:477:                 $pw_ok = (get_user_password($user_id) == crypt($user_password, get_user_password($user_id)));
save.php:136:                   set_user_password($id2, crypt($value,"$1"));
I didn't know what to do with the line in login_register.php, since crypt() already has a second parameter, so the initial setup doesn't work. Changing the password via "Forgotten password" or "My Page->My Account" works fine though.

EDIT: From the Debian php5 package changelog:

php5 (5.3.6-1) unstable; urgency=low
. . .
* Fix regression with missing CRYPT_SALT_LENGTH (Closes: #603012)
* Generate SHA512 salt string when provided salt is null (Closes: #581170)
. . .

For now that change only affects Debian unstable but it will eventually percolate down to the testing and stable distros, thus affecting any Debian LAMP set ups out there.

Last edit: by Norm.

Re: unable to authenticate user 8 years 11 months ago #8

  • fisharebest
@norm - your change has two effects.

Firstly, by using the same salt every time, you are removing all the benefits of having a salt.

Secondly, by specifying a two-character salt, you are forcing crypt() to choose the weakest algorithm available.

<<I didn't know what to do with the line in login_register.php, since crypt() already has a second parameter>>

Nothing. You call crypt() with one parameter when you are generating a password hash, and you call it with two parameters when you are validating an existing password hash.

FYI, I've just tidied up the code a little, so that we only generate password hashes in one place. (Actually two places - the setup wizard needs its own.)

<<I'm running Debian unstable>>

:-)

If you want to code a workaround for this bug, you should generate a random salt of the correct format - for whichever algorithm you prefer. php.net/crypt has further details.

Last edit: by fisharebest.

Re: unable to authenticate user 8 years 11 months ago #9

  • Norm
Greg,

I think I have gotten to the bottom of my problem.

As I mentioned above, on my Debian Sid system php::crypt() returns a 98 byte string. Since wt_user.password is a varchar(64) field the following statement in check_user_password() always returns false because the field lengths are different:
return crypt($password, $password_hash)==$password_hash;
Everything works fine if I change wt_user.password to varchar(98).

Sorry for all of the “noise” above, as an autodidact I do a lot of flailing around.

Re: unable to authenticate user 8 years 11 months ago #10

  • fisharebest
<<Sorry for all of the “noise” above>>

Don't apologise - this is not "noise". The password field is too small, and this is a bug. I've updated the code - when you upgrade to 1.1.3, it will increase the size of this column to 128 characters.
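The failure diagnosed in this thread, together with the random-salt advice in post #8, as an added example that is not webtrees code or any poster's code: a SHA-512 crypt() hash generated with a random salt is checked after being cut to the column width. The function names are hypothetical, and the silent truncation (as a MySQL server without strict mode does it) is an assumption.

```php
<?php
// Added example, not webtrees code. All function names are hypothetical.

// Random salt in SHA-512 crypt format: "$6$" + 16 chars from [./0-9A-Za-z] + "$".
function make_sha512_salt(): string
{
    // 12 random bytes encode to exactly 16 base64 chars with no '=' padding.
    // base64 uses '+', which is not in the crypt alphabet, so map it to '.'.
    return '$6$' . strtr(base64_encode(random_bytes(12)), '+', '.') . '$';
}

// Generating: a fresh salt on every call, so equal passwords get different hashes.
function hash_password(string $password): string
{
    return crypt($password, make_sha512_salt());
}

// Validating: the stored hash is passed as the salt argument. crypt() reads the
// algorithm prefix and salt from it and recomputes the full-length hash.
function check_password(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Assumption: stands in for a VARCHAR($width) column that truncates silently.
function store_in_column(string $hash, int $width): string
{
    return substr($hash, 0, $width);
}

$hash = hash_password('ChangeMe');
foreach ([64, 128] as $width) {
    $stored = store_in_column($hash, $width);
    printf(
        "varchar(%d): stored %d of %d chars, login %s\n",
        $width,
        strlen($stored),
        strlen($hash),
        check_password('ChangeMe', $stored) ? 'ok' : 'FAILS'
    );
}

// Same password hashed twice: the results differ because the salt is random.
var_dump(hash_password('ChangeMe') === hash_password('ChangeMe'));
```

The truncated value still carries the `$6$` prefix and the whole salt, so crypt() recomputes the complete hash and the comparison with the shortened stored value can never match, whatever password is entered.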
