Web based family history software

This Help forum is for issues related to the latest release (1.1.x). For issues related to beta or svn versions please use their own Help forum.
When requesting help please provide as much information as possible. Explain what version of webtrees, PHP and MySQL you are using. If possible provide a URL to your site so we can see the problem first-hand.
Tip: Think about putting these details in your signature, so it appears in the footer of ALL your messages

Question unable to authenticate user

12 years 10 months ago #1 by Norm
unable to authenticate user was created by Norm
Hi,
I have been successfully using webtrees v1.0.6 locally to maintain my genealogical info. After upgrading to the latest version (1.1.2) I receive "unable to authenticate user" when trying to log in after the initial session.

I reinstalled multiple times to no avail. If I use phpMyAdmin to paste the "ChangeMe" hash into wt_user.password as per ToyGuy in this thread I can log in but if I change the password using My Page->My Account the next attempt to log in fails.

My system:
PHP 5.3.6-11
Mysql 5.1.57-1 (Debian)
Apache/2.2.19 (Debian)

I'd appreciate some help.

Thanks,
Norm

Norm

Debian Sid
PHP 7.0.14-2
Mysql 5.7.16-1 (Debian)
Apache/2.4.25 (Debian)


12 years 10 months ago #2 by fisharebest
Replied by fisharebest on topic Re: unable to authenticate user
Are you using any "special" characters in your new/chosen password?

Does it work if you choose a password containing just alpha-numerics?

Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net


12 years 10 months ago - 12 years 10 months ago #3 by Norm
Replied by Norm on topic Re: unable to authenticate user
No, I'm not using any special characters. I tried changing from "ChangeMe" to "changeme" to check. Still fails.

Thanks for the reply!

EDIT: Don't know whether this will help or not but "changeme" hashes to: $6$riNAD2xN$H8X6CmQqAF/WCnjjI6felqJ2e8os7vH.m1oXGNrZXU1dFiAna9iT

Last edit: 12 years 10 months ago by Norm. Reason: addl info


12 years 10 months ago #4 by fisharebest
Replied by fisharebest on topic Re: unable to authenticate user
Puzzling.

What happens if you use the "forgotten password" feature, and let webtrees generate a password and e-mail it to you?



12 years 10 months ago #5 by Norm
Replied by Norm on topic Re: unable to authenticate user
Tried the "forgotten password" feature, same result: "unable to authenticate user"

I haven't used php much, but I took a peek at your source and tried this:
Code:
$ php -r 'var_dump(crypt("ChangeMe"));'
string(98) "$6$Ed0./Gih$V/aheixMAlhBJ7u/HNdP.t5gmej4982eQ1nrbr2lO2f.8wp/DnsB41vm6ovPUBzRjHACgieGXmx1UmR66b7XV0"

My wt_user.password field contains a 98 character string after setting/changing the password.

From the php5 docs here:

Some operating systems support more than one type of hash. In fact, sometimes the standard DES-based algorithm is replaced by an MD5-based algorithm. The hash type is triggered by the salt argument.

I'm running Debian unstable. Could my system be choosing the wrong hash?



12 years 10 months ago #6 by fisharebest
Replied by fisharebest on topic Re: unable to authenticate user
The first two characters tell us what sort of hash is being used.

$1 = MD5
$2 = Blowfish - anything with fish in the name must be good :-)
$5 = SHA256
$6 = SHA512

I guess it is possible that your PHP upgrade changed the crypt function. Do the existing values in the database have a different prefix?



12 years 10 months ago - 12 years 10 months ago #7 by Norm
Replied by Norm on topic Re: unable to authenticate user
Apparently Debian modifies their php5 package. Here are a couple of bug reports about crypt(): link link At one time crypt() with no salt returned an empty string. So I guess that they fixed that by returning a sha512.

Anyway, just piddling around I got v1.1.2 to work by changing the following:
Code:
admin_users.php:286: if ($user_id=create_user($username, $realname, $emailaddress, crypt($pass1,"$1"))) {
admin_users.php:299: set_user_password($user_id, crypt($pass1,"$1"));
edituser.php:68: set_user_password(WT_USER_ID, crypt($form_pass1,"$1"));
login_register.php:111: set_user_password($user_id, crypt($user_new_pw,"$1"));
login_register.php:334: if ($user_id=create_user($user_name, $user_realname, $user_email, crypt($user_password01,"$1"))) {
login_register.php:477: $pw_ok = (get_user_password($user_id) == crypt($user_password, get_user_password($user_id)));
save.php:136: set_user_password($id2, crypt($value,"$1"));
I didn't know what to do with the line in login_register.php, since crypt() already has a second parameter, so the initial setup doesn't work. Changing the password via "Forgotten password" or "My Page->My Account" works fine though.

EDIT: From the Debian php5 package changelog:

php5 (5.3.6-1) unstable; urgency=low
. . .
* Fix regression with missing CRYPT_SALT_LENGTH (Closes: #603012)
* Generate SHA512 salt string when provided salt is null (Closes: #581170)
. . .

For now that change only affects Debian unstable but it will eventually percolate down to the testing and stable distros, thus affecting any Debian LAMP setups out there.

Last edit: 12 years 10 months ago by Norm.


12 years 10 months ago - 12 years 10 months ago #8 by fisharebest
Replied by fisharebest on topic Re: unable to authenticate user
@norm - your change has two effects.

Firstly, by using the same salt every time, you are removing all the benefits of having a salt.

Secondly, by specifying a two-character salt, you are forcing crypt() to choose the weakest algorithm available.

<<I didn't know what to do with the line in login_register.php, since crypt() already has a second parameter>>

Nothing. You call crypt() with one parameter when you are generating a password hash, and you call it with two parameters when you are validating an existing password hash.

FYI, I've just tidied up the code a little, so that we only generate password hashes in one place. (Actually two places - the setup wizard needs its own.)

<<I'm running Debian unstable>>

:-)

If you want to code a workaround for this bug, you should generate a random salt of the correct format - for whichever algorithm you prefer. php.net/crypt has further details.

Last edit: 12 years 10 months ago by fisharebest.


12 years 10 months ago #9 by Norm
Replied by Norm on topic Re: unable to authenticate user
Greg,

I think I have gotten to the bottom of my problem.

As I mentioned above, on my Debian Sid system php::crypt() returns a 98 byte string. Since wt_user.password is a varchar(64) field the following statement in check_user_password() always returns false because the field lengths are different:
Code:
return crypt($password, $password_hash) == $password_hash;
Everything works fine if I change wt_user.password to varchar(98).

Sorry for all of the “noise” above, as an autodidact I do a lot of flailing around.



12 years 10 months ago #10 by fisharebest
Replied by fisharebest on topic Re: unable to authenticate user
<<Sorry for all of the “noise” above>>

Don't apologise - this is not "noise". The password field is too small, and this is a bug. I've updated the code - when you upgrade to 1.1.3, it will increase the size of this column to 128 characters.

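As an added illustration of the two points made in this thread (Greg's: generate a hash with a fresh random salt and verify by passing the stored hash back as the salt; Norm's: a 64-character column silently truncates the crypt() output so the comparison can never match), the following is example code written for this page, not webtrees code. It assumes PHP 7 or later for random_int() and hash_equals(), and the hypothetical function names are mine.

```php
<?php
// Added example, not webtrees code. Assumes PHP >= 7 (random_int, hash_equals).

// Build a SHA-512 crypt() salt: "$6$" + 16 characters from the crypt salt alphabet + "$".
// A fresh random salt per password is exactly what a fixed "$1" salt throws away.
function makeSha512Salt(): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return '$6$' . $salt . '$';
}

// Hash generation: crypt() called with a freshly generated salt.
function hashPassword(string $password): string
{
    return crypt($password, makeSha512Salt());
}

// Verification: crypt() called with the stored hash as the salt, then a constant-time
// compare. hash_equals() also returns false when the lengths differ, which is the
// truncation case below.
function checkPassword(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Simulates what a VARCHAR(64) column does to a longer value on INSERT when MySQL is
// not in strict mode: it silently keeps only the first 64 characters.
function storeInColumn(string $value, int $width): string
{
    return substr($value, 0, $width);
}

$hash = hashPassword('ChangeMe');
// 106 characters with a 16-character salt (98 in the thread, where crypt() chose an
// 8-character salt); either way it does not fit in VARCHAR(64).
printf("hash length: %d\n", strlen($hash));
var_dump(checkPassword('ChangeMe', $hash));   // correct password against the full hash
var_dump(checkPassword('changeme', $hash));   // wrong password against the full hash

// Two hashes of the same password differ because their salts differ.
var_dump(hashPassword('ChangeMe') === $hash);

// The truncated column value: crypt() rebuilds the full-length hash from the surviving
// salt, so comparing it with the 64-character stored value cannot succeed.
$stored = storeInColumn($hash, 64);
var_dump(checkPassword('ChangeMe', $stored));
```

A cheap guard for this class of bug is to compare strlen() of the freshly generated hash against the column width before the first INSERT and fail loudly rather than let the database truncate.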

