This doesn't seem to be effective against PHPBB3 imported hashes #8
Comments
As far as I remember, phpbb3 (until version 3.1*) uses the same password algorithm as WordPress (called phpass), and it is covered by the check_wordpress code. On our first try we used phpass-ruby but it didn't work well, and we threw it out and replaced it with the WordpressHash function. Now I'm a bit lost as well since our code explicitly checks for '$P$', where phpBB3 uses '$H$'. I think early versions of our importer replaced it on that side, and it could very well be that you indeed found an issue here. I am not able to test this right now since I don't have a phpBB3 forum here right now but could you please try to change the 'check' function to the code below (so adding the gsub! line) and let me know if that solves your issue?
*) phpBB 3.1 and up use bcrypt() for password hashing.
Good instincts!
I broke the piece down to a test case and, indeed, the WordPress test is phpass compliant given a substituted signature char at index 1. (In fact both signatures are phpass compliant.)
We now have successful generation of identical hashing against a known seed (in other words we will match an input password).
Will reintroduce your multi signature and clean up the comment in the plugin and send a pull request this week.
Thanks!
On 4 Mar. 2018 7:53 pm, "discoursehosting" wrote:
def check(pw, hash)
  # Rewrite the phpBB3 signature to the WordPress one before the existing check.
  # Note: gsub! modifies the caller's string in place (and raises on a frozen string).
  hash.gsub!(/^\$H\$/, '$P$')
  return false unless hash.start_with?('$P$')
  # phpass output copies the first 12 chars of the setting, so the two strings
  # are equal only when the password reproduces the stored 22-char digest tail.
  crypt(pw, hash) == hash
end
*) phpBB 3.1 and up use bcrypt() for password hashing.
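The point raised in the thread (the '$H$' and '$P$' signatures are the same phpass algorithm, and a phpBB3 hash verifies once the signature is accepted) can be shown end to end. The following is an added example, not code from this plugin, from phpass-ruby or from phpass itself: a self-contained Ruby port of phpass's crypt_private() that accepts both signatures directly, so the stored hash is never rewritten. The function names (phpass_crypt, check_phpass, phpass_encode64, phpass_secure_equal?) are my own; the demo setting reuses the cost character and salt of the '$H$' hash quoted in this issue, and the password is made up.

```ruby
# Added example: a minimal phpass (WordPress '$P$' / phpBB3 < 3.1 '$H$') verifier.
# Function names are assumptions for this example, not the plugin's API.
require 'digest/md5'

# phpass's own 64-character alphabet; the order ('.' and '/' first) is part of the format.
PHPASS_ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.freeze

# phpass encode64: packs raw bytes 6 bits at a time, little-endian within each
# 3-byte group, which is why it is not interchangeable with RFC 4648 base64.
def phpass_encode64(input, count)
  bytes = input.bytes
  out = +''
  i = 0
  loop do
    value = bytes[i]
    i += 1
    out << PHPASS_ITOA64[value & 0x3f]
    value |= bytes[i] << 8 if i < count
    out << PHPASS_ITOA64[(value >> 6) & 0x3f]
    break if i >= count
    i += 1
    value |= bytes[i] << 16 if i < count
    out << PHPASS_ITOA64[(value >> 12) & 0x3f]
    break if i >= count
    i += 1
    out << PHPASS_ITOA64[(value >> 18) & 0x3f]
    break unless i < count
  end
  out
end

# Port of crypt_private(): setting = signature(3) + cost char(1) + salt(8).
# Either signature is accepted. Malformed input yields a '*0'/'*1' marker that
# can never equal a real hash, so a comparison against it fails closed.
def phpass_crypt(password, setting)
  output = '*0'
  output = '*1' if setting.start_with?(output)
  return output unless setting.start_with?('$P$', '$H$')
  count_log2 = PHPASS_ITOA64.index(setting[3].to_s)
  return output if count_log2.nil? || count_log2 < 7 || count_log2 > 30
  salt = setting[4, 8]
  return output if salt.nil? || salt.length != 8
  pw = password.b # binary-safe concatenation with the raw MD5 digest
  hash = Digest::MD5.digest(salt.b + pw)
  (1 << count_log2).times { hash = Digest::MD5.digest(hash + pw) }
  # The output copies the setting's first 12 chars, so '$H$' and '$P$' settings
  # with the same cost and salt produce the same 22-char digest tail.
  setting[0, 12] + phpass_encode64(hash, 16)
end

# Constant-time comparison so a mismatch does not leak how many leading
# characters matched through timing.
def phpass_secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check the plugin needs: both signatures verified as stored, and the
# caller's string is left untouched (no gsub! on the argument).
def check_phpass(password, stored_hash)
  return false unless stored_hash.start_with?('$P$', '$H$')
  phpass_secure_equal?(phpass_crypt(password, stored_hash), stored_hash)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: cost char '9' (2^11 rounds) and the 8-char salt from the
  # '$H$' hash quoted in this thread; the password is made up.
  wp_style  = phpass_crypt('correct horse', '$P$9zXpq1hsq')
  bb3_style = phpass_crypt('correct horse', '$H$9zXpq1hsq')
  puts wp_style, bb3_style # same tail, only the signature differs
  puts check_phpass('correct horse', bb3_style) # true
  puts check_phpass('wrong horse', bb3_style)   # false
end
```

Because the 22-character tail is identical under both signatures, a '$H$' hash can be verified as-is; the plugin's gsub! approach works for the same reason, but it also rewrites the string handed in by the caller, which this version avoids. Passing the full stored hash as the setting is fine, since only its first 12 characters are used.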
Apologies for the title, and for likely misusing the system. I hope to shed some light as to a usage pattern for this plugin:
I've imported a set of users from PHPBB3, and I've verified that the hashes came across correctly.
They don't seem to be matched successfully; I've got the custom fields and the logic of multiple hash matching strategies is being executed.
That logic is:
def self.check_all(password, crypted_pass)
  # Each strategy returns true on a match; the first hit short-circuits the chain.
  AlternativePassword::check_vbulletin(password, crypted_pass) ||
    AlternativePassword::check_vbulletin5(password, crypted_pass) ||
    AlternativePassword::check_ipb(password, crypted_pass) ||
    AlternativePassword::check_smf(password, crypted_pass) ||
    AlternativePassword::check_md5(password, crypted_pass) ||
    AlternativePassword::check_bcrypt(password, crypted_pass) ||
    AlternativePassword::check_sha256(password, crypted_pass) ||
    AlternativePassword::check_wordpress(password, crypted_pass) ||
    AlternativePassword::check_wbblite(password, crypted_pass) ||
    AlternativePassword::check_unixcrypt(password, crypted_pass) ||
    AlternativePassword::check_joomla_md5(password, crypted_pass) ||
    AlternativePassword::check_joomla_3_2(password, crypted_pass)
end
I don't see phpbb3 referenced there and I'm not sure that any of those strategies use phpass.
The hash I'm testing against is of the pattern:
var hash = '$H$9zXpq1hsq8qFj8ik/2S9l7AUjlqafO.';
Which I believe to be one of the phpass standard formats.
I'm not sure which of the listed strategies should be handling this. Can I ask, what does it mean that this plugin "# uses phpass-ruby https://github.com/uu59/phpass-ruby"? It's not listed as a gem dependency.
Thanks in advance,