Tickets :: Comment on [#9275] crypt-md5 password with show

* Your Email Address
* Spam protection	Enter the letters below: .__ \ /\ /.__..__ [__) >< >< \| \|[__) [__)/ \/ \\|__\\| \
Comment	> Ok, let's try to be clear. > > I want password to be stored with crypt-md5 method, so it's already > the case in the database, and the format is {crypt}$1$xxxxxxxxxxxxxxx > (but it can be another method also, that's why it's prefixed) > > Then I want to provide user a way to change their password and keep > storing them with crypt-md5 method. > > I've set encryption to crypt-md5 in passwd and show_encryption to > true (I can have put encryption to any other method I think I'll get > the same result as my password are already crypt-md5) > > So to change the password the old one is reqested from the user, and > the problem lie here: > > In passwd/lib/Driver.php, in function comparePasswords > there is a call to Auth::getCryptedPassword to get the encrypted > version of the old password given by the user that need to match the > stored version. > As the method is stored with the password, 'crypt' is use as > encryption for the old password, so the params given to > Auth::getCryptedPassword are ('password', > '{crypt}$1$1a9668b1$5uJT0BQW24EEtrVj/c4R2/', 'crypt', false) > > And in lib/Horde/Auth.php in getCryptedPassword, the first task done > is to recompute $salt, and if 'crypt' is used instead of 'crypt-md5' > it reduce it to 3 chars instead of 13 (see the getSalt function). > If the salt is not recomputed, it works (I've tested). > So the call to crypt have to be done with the encrypted old password > as second paremeter (or it's first 13 chars as it's done when > 'crypt-md5' is used as parameter in this function). > > Hope this is clearer.
Attachment
Watch this ticket

Saved Queries