[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2023-03-01 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

David Cook  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33114

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/


[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2014-06-06 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Jonathan Druart  changed:

   What|Removed |Added

 Blocks||12367



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-09 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #97 from Robin Sheat  ---
*** Bug 11013 has been marked as a duplicate of this bug. ***



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-07 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Robin Sheat  changed:

   What|Removed |Added

 Blocks||11013



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Galen Charlton  changed:

   What|Removed |Added

 Status|Passed QA   |Pushed to Master
 CC||gmcha...@gmail.com

--- Comment #96 from Galen Charlton  ---
Pushed to master.  Thanks, Srikanth!



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Kyle M Hall  changed:

   What|Removed |Added

 Status|Signed Off  |Passed QA



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Kyle M Hall  changed:

   What|Removed |Added

  Attachment #21777 is obsolete|0   |1

--- Comment #95 from Kyle M Hall  ---
Created attachment 21796
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21796&action=edit
Bug 9611 - followup to fix POD

Small patch to make koha-qa happy.
Fixes small POD error

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Kyle M Hall 
All patches pass koha-qa.pl, works as advertised!



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Kyle M Hall  changed:

   What|Removed |Added

  Attachment #21776 is obsolete|0   |1

--- Comment #94 from Kyle M Hall  ---
Created attachment 21795
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21795&action=edit
Bug 9611: Database update, changing password from varchar(30) to varchar(60)

This is necessary because Bcrypt hashes are longer than MD5 hashes.

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 
Signed-off-by: Kyle M Hall 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Kyle M Hall  changed:

   What|Removed |Added

  Attachment #21771 is obsolete|0   |1

--- Comment #91 from Kyle M Hall  ---
Created attachment 21792
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21792&action=edit
bug_9611: removed md5_base64 from imports - not used

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Kyle M Hall 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Kyle M Hall  changed:

   What|Removed |Added

  Attachment #21775 is obsolete|0   |1

--- Comment #93 from Kyle M Hall  ---
Created attachment 21794
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21794&action=edit
bug_9611: use checkpw_hash() instead of md5 hash

Test:

* SIP: Have an old user and create a new user
- use either tenet sip test or
  C4/SIP/interactive_patron_check_password.pl to check old
  userid/password
- do the same for the new user

Signed-off-by: Bernardo Gonzalez Kriegel 
Work as described

Test
1) using perl C4/SIP/interactive_patron_check_password.pl
can check current (short) and new (long) passwords

Signed-off-by: Kyle M Hall 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Kyle M Hall  changed:

   What|Removed |Added

  Attachment #21772 is obsolete|0   |1

--- Comment #92 from Kyle M Hall  ---
Created attachment 21793
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21793&action=edit
bug_9611: use hash_password() and checkpw_* instead of md5 hash

Test:

* LDAP:
- Turn on LDAP auth in koha-config.xml. Set "update" in your server config to
1
- Change user's password on LDAP
- Login to Koha using LDAP - Koha password should be updated, to check
- Turn off LDAP auth in koha-config.xml
- You should be able to log in with the new password

I do not have a LDAP facility, so I cheated. I ran
perl -e 'use C4::Auth_with_ldap;
C4::Auth_with_ldap::_do_changepassword("srdjan", 122259, "srdjan");'
and was able to change the password.

Signed-off-by: Bernardo Gonzalez Kriegel 
Work as described.

Test
1) change  to 1
2) copy/paste sample  config from perldoc C4/Auth_with_ldap
3) using sample script was able to change password,
use (userid, borrowernumber, newpass) as arguments
4) checked with OPAC and in database

Signed-off-by: Kyle M Hall 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Kyle M Hall  changed:

   What|Removed |Added

  Attachment #21770 is obsolete|0   |1

--- Comment #90 from Kyle M Hall  ---
Created attachment 21791
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21791&action=edit
bug_9611: Extracted checkpw_internal() and checkpw_hash() from checkpw()

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Kyle M Hall 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Kyle M Hall  changed:

   What|Removed |Added

  Attachment #21769 is obsolete|0   |1

--- Comment #89 from Kyle M Hall  ---
Created attachment 21790
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21790&action=edit
Bug 9611: Change the password hashing algorithm from MD5 to Bcrypt

What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes
 * For password verification:
   - If the user was created before this patch was applied then use
     MD5 to hash the entered password <-- backwards compatibility
   - If the user was created after this patch was applied then use
     Bcrypt to hash the entered password
 * Any password change made via the staff interface or the OPAC will
   be automatically Bcrypt-hashed; this applies to old users whose
   passwords were stored as MD5 hashes previously

Test plan:
  1) Add new users and check whether their passwords are stored as
     Bcrypt hashes or not.
  2) To test that authentication works for both old as well as new
     users:
     a) Login as an existing user whose password is stored as a
        MD5 hash
     b) Login as an existing user whose password is stored as a
        Bcrypt hash
  3) In the staff interface, change the password of an existing user
     whose password is stored as an MD5 hash
     a) Check the new password is stored as a Bcrypt-hash in the database
     b) Try to login with the new password
  4) In the OPAC, verify that
     a) Old user with old pass can change password, new format
     b) New user with new pass can change password
     c) Old and new user with self-updated pass can login

Whitespace cleanup was contributed by  Bernardo Gonzalez Kriegel.

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 
Signed-off-by: Kyle M Hall 

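
The dual-format verification described in the commit message above, as an added Perl example that is not the Koha patch itself. It assumes the stored format is recognised by shape (a 60-character `$2a$` string for bcrypt, 22 base64 characters for the legacy `md5_base64` value); the function names, cost 8 and sample passwords are constructed for illustration. The last sample row shows what a 30-character column would do to a bcrypt hash.

```perl
#!/usr/bin/perl
# Added example, not Koha code: function names, cost and passwords are assumptions.
use strict;
use warnings;
use Digest::MD5 qw(md5_base64);
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

my $COST = 8;    # assumed work factor for the example

# Read 16 salt octets from the OS CSPRNG (assumes a Unix-like /dev/urandom).
sub random_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $salt = '';
    my $n = read $fh, $salt, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 16;
    return $salt;
}

# Every new or changed password is stored as bcrypt ("$2a$NN$" + salt + hash).
sub new_bcrypt_hash {
    my ($password) = @_;
    my $settings = '$2a$' . sprintf('%02d', $COST) . '$' . en_base64(random_salt());
    return bcrypt($password, $settings);
}

# Decide how a stored value was produced by looking at its shape only.
sub classify_hash {
    my ($stored) = @_;
    return 'none' unless defined $stored && length $stored;
    # 7 chars of prefix + 22 chars of salt + 31 chars of hash = 60
    return 'bcrypt'     if $stored =~ m{\A\$2a?\$\d\d\$[./A-Za-z0-9]{53}\z};
    # md5_base64 output is always 22 characters, unpadded
    return 'md5_base64' if $stored =~ m{\A[A-Za-z0-9+/]{22}\z};
    return 'unknown';    # e.g. a hash cut short by a narrow column
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Returns (ok, scheme). The scheme lets a caller count accounts that are
# still on the legacy format.
sub verify_stored {
    my ($password, $stored) = @_;
    my $scheme = classify_hash($stored);
    my $candidate;
    if ($scheme eq 'bcrypt') {
        # The stored value carries cost and salt; reuse it as the settings string.
        $candidate = bcrypt($password, $stored);
    }
    elsif ($scheme eq 'md5_base64') {
        $candidate = md5_base64($password);
    }
    else {
        return (0, $scheme);    # fail closed on anything unrecognised
    }
    return (ct_eq($candidate, $stored), $scheme);
}

# Constructed sample rows: a legacy account, a new account, and the same
# bcrypt hash as a 30-character column would have stored it.
my $legacy    = md5_base64('old-secret');
my $modern    = new_bcrypt_hash('new-secret');
my $truncated = substr($modern, 0, 30);

my @rows = (
    [ 'legacy md5 user',   'old-secret', $legacy ],
    [ 'new bcrypt user',   'new-secret', $modern ],
    [ 'wrong password',    'guess',      $modern ],
    [ 'truncated to 30',   'new-secret', $truncated ],
);

for my $row (@rows) {
    my ($label, $password, $stored) = @$row;
    my ($ok, $scheme) = verify_stored($password, $stored);
    printf "%-18s scheme=%-10s stored_len=%2d ok=%d\n",
        $label, $scheme, length($stored), $ok;
}
```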


[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Kyle M Hall  changed:

   What|Removed |Added

  Attachment #21768 is obsolete|0   |1

--- Comment #88 from Kyle M Hall  ---
Created attachment 21789
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21789&action=edit
Bug 9611: add Crypt::Eksblowfish::Bcrypt to list of Perl dependencies

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 
Signed-off-by: Kyle M Hall 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #78 from Katrin Fischer  ---
Hm, but I messed up attaching the rebased patch, trying again.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #87 from Katrin Fischer  ---
The conflict was in  bug_9611: use hash_password() and checkpw_* instead of md5
hash at the very beginning. I think it was caused by this very recent change:
http://git.koha-community.org/gitweb/?p=koha.git;a=blobdiff;f=C4/Auth_with_ldap.pm;h=0efeb95dca806015fbcbc9f05e7227a9d93138a3;hp=d7a5e9a3cfe588359e2cee593b939fdd00c8900c;hb=561107bb5b348eaa14054e3470f39ff9cf080d22;hpb=7e3f8e0838584a89f3fbdce8e956880de8556d7a

Hoping it's ok :)



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #86 from Katrin Fischer  ---
Created attachment 21777
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21777&action=edit
Bug 9611 - followup to fix POD

Small patch to make koha-qa happy.
Fixes small POD error

Signed-off-by: Bernardo Gonzalez Kriegel 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #84 from Katrin Fischer  ---
Created attachment 21775
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21775&action=edit
bug_9611: use checkpw_hash() instead of md5 hash

Test:

* SIP: Have an old user and create a new user
- use either tenet sip test or
  C4/SIP/interactive_patron_check_password.pl to check old
  userid/password
- do the same for the new user

Signed-off-by: Bernardo Gonzalez Kriegel 
Work as described

Test
1) using perl C4/SIP/interactive_patron_check_password.pl
can check current (short) and new (long) passwords



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #85 from Katrin Fischer  ---
Created attachment 21776
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21776&action=edit
Bug 9611: Database update, changing password from varchar(30) to varchar(60)

This is necessary because Bcrypt hashes are longer than MD5 hashes.

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #81 from Katrin Fischer  ---
Created attachment 21770
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21770&action=edit
bug_9611: Extracted checkpw_internal() and checkpw_hash() from checkpw()

Signed-off-by: Bernardo Gonzalez Kriegel 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #82 from Katrin Fischer  ---
Created attachment 21771
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21771&action=edit
bug_9611: removed md5_base64 from imports - not used

Signed-off-by: Bernardo Gonzalez Kriegel 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #83 from Katrin Fischer  ---
Created attachment 21772
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21772&action=edit
bug_9611: use hash_password() and checkpw_* instead of md5 hash

Test:

* LDAP:
- Turn on LDAP auth in koha-config.xml. Set "update" in your server config to
1
- Change user's password on LDAP
- Login to Koha using LDAP - Koha password should be updated, to check
- Turn off LDAP auth in koha-config.xml
- You should be able to log in with the new password

I do not have a LDAP facility, so I cheated. I ran
perl -e 'use C4::Auth_with_ldap;
C4::Auth_with_ldap::_do_changepassword("srdjan", 122259, "srdjan");'
and was able to change the password.

Signed-off-by: Bernardo Gonzalez Kriegel 
Work as described.

Test
1) change  to 1
2) copy/paste sample  config from perldoc C4/Auth_with_ldap
3) using sample script was able to change password,
use (userid, borrowernumber, newpass) as arguments
4) checked with OPAC and in database



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #80 from Katrin Fischer  ---
Created attachment 21769
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21769&action=edit
Bug 9611: Change the password hashing algorithm from MD5 to Bcrypt

What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes
 * For password verification:
   - If the user was created before this patch was applied then use
     MD5 to hash the entered password <-- backwards compatibility
   - If the user was created after this patch was applied then use
     Bcrypt to hash the entered password
 * Any password change made via the staff interface or the OPAC will
   be automatically Bcrypt-hashed; this applies to old users whose
   passwords were stored as MD5 hashes previously

Test plan:
  1) Add new users and check whether their passwords are stored as
     Bcrypt hashes or not.
  2) To test that authentication works for both old as well as new
     users:
     a) Login as an existing user whose password is stored as a
        MD5 hash
     b) Login as an existing user whose password is stored as a
        Bcrypt hash
  3) In the staff interface, change the password of an existing user
     whose password is stored as an MD5 hash
     a) Check the new password is stored as a Bcrypt-hash in the database
     b) Try to login with the new password
  4) In the OPAC, verify that
     a) Old user with old pass can change password, new format
     b) New user with new pass can change password
     c) Old and new user with self-updated pass can login

Whitespace cleanup was contributed by  Bernardo Gonzalez Kriegel.

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Katrin Fischer  changed:

   What|Removed |Added

  Attachment #21621 is obsolete|0   |1
  Attachment #21622 is obsolete|0   |1
  Attachment #21623 is obsolete|0   |1
  Attachment #21624 is obsolete|0   |1
  Attachment #21626 is obsolete|0   |1
  Attachment #21627 is obsolete|0   |1
  Attachment #21628 is obsolete|0   |1
  Attachment #21767 is obsolete|0   |1

--- Comment #79 from Katrin Fischer  ---
Created attachment 21768
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21768&action=edit
Bug 9611: add Crypt::Eksblowfish::Bcrypt to list of Perl dependencies

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Katrin Fischer  changed:

   What|Removed |Added

 CC||katrin.fisc...@bsz-bw.de

--- Comment #77 from Katrin Fischer  ---
Hi Kyle, I think I was able to fix the conflict - It was removing C4::Utils
that has gone into master very recently.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Katrin Fischer  changed:

   What|Removed |Added

  Attachment #21625 is obsolete|0   |1

--- Comment #76 from Katrin Fischer  ---
Created attachment 21767
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21767&action=edit
bug_9611: Extracted checkpw_internal() and checkpw_hash() from checkpw()

Signed-off-by: Bernardo Gonzalez Kriegel 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Katrin Fischer  changed:

   What|Removed |Added

 Status|Patch doesn't apply |Signed Off



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-10-03 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Kyle M Hall  changed:

   What|Removed |Added

 Status|Signed Off  |Patch doesn't apply



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #75 from Srdjan Jankovic  ---
That's why I prefer testing instructions in the comments rather than in the
commits. Maybe the best way would be to have a separate attachment.
Anyway, by popular demand:

Test plan:
  1) Add new users and check whether their passwords are stored as Bcrypt
     hashes or not (directly on the database).
  2) To test that authentication works for both old as well as new users:
     a) Login as an existing user whose password is stored as a MD5 hash
     b) Login as an existing user whose password is stored as a Bcrypt hash
  3) In the staff interface, change the password of an existing user
     whose password is stored as an MD5 hash
     a) Check the new password is stored as a Bcrypt-hash in the database
     b) Try to login with the new password
  4) In the OPAC, verify that
     a) Old user with old pass can change password, new format
     b) New user with new pass can change password
     c) Old and new user with self-updated pass can login
  5) SIP: Have an old user and create a new user
     a) use either tenet sip test or C4/SIP/interactive_patron_check_password.pl
        to check old userid/password
     b) do the same for the new user
  6) LDAP:
     - Turn on LDAP auth in koha-config.xml.
     - Set "update" in your server config to 1
     a) Change user's password on LDAP
     b) Login to Koha using LDAP - Koha password should be updated. To check
        turn off LDAP auth in koha-config.xml. You should be able to log in with
        the new password



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel  changed:

   What|Removed |Added

 Status|Needs Signoff   |Signed Off

--- Comment #74 from Bernardo Gonzalez Kriegel  ---
Last comment: for QA sake, perhaps you can summarize in a comment all tests
that need to be done.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #73 from Bernardo Gonzalez Kriegel  ---
Created attachment 21628
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21628&action=edit
Bug 9611 - followup to fix POD

Small patch to make koha-qa happy.
Fixes small POD error

Signed-off-by: Bernardo Gonzalez Kriegel 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel  changed:

   What|Removed |Added

  Attachment #21615 is obsolete|0   |1

--- Comment #72 from Bernardo Gonzalez Kriegel  ---
Created attachment 21627
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21627&action=edit
[SIGNED-OFF] Bug 9611: Database update, changing password from varchar(30) to
varchar(60)

This is necessary because Bcrypt hashes are longer than MD5 hashes.

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel  changed:

   What|Removed |Added

  Attachment #21614|0   |1
is obsolete||

--- Comment #71 from Bernardo Gonzalez Kriegel  ---
Created attachment 21626
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21626&action=edit
[SIGNED-OFF] bug_9611: use checkpw_hash() instead of md5 hash

Test:

* SIP: Have an old user and create a new user
- use either tenet sip test or
  C4/SIP/interactive_patron_check_password.pl to check old
  userid/password
- do the same for the new user

Signed-off-by: Bernardo Gonzalez Kriegel 
Works as described

Test
1) using perl C4/SIP/interactive_patron_check_password.pl
can check current (short) and new (long) passwords



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel  changed:

   What|Removed |Added

  Attachment #20624|0   |1
is obsolete||

--- Comment #70 from Bernardo Gonzalez Kriegel  ---
Created attachment 21625
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21625&action=edit
[SIGNED-OFF] bug_9611: use hash_password() and checkpw_* instead of md5 hash

Test:

* LDAP:
- Turn on LDAP auth in koha-config.xml. Set "update" in your server config to
1
- Change user's password on LDAP
- Login to Koha using LDAP - Koha password should be updated, to check
- Turn off LDAP auth in koha-config.xml
- You should be able to log in with the new password

I do not have a LDAP facility, so I cheated. I ran
perl -e 'use C4::Auth_with_ldap;
C4::Auth_with_ldap::_do_changepassword("srdjan", 122259, "srdjan");'
and was able to change the password.

Signed-off-by: Bernardo Gonzalez Kriegel 
Works as described.

Test
1) change  to 1
2) copy/paste sample  config from perldoc C4/Auth_with_ldap
3) using sample script was able to change password,
use (userid, borrowernumber, newpass) as arguments
4) checked with OPAC and in database



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel  changed:

   What|Removed |Added

  Attachment #20622|0   |1
is obsolete||

--- Comment #69 from Bernardo Gonzalez Kriegel  ---
Created attachment 21624
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21624&action=edit
[SIGNED-OFF] bug_9611: removed md5_base64 from imports - not used

Signed-off-by: Bernardo Gonzalez Kriegel 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel  changed:

   What|Removed |Added

  Attachment #20578|0   |1
is obsolete||

--- Comment #67 from Bernardo Gonzalez Kriegel  ---
Created attachment 21622
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21622&action=edit
[SIGNED-OFF] Bug 9611: Change the password hashing algorithm from MD5 to Bcrypt

What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes
 * For password verification:
   - If the user was created before this patch was applied then use
     MD5 to hash the entered password <-- backwards compatibility
   - If the user was created after this patch was applied then use
     Bcrypt to hash the entered password
 * Any password change made via the staff interface or the OPAC will
   be automatically Bcrypt-hashed; this applies to old users whose
   passwords were stored as MD5 hashes previously

Test plan:
  1) Add new users and check whether their passwords are stored as
     Bcrypt hashes or not.
  2) To test that authentication works for both old as well as new
     users:
     a) Login as an existing user whose password is stored as a
        MD5 hash
     b) Login as an existing user whose password is stored as a
        Bcrypt hash
  3) In the staff interface, change the password of an existing user
     whose password is stored as an MD5 hash
     a) Check the new password is stored as a Bcrypt-hash in the database
     b) Try to login with the new password
  4) In the OPAC, verify that
     a) Old user with old pass can change password, new format
     b) New user with new pass can change password
     c) Old and new user with self-updated pass can login
Whitespace cleanup was contributed by  Bernardo Gonzalez Kriegel.

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel  changed:

   What|Removed |Added

  Attachment #20621|0   |1
is obsolete||

--- Comment #68 from Bernardo Gonzalez Kriegel  ---
Created attachment 21623
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21623&action=edit
[SIGNED-OFF] bug_9611: Extracted checkpw_internal() and checkpw_hash() from
checkpw()

Signed-off-by: Bernardo Gonzalez Kriegel 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel  changed:

   What|Removed |Added

  Attachment #20255|0   |1
is obsolete||

--- Comment #66 from Bernardo Gonzalez Kriegel  ---
Created attachment 21621
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21621&action=edit
[SIGNED-OFF] Bug 9611: add Crypt::Eksblowfish::Bcrypt to list of Perl
dependencies

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #65 from Srdjan Jankovic  ---
 the borrowernumber.
> 
> Well, not so :)
> I need to add  stanza, if not
> 
> perl -e 'use C4::Auth_with_ldap;
> C4::Auth_with_ldap::_do_changepassword("test", 12345, "");'
> No "ldapserver" in server hash from KOHA_CONF:
> /home/bgkriegel/kohadev/etc/koha-conf.xml at
> /home/bgkriegel/kohaclone/C4/Auth_with_ldap.pm line 57,  line 522.
> Compilation failed in require at -e line 1,  line 522.
> BEGIN failed--compilation aborted at -e line 1,  line 522.
> 

Oops, sorry about that, was some time ago, and my memory is perishable
obviously.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #64 from Bernardo Gonzalez Kriegel  ---
(In reply to Srdjan Jankovic from comment #62)
> No, this script goes directly to Auth_with_ldap.pm, the purpose was to
> avoid checking the config and doing the LDAP bit so we can test password
> change only without having to connect to an LDAP server.
> 
> > 
> > So, perhaps I'm just doing something wrong, I don't know.
> 
> No, you are doing the right thing, just please check the borrowernumber.

Well, not so :)
I need to add  stanza, if not

perl -e 'use C4::Auth_with_ldap; C4::Auth_with_ldap::_do_changepassword("test",
12345, "");'
No "ldapserver" in server hash from KOHA_CONF:
/home/bgkriegel/kohadev/etc/koha-conf.xml at
/home/bgkriegel/kohaclone/C4/Auth_with_ldap.pm line 57,  line 522.
Compilation failed in require at -e line 1,  line 522.
BEGIN failed--compilation aborted at -e line 1,  line 522.

But my previous problem was not using the correct borrowernumber, so it's ready.
I'll re-upload all, with a followup to fix a small POD error.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Srdjan Jankovic  changed:

   What|Removed |Added

  Attachment #20254|0   |1
is obsolete||

--- Comment #63 from Srdjan Jankovic  ---
Created attachment 21615
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21615&action=edit
Bug 9611: Database update, changing password from varchar(30) to varchar(60)

This is necessary because Bcrypt hashes are longer than MD5 hashes.

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #62 from Srdjan Jankovic  ---

> If I feed 
> perl -e 'use C4::Auth_with_ldap;
> C4::Auth_with_ldap::_do_changepassword("test", 12345, "test");'
> with current password, it returns nothing, and pass is not updated
> 
> If I put a new password, last argument I suppose, then it returns 
> Password mismatch after update to borrowernumber=12345 at
> /home/bgkriegel/kohaclone/C4/Auth_with_ldap.pm line 274,  line 522.
> and pass is not updated
> 

12345 should be the borrowernumber for the user 'test'. Is that the case?

> I enabled ldap changing to 1 1
> and just copy/paste ldap server conf from perldoc. And did this
> because the oneliner does not run if there is no configuration.

No, this script goes directly to Auth_with_ldap.pm, the purpose was to avoid
checking the config and doing the LDAP bit so we can test password change only
without having to connect to an LDAP server.

> 
> So, perhaps I'm just doing something wrong, I don't know.

No, you are doing the right thing, just please check the borrowernumber.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Srdjan Jankovic  changed:

   What|Removed |Added

 Status|Patch doesn't apply |Needs Signoff



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-29 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Srdjan Jankovic  changed:

   What|Removed |Added

  Attachment #20623|0   |1
is obsolete||

--- Comment #61 from Srdjan Jankovic  ---
Created attachment 21614
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21614&action=edit
bug_9611: use checkpw_hash() instead of md5 hash

Test:

* SIP: Have an old user and create a new user
- use either tenet sip test or
  C4/SIP/interactive_patron_check_password.pl to check old
  userid/password
- do the same for the new user



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-28 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

I'm just a bot  changed:

   What|Removed |Added

 Status|Needs Signoff   |Patch doesn't apply
 CC||git...@bugs.koha-community.
   ||org
   When did the bot||2013-09-29
last check this||

--- Comment #60 from I'm just a bot  ---
Applying: bug_9611: use checkpw_hash() instead of md5 hash
Using index info to reconstruct a base tree...
M	C4/SIP/ILS/Patron.pm
Falling back to patching base and 3-way merge...
Auto-merging C4/SIP/ILS/Patron.pm
CONFLICT (content): Merge conflict in C4/SIP/ILS/Patron.pm
Patch failed at 0001 bug_9611: use checkpw_hash() instead of md5 hash
The copy of the patch that failed is found in:
   /home/christopher/git/koha/.git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-28 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #59 from Bernardo Gonzalez Kriegel  ---
(In reply to Robin Sheat from comment #58)
> (In reply to Bernardo Gonzalez Kriegel from comment #57)
> > This part of the cheat I can't replicate. 
> > Could you explain a little more?
> 
> What happens when you try to replicate it? It seems to me like it should
> work, though I haven't tested it myself. 
> 
> It's just loading the module and calling the password changing function
> directly, as a real LDAP auth process would.

If I feed 
perl -e 'use C4::Auth_with_ldap; C4::Auth_with_ldap::_do_changepassword("test",
12345, "test");'
with current password, it returns nothing, and pass is not updated

If I put a new password, last argument I suppose, then it returns 
Password mismatch after update to borrowernumber=12345 at
/home/bgkriegel/kohaclone/C4/Auth_with_ldap.pm line 274,  line 522.
and pass is not updated

I enabled ldap changing to 1 1
and just copy/paste ldap server conf from perldoc. And did this
because the oneliner does not run if there is no configuration.

So, perhaps I'm just doing something wrong, I don't know.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-28 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #58 from Robin Sheat  ---
(In reply to Bernardo Gonzalez Kriegel from comment #57)
> This part of the cheat I can't replicate. 
> Could you explain a little more?

What happens when you try to replicate it? It seems to me like it should work,
though I haven't tested it myself. 

It's just loading the module and calling the password changing function
directly, as a real LDAP auth process would.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-09-28 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #57 from Bernardo Gonzalez Kriegel  ---
(In reply to Srdjan Jankovic from comment #55)
> I do not have a LDAP facility, so I cheated. I ran
> perl -e 'use C4::Auth_with_ldap;
> C4::Auth_with_ldap::_do_changepassword("srdjan", 122259, "srdjan");'
> and was able to change the password.

This part of the cheat I can't replicate. 
Could you explain a little more?



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-25 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #56 from Srdjan Jankovic  ---
See also http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10781



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-25 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #55 from Srdjan Jankovic  ---
Created attachment 20624
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=20624&action=edit
bug_9611: use hash_password() and checkpw_* instead of md5 hash

Test:

* LDAP:
- Turn on LDAP auth in koha-config.xml. Set "update" in your server config to
1
- Change user's password on LDAP
- Login to Koha using LDAP - Koha password should be updated, to check
- Turn off LDAP auth in koha-config.xml
- You should be able to log in with the new password

I do not have a LDAP facility, so I cheated. I ran
perl -e 'use C4::Auth_with_ldap;
C4::Auth_with_ldap::_do_changepassword("srdjan", 122259, "srdjan");'
and was able to change the password.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-25 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Srdjan Jankovic  changed:

   What|Removed |Added

 Status|ASSIGNED|Needs Signoff



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-25 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #54 from Srdjan Jankovic  ---
Created attachment 20623
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=20623&action=edit
bug_9611: use checkpw_hash() instead of md5 hash

Test:

* SIP: Have an old user and create a new user
- use either tenet sip test or
  C4/SIP/interactive_patron_check_password.pl to check old
  userid/password
- do the same for the new user



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-25 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #53 from Srdjan Jankovic  ---
Created attachment 20622
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=20622&action=edit
bug_9611: removed md5_base64 from imports - not used



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-25 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #52 from Srdjan Jankovic  ---
Created attachment 20621
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=20621&action=edit
bug_9611: Extracted checkpw_internal() and checkpw_hash() from checkpw()



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-22 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Srdjan Jankovic  changed:

   What|Removed |Added

  Attachment #20576|0   |1
is obsolete||
  Attachment #20577|0   |1
is obsolete||

--- Comment #51 from Srdjan Jankovic  ---
Created attachment 20578
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=20578&action=edit
Bug 9611: Change the password hashing algorithm from MD5 to Bcrypt

What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes
 * For password verification:
   - If the user was created before this patch was applied then use
     MD5 to hash the entered password <-- backwards compatibility
   - If the user was created after this patch was applied then use
     Bcrypt to hash the entered password
 * Any password change made via the staff interface or the OPAC will
   be automatically Bcrypt-hashed; this applies to old users whose
   passwords were stored as MD5 hashes previously

Test plan:
  1) Add new users and check whether their passwords are stored as
     Bcrypt hashes or not.
  2) To test that authentication works for both old as well as new
     users:
     a) Login as an existing user whose password is stored as a
        MD5 hash
     b) Login as an existing user whose password is stored as a
        Bcrypt hash
  3) In the staff interface, change the password of an existing user
     whose password is stored as an MD5 hash
     a) Check the new password is stored as a Bcrypt-hash in the database
     b) Try to login with the new password
  4) In the OPAC, verify that
     a) Old user with old pass can change password, new format
     b) New user with new pass can change password
     c) Old and new user with self-updated pass can login

Whitespace cleanup was contributed by  Bernardo Gonzalez Kriegel.

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-22 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Srdjan Jankovic  changed:

   What|Removed |Added

  Attachment #20253|0   |1
is obsolete||

--- Comment #50 from Srdjan Jankovic  ---
Created attachment 20577
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=20577&action=edit
bug 9611: removing external dependency for password salt generator

To address packaging issues with Crypt::Random::Source, this patch
replaces the salt generation with a wrapper for /dev/urandom and
/dev/random.

The test plan for this patch is the same as that for the base patch
for bug 9611.

Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-22 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Srdjan Jankovic  changed:

   What|Removed |Added

  Attachment #20252|0   |1
is obsolete||

--- Comment #49 from Srdjan Jankovic  ---
Created attachment 20576
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=20576&action=edit
Bug 9611: Change the password hashing algorithm from MD5 to Bcrypt

What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes
 * For password verification:
   - If the user was created before this patch was applied then use
     MD5 to hash the entered password <-- backwards compatibility
   - If the user was created after this patch was applied then use
     Bcrypt to hash the entered password
 * Any password change made via the staff interface or the OPAC will
   be automatically Bcrypt-hashed; this applies to old users whose
   passwords were stored as MD5 hashes previously

Test plan:
  1) Add new users and check whether their passwords are stored as
     Bcrypt hashes or not.
  2) To test that authentication works for both old as well as new
     users:
     a) Login as an existing user whose password is stored as a
        MD5 hash
     b) Login as an existing user whose password is stored as a
        Bcrypt hash
  3) In the staff interface, change the password of an existing user
     whose password is stored as an MD5 hash
     a) Check the new password is stored as a Bcrypt-hash in the database
     b) Try to login with the new password
  4) In the OPAC, verify that
     a) Old user with old pass can change password, new format
     b) New user with new pass can change password
     c) Old and new user with self-updated pass can login

Whitespace cleanup was contributed by  Bernardo Gonzalez Kriegel.

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-22 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Srdjan Jankovic  changed:

   What|Removed |Added

 CC||srd...@catalyst.net.nz
   Assignee|gmcha...@gmail.com  |srd...@catalyst.net.nz



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-09 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Galen Charlton  changed:

   What|Removed |Added

 Status|Needs Signoff   |ASSIGNED

--- Comment #47 from Galen Charlton  ---
I've squashed the patch series into a set of four that reduce the flapping
while retaining author attribution, and have signed off on them.

I am not, however, setting this bug to signed off, but to assigned.  This is
because patron records using the new hash would be unable to authenticate using
SIP or ILS-DI.  Note that the following files are using md5_base64 exclusively
when comparing hashes:

C4/SIP/ILS/Patron.pm
C4/ILSDI/Utility.pm

Also, although of less import, C4/Auth_with_ldap.pm isn't using the new hashing
style either when caching the password.

Consequently, follow-ups are needed.  I may poke at this some more this
weekend, but the field is free if anybody else wants to work on it.

I'm inclined to think that it may be time to get started on a Koha::Auth
module, if only for the initial reason of creating a home for a single password
verification routine.

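The mixed MD5/Bcrypt verification scheme from the patch description, and the failure comment #47 describes when a caller compares md5_base64 output only, shown in one place with a single shared verification routine. This is an added example, not code from the Koha patches or from any participant in this thread; the sub names, the cost factor 08, the `$2a$`-only format check and the sample passwords are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not Koha code): one verification routine for a password
# column that holds both legacy MD5 and newer Bcrypt hashes.
# Passwords are assumed to be byte strings.
use strict;
use warnings;
use Digest::MD5 qw(md5_base64);
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

# Read 16 salt bytes from /dev/urandom, the kind of source the salt patch wraps.
sub random_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $salt, 16);
    close $fh;
    die "short read from /dev/urandom\n" unless defined $got && $got == 16;
    return $salt;
}

# Hash a new or changed password. Cost 08 is an assumption for this example.
sub hash_new_password {
    my ($password) = @_;
    return bcrypt($password, '$2a$08$' . en_base64(random_salt()));
}

# The form hash_new_password() produces: "$2a$", two-digit cost, 22 salt
# characters and 31 hash characters, 60 characters in total.
my $BCRYPT_RE = qr{\A\$2a\$\d\d\$[./A-Za-z0-9]{53}\z};

# Compare two strings without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Shared routine: pick the algorithm from the stored value's format.
sub verify_password {
    my ($password, $stored) = @_;
    return 0 unless defined $password && defined $stored && length $stored;
    my $candidate;
    if ($stored =~ $BCRYPT_RE) {
        # The stored hash doubles as the settings string (cost and salt).
        $candidate = bcrypt($password, $stored);
    }
    elsif ($stored =~ m{\A[A-Za-z0-9+/]{22}\z}) {
        $candidate = md5_base64($password);    # legacy row, unsalted MD5
    }
    else {
        return 0;    # unknown format: never match
    }
    return same_string($candidate, $stored);
}

# What an MD5-only caller does: correct for legacy rows, always false for Bcrypt rows.
sub legacy_md5_check {
    my ($password, $stored) = @_;
    return md5_base64($password) eq $stored ? 1 : 0;
}

# A password change always writes Bcrypt, which upgrades legacy rows.
sub change_password {
    my ($store, $user, $old, $new) = @_;
    return 0 unless verify_password($old, $store->{$user});
    $store->{$user} = hash_new_password($new);
    return 1;
}

# Constructed sample rows: one pre-patch patron, one post-patch patron.
my %store = (
    old_patron => md5_base64('old-secret'),
    new_patron => hash_new_password('new-secret'),
);
my %password = (old_patron => 'old-secret', new_patron => 'new-secret');

for my $user (sort keys %store) {
    printf "%-10s len=%2d md5-only=%d shared=%d wrong-password=%d\n",
        $user, length($store{$user}),
        legacy_md5_check($password{$user}, $store{$user}),
        verify_password($password{$user}, $store{$user}),
        verify_password('not-the-password', $store{$user});
}

change_password(\%store, 'old_patron', 'old-secret', 'changed-secret')
    or die "change refused\n";
printf "old_patron after change: len=%d bcrypt=%d login=%d\n",
    length($store{old_patron}),
    ($store{old_patron} =~ $BCRYPT_RE ? 1 : 0),
    verify_password('changed-secret', $store{old_patron});
```

The legacy row is 22 characters and the Bcrypt row is 60, which is the reason the companion patch widens the column from varchar(30) to varchar(60). Any caller that keeps the MD5-only comparison rejects the new patron even with the correct password.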


[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-09 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #48 from Galen Charlton  ---
Also, just to raise the inevitable question: do we care about the portability
issues of using /dev/random and /dev/urandom?



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-09 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #44 from Galen Charlton  ---
Created attachment 20253
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=20253&action=edit
bug 9611: removing external dependency for password salt generator

To address packaging issues with Crypt::Random::Source, this patch
replaces the salt generation with a wrapper for /dev/urandom and
/dev/random.

The test plan for this patch is the same as that for the base patch
for bug 9611.

Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-09 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Galen Charlton  changed:

   What|Removed |Added

  Attachment #15518|0   |1
is obsolete||
  Attachment #15520|0   |1
is obsolete||
  Attachment #15521|0   |1
is obsolete||
  Attachment #15522|0   |1
is obsolete||
  Attachment #17203|0   |1
is obsolete||
  Attachment #17204|0   |1
is obsolete||

--- Comment #43 from Galen Charlton  ---
Created attachment 20252
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=20252&action=edit
Bug 9611: Change the password hashing algorithm from MD5 to Bcrypt

What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes
 * For password verification:
   - If the user was created before this patch was applied then use
     MD5 to hash the entered password <-- backwards compatibility
   - If the user was created after this patch was applied then use
     Bcrypt to hash the entered password
 * Any password change made via the staff interface or the OPAC will
   be automatically Bcrypt-hashed; this applies to old users whose
   passwords were stored as MD5 hashes previously

Test plan:
  1) Add new users and check whether their passwords are stored as
     Bcrypt hashes or not.
  2) To test that authentication works for both old as well as new
     users:
     a) Login as an existing user whose password is stored as a
        MD5 hash
     b) Login as an existing user whose password is stored as a
        Bcrypt hash
  3) In the staff interface, change the password of an existing user
     whose password is stored as an MD5 hash
     a) Check the new password is stored as a Bcrypt-hash in the database
     b) Try to login with the new password
  4) In the OPAC, verify that
     a) Old user with old pass can change password, new format
     b) New user with new pass can change password
     c) Old and new user with self-updated pass can login

Whitespace cleanup was contributed by  Bernardo Gonzalez Kriegel.

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-09 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #46 from Galen Charlton  ---
Created attachment 20255
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=20255&action=edit
Bug 9611: add Crypt::Eksblowfish::Bcrypt to list of Perl dependencies

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-09 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Galen Charlton  changed:

   What|Removed |Added

   Patch complexity|--- |Medium patch



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-08-09 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #45 from Galen Charlton  ---
Created attachment 20254
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=20254&action=edit
Bug 9611: Database update, changing password from varchar(30) to varchar(60)

This is necessary because Bcrypt hashes are longer than MD5 hashes.

Signed-off-by: Bernardo Gonzalez Kriegel 
Signed-off-by: Mason James 
Signed-off-by: Galen Charlton 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-05-28 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Chris Hall  changed:

   What|Removed |Added

 Status|Failed QA   |Needs Signoff



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-04-04 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #42 from Chris Hall  ---
Created attachment 17204
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17204&action=edit
Removing external dependency for password salting

I have written a wrapper around /dev/urandom and /dev/random that will give
back a specified number of bytes for salting purposes, however this can be used
anytime a pseudo-random number is needed within Koha.

/dev/urandom should be sufficient for general password salting, /dev/random is
more suited when higher entropy is needed (if we ever use server salts).

This patch removes the Crypt::Random::Source dependency that was mentioned in
the 'Updating dependencies' patch, it may be useful to squash this patch set
down but I did not do so as I didn't want to remove authorship details.


Testplan:
In current master (before applying this patch) create a new user.

Login to the koha mysql database (sudo koha-mysql instance) and run the
following query:
select userid, password from borrowers where userid='username';

The output should be something like:
patron | vdpWxEZTtVVPhZSAq1NIMw

Apply the patch series on this bug

Change the user's password from within koha (for testing it is fine to change it
to the same password)

Run the above query again and observe the output:
patron   | $2a$08$U93rGVfvcV0YUNhJY.so3OkNL46bGBrIR3ugyskXLIJY5aMD8ENme

Notice that the new password is longer, but also that all passwords generated
by this patch series should begin with '$2a$08$'.

If we change the password again in the interface to the same password and run
our database query again, we should get a different value in the password field
(although it will still have the '$2a$08$' prefix).

Attempt to login as the user using the password you just set.


This patch series fails if any of the following occur:
  you cannot change a password
  you cannot login
  the new passwords (viewing them from within the database) do not start with
"$2a$08$"
  changing the password twice to the same value (say, "testing") results in the
same password value being stored in the database

Otherwise it is a pass.

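One way to build the single password verification routine suggested in comment #47 around the behaviour described in comments #42 and #43, as an added example rather than code from the Koha patches: it dispatches on the shape of the stored value, so callers such as SIP or ILS-DI would not compare md5_base64 output themselves. The function names are hypothetical, and passwords are assumed to arrive as byte strings.

```perl
#!/usr/bin/perl
# Added example, not code from the Koha patch series. Function names are
# hypothetical; passwords are assumed to be byte strings.
use strict;
use warnings;
use Digest::MD5 qw(md5_base64);
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

# Prefix the thread's test plan expects on every new hash (bcrypt, cost 8).
use constant BCRYPT_SETTINGS => '$2a$08$';

# Read $n bytes from /dev/urandom; die instead of falling back to rand().
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $n) {
        my $got = read($fh, $buf, $n - length($buf), length($buf));
        die "short read from /dev/urandom" unless $got;
    }
    close $fh;
    return $buf;
}

# Classify a stored password value by its shape.
sub hash_format {
    my ($stored) = @_;
    return 'none' unless defined $stored && length $stored;
    # "$2a$" + two-digit cost + "$" + 22-char salt + 31-char hash = 60 chars
    return 'bcrypt' if $stored =~ m{\A\$2a\$\d\d\$[./A-Za-z0-9]{53}\z};
    # md5_base64 output: 22 base64 characters, no padding, no salt
    return 'md5' if $stored =~ m{\A[A-Za-z0-9+/]{22}\z};
    return 'unknown';
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Every new or changed password is stored as bcrypt with a fresh 16-byte salt.
sub hash_password {
    my ($password) = @_;
    return bcrypt($password, BCRYPT_SETTINGS . en_base64(random_bytes(16)));
}

# The one place that decides how a stored value is checked.
sub verify_password {
    my ($password, $stored) = @_;
    my $format = hash_format($stored);
    if ($format eq 'bcrypt') {
        # The stored hash doubles as the settings string (cost and salt).
        my $computed = eval { bcrypt($password, $stored) };
        return 0 unless defined $computed;
        return ct_eq($computed, $stored);
    }
    if ($format eq 'md5') {
        return ct_eq(md5_base64($password), $stored);
    }
    return 0;    # empty or unrecognised values never authenticate
}

# --- Walk-through on constructed data, following the thread's test plan ---
my $legacy = md5_base64('testing');    # what a pre-patch record holds
die 'legacy login failed'     unless verify_password('testing', $legacy);
die 'wrong password accepted' if verify_password('Testing', $legacy);

my $first  = hash_password('testing'); # password change
my $second = hash_password('testing'); # changed again to the same value
die 'not bcrypt' unless hash_format($first) eq 'bcrypt';
die 'does not fit varchar(60)' unless length($first) == 60;
die 'missing prefix' unless index($first, BCRYPT_SETTINGS) == 0;
die 'salt reused' if $first eq $second;
die 'bcrypt login failed'
    unless verify_password('testing', $first)
        && verify_password('testing', $second);
die 'wrong password accepted' if verify_password('wrong', $first);
die 'empty value accepted'    if verify_password('testing', '');

printf "%-7s %s\n", hash_format($_), $_ for $legacy, $first, $second;
```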


[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-04-04 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Chris Hall  changed:

   What|Removed |Added

  Attachment #15519|0   |1
is obsolete||

--- Comment #41 from Chris Hall  ---
Created attachment 17203
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17203&action=edit
Database update, changing password from varchar(30) to varchar(60)

Attached is the second patch rebased so that it will apply cleanly against
current master.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-04-04 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Chris Hall  changed:

   What|Removed |Added

 CC||chr...@catalyst.net.nz

--- Comment #40 from Chris Hall  ---
Hey Mason

http://deps.cpantesters.org/?module=Bytes::Random::Secure

Correct me if I am wrong, but a quick glance suggests we would have to package
Bytes::Random::Secure, Scalar::Util, Crypt::Random::Seed, Crypt::Random::TESHA2
and maybe some of their dependencies.

The closest thing I could find that was also in squeeze was
Crypt::OpenSSL::Random, but as this requires a decent seed (so that we get
unique values),
I was going to use /dev/urandom for the seed value, however this also suffices
for use as a salt so I just cut out the middleman.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-04-02 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #39 from Mason James  ---
(In reply to comment #37)
> (In reply to comment #35)
> > (In reply to comment #34)
> > > Ahh in that case I suspect we want a better random generator.
> > 
> > I think so.
> 
> hmm, how about Crypt::Random::TESHA2? 
> it's a minimal and portable module 

hmmm, Bytes::Random::Secure looks even better...

"Prior to version 0.20, a heavy dependency chain was required for reliably and
securely seeding the ISAAC generator. Earlier versions required
Crypt::Random::Source, which in turn required Any::Moose. 

Thanks to Dana Jacobsen's new Crypt::Random::Seed module, this situation has
been resolved. So if you're looking for a secure random bytes solution that
"just works" portably, and on Perl versions as far back as 5.6.0, you've come
to the right place."

http://search.cpan.org/~davido/Bytes-Random-Secure-0.25/lib/Bytes/Random/Secure.pm



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-04-02 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #38 from Robin Sheat  ---
> This module implements userspace voodoo entropy. You should use a proper O/S 
> supplied entropy source such as /dev/random or the Win32 Crypt API.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-04-02 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #37 from Mason James  ---
(In reply to comment #35)
> (In reply to comment #34)
> > Ahh in that case I suspect we want a better random generator.
> 
> I think so.

hmm, how about Crypt::Random::TESHA2? 

it's a minimal and portable module 
http://search.cpan.org/~danaj/Crypt-Random-TESHA2-0.01/lib/Crypt/Random/TESHA2.pm



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-24 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #36 from Robin Sheat  ---
A very perfunctory search didn't find anything suitable as a replacement. Are
the problematic circumstances the sort of thing that we're likely to encounter?
If so, then we'll have to find something else of course. However, there won't
be too many that are very pluggable like this is. I suppose we could be OK
using a pseudo-random source for salts if push came to shove.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-24 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Jared Camins-Esakov  changed:

   What|Removed |Added

 Status|Passed QA   |Failed QA

--- Comment #35 from Jared Camins-Esakov  ---
(In reply to comment #34)
> Ahh in that case I suspect we want a better random generator.

I think so.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-21 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #34 from Chris Cormack  ---
Ahh in that case I suspect we want a better random generator.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-20 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #33 from Jared Camins-Esakov  ---
(In reply to comment #32)
> Where did you see Any::Moose? In one of the cpan modules ?

It's required by Crypt::Random::Source.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-20 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #32 from Chris Cormack  ---
Where did you see Any::Moose? In one of the cpan modules ?



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-20 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #31 from Jared Camins-Esakov  ---
I have a question about the use of Any::Moose. I know in some circumstances
there can be a conflict between Any::Moose and direct Moose/Mouse loads. Is
that a concern here between this and the Solr code?



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #30 from Mason James  ---
(In reply to comment #29)
> passing-QA on these 5 patches...

ps: sorry about the multiple attempts to upload my signed-off patches, 

i just worked out how to git-bz-attach a range of commits



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Mason James  changed:

   What|Removed |Added

 Status|Signed Off  |Passed QA
 CC||m...@kohaaloha.com

--- Comment #29 from Mason James  ---
passing-QA on these 5 patches...

i've tested these, and they work as stated. 

awesome patch Srikanth, well done everyone



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #27 from Mason James  ---
Created attachment 15521
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15521&action=edit
Bug 9611 - Changing the OPAC password hashing algorithm from MD5 to Bcrypt

Signed-off-by: Bernardo Gonzalez Kriegel 

Comment: Work as described. No errors

Test:
1) Old user with old pass can change password, new format
2) New user with new pass can change password
3) Old and new user with self-updated pass can login
Signed-off-by: Mason James 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #26 from Mason James  ---
Created attachment 15520
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15520&action=edit
Bug 9611 : Updating dependencies

Signed-off-by: Bernardo Gonzalez Kriegel 

No comment.
Signed-off-by: Mason James 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #28 from Mason James  ---
Created attachment 15522
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15522&action=edit
Followup Bug 9611 - Changing the password hashing algorithm

Fixes tabulations

Signed-off-by: Mason James 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #25 from Mason James  ---
Created attachment 15519
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15519&action=edit
Bug 9611 : Database update, changing password from varchar(30) to varchar(60)

Signed-off-by: Bernardo Gonzalez Kriegel 

Comment: Fixed small merging conflict.
Signed-off-by: Mason James 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Mason James  changed:

   What|Removed |Added

  Attachment #15517|0   |1
is obsolete||

--- Comment #24 from Mason James  ---
Created attachment 15518
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15518&action=edit
Bug 9611 - Changing the hashing algorithm from MD5 to Bcrypt

What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes

 * For password verification:

 - If the user was created before this patch was applied then use MD5 to
hash the entered password <-- backwards compatibility

 - If the user was created after this patch was applied then use Bcrypt to
hash the entered password

 * Any password change will be automatically Bcrypt-hashed, this applies to old
members whose passwords were stored as MD5 hashes previously

Test plan:

  1) Add new users and check whether their passwords are stored as Bcrypt
hashes or not

  2) To test that authentication works for both old as well as new members

   a) Login as an existing user whose password is stored as a MD5 hash

   b) Login as an existing user whose password is stored as a Bcrypt hash

  3) Change the password of an existing member whose password is stored as an
MD5 hash

a) Check the new password is stored as a Bcrypt-hash in the database

b) Try to login with the new password

Signed-off-by: Bernardo Gonzalez Kriegel 

Comment: Work as described. Small tabulation errors fixed in followup.

Test with patches 1-3 applied, run updatedatabase
1) Old user can login
2) New user can login
3) User with updated password can login
4) Inspection of DB shows different passwords length
Signed-off-by: Mason James 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Mason James  changed:

   What|Removed |Added

  Attachment #15507|0   |1
is obsolete||
  Attachment #15508|0   |1
is obsolete||
  Attachment #15510|0   |1
is obsolete||
  Attachment #15514|0   |1
is obsolete||
  Attachment #15515|0   |1
is obsolete||
  Attachment #15516|0   |1
is obsolete||

--- Comment #23 from Mason James  ---
Created attachment 15517
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15517&action=edit
Bug 9611 - Changing the hashing algorithm from MD5 to Bcrypt

What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes

 * For password verification:

 - If the user was created before this patch was applied then use MD5 to
hash the entered password <-- backwards compatibility

 - If the user was created after this patch was applied then use Bcrypt to
hash the entered password

 * Any password change will be automatically Bcrypt-hashed, this applies to old
members whose passwords were stored as MD5 hashes previously

Test plan:

  1) Add new users and check whether their passwords are stored as Bcrypt
hashes or not

  2) To test that authentication works for both old as well as new members

   a) Login as an existing user whose password is stored as a MD5 hash

   b) Login as an existing user whose password is stored as a Bcrypt hash

  3) Change the password of an existing member whose password is stored as an
MD5 hash

a) Check the new password is stored as a Bcrypt-hash in the database

b) Try to login with the new password

Signed-off-by: Bernardo Gonzalez Kriegel 

Comment: Work as described. Small tabulation errors fixed in followup.

Test with patches 1-3 applied, run updatedatabase
1) Old user can login
2) New user can login
3) User with updated password can login
4) Inspection of DB shows different passwords length
Signed-off-by: Mason James 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #22 from Mason James  ---
Created attachment 15516
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15516&action=edit
Followup Bug 9611 - Changing the password hashing algorithm

Fixes tabulations

Signed-off-by: Mason James 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Mason James  changed:

   What|Removed |Added

  Attachment #15509|0   |1
is obsolete||

--- Comment #21 from Mason James  ---
Created attachment 15515
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15515&action=edit
Bug 9611 : Updating dependencies

Signed-off-by: Bernardo Gonzalez Kriegel 

No comment.
Signed-off-by: Mason James 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Mason James  changed:

   What|Removed |Added

  Attachment #15506|0   |1
is obsolete||

--- Comment #20 from Mason James  ---
Created attachment 15514
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15514&action=edit
Bug 9611 - Changing the hashing algorithm from MD5 to Bcrypt

What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes

 * For password verification:

 - If the user was created before this patch was applied then use MD5 to
hash the entered password <-- backwards compatibility

 - If the user was created after this patch was applied then use Bcrypt to
hash the entered password

 * Any password change will be automatically Bcrypt-hashed, this applies to old
members whose passwords were stored as MD5 hashes previously

Test plan:

  1) Add new users and check whether their passwords are stored as Bcrypt
hashes or not

  2) To test that authentication works for both old as well as new members

   a) Login as an existing user whose password is stored as a MD5 hash

   b) Login as an existing user whose password is stored as a Bcrypt hash

  3) Change the password of an existing member whose password is stored as an
MD5 hash

a) Check the new password is stored as a Bcrypt-hash in the database

b) Try to login with the new password

Signed-off-by: Bernardo Gonzalez Kriegel 

Comment: Work as described. Small tabulation errors fixed in followup.

Test with patches 1-3 applied, run updatedatabase
1) Old user can login
2) New user can login
3) User with updated password can login
4) Inspection of DB shows different passwords length
Signed-off-by: Mason James 



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel changed:

   What   |Removed       |Added

   Status |Needs Signoff |Signed Off



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #19 from Bernardo Gonzalez Kriegel ---
Created attachment 15510
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15510&action=edit
Followup Bug 9611 - Changing the password hashing algorithm

Fixes tabulations



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel changed:

   What                          |Removed |Added

   Attachment #15505 is obsolete |0       |1

--- Comment #18 from Bernardo Gonzalez Kriegel ---
Created attachment 15509
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15509&action=edit
[SIGNED-OFF] Bug 9611 - Changing the OPAC password hashing algorithm from MD5
to Bcrypt

Signed-off-by: Bernardo Gonzalez Kriegel 

Comment: Works as described. No errors

Test:
1) Old user with old pass can change password, new format
2) New user with new pass can change password
3) Old and new user with self-updated pass can login



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel changed:

   What                          |Removed |Added

   Attachment #15429 is obsolete |0       |1

--- Comment #17 from Bernardo Gonzalez Kriegel ---
Created attachment 15508
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15508&action=edit
[SIGNED-OFF] Bug 9611 : Updating dependencies

Signed-off-by: Bernardo Gonzalez Kriegel 

No comment.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel changed:

   What                          |Removed |Added

   Attachment #15427 is obsolete |0       |1

--- Comment #16 from Bernardo Gonzalez Kriegel ---
Created attachment 15507
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15507&action=edit
[SIGNED-OFF] Bug 9611 : Database update, changing password from varchar(30) to
varchar(60)

Signed-off-by: Bernardo Gonzalez Kriegel 

Comment: Fixed small merging conflict.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Bernardo Gonzalez Kriegel changed:

   What                          |Removed |Added

   Attachment #15311 is obsolete |0       |1

--- Comment #15 from Bernardo Gonzalez Kriegel ---
Created attachment 15506
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15506&action=edit
[SIGNED-OFF] Bug 9611 - Changing the hashing algorithm from MD5 to Bcrypt

What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes

 * For password verification:

     - If the user was created before this patch was applied then use MD5 to
       hash the entered password <-- backwards compatibility

     - If the user was created after this patch was applied then use Bcrypt to
       hash the entered password

 * Any password change will be automatically Bcrypt-hashed, this applies to old
   members whose passwords were stored as MD5 hashes previously

Test plan:

  1) Add new users and check whether their passwords are stored as Bcrypt
     hashes or not

  2) To test that authentication works for both old as well as new members

     a) Login as an existing user whose password is stored as an MD5 hash

     b) Login as an existing user whose password is stored as a Bcrypt hash

  3) Change the password of an existing member whose password is stored as an
     MD5 hash

     a) Check the new password is stored as a Bcrypt-hash in the database

     b) Try to login with the new password

Signed-off-by: Bernardo Gonzalez Kriegel

Comment: Works as described. Small tabulation errors fixed in followup.

Test with patches 1-3 applied, run updatedatabase
1) Old user can login
2) New user can login
3) User with updated password can login
4) Inspection of DB shows different password lengths

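The verification scheme described in the commit message above, as an added Perl sketch that is not the patch attached to this bug: legacy rows are checked with MD5, rows already in bcrypt format are checked with bcrypt, and any password change writes a bcrypt string. It assumes legacy rows hold an unsalted base64 MD5 digest and that the two formats are told apart by the shape of the stored string; the function names, the cost value, the use of /dev/urandom and the sample passwords are hypothetical.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_base64);
use Encode qw(encode);
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

my $COST = '10';    # assumption: illustrative work factor, tune it per hardware
# Both digests need octets; wide characters make them croak.
sub octets { my ($p) = @_; return utf8::is_utf8($p) ? encode( 'UTF-8', $p ) : $p }

sub salt16 {        # assumption: a Unix host that provides /dev/urandom
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read( $fh, my $salt, 16 ) == 16 or die 'short read';
    return $salt;
}

# Every new or changed password is stored as a 60-character bcrypt string.
sub hash_password {
    my ($password) = @_;
    return bcrypt( octets($password), '$2a$' . $COST . '$' . en_base64( salt16() ) );
}

sub same {          # comparison without an early exit on the first differing byte
    my ( $x, $y ) = @_;
    return 0 if length $x != length $y;
    my $d = 0;
    $d |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 ) for 0 .. length($x) - 1;
    return $d == 0 ? 1 : 0;
}

# Returns the scheme that matched ('bcrypt' or 'md5'), or undef on failure.
sub check_password {
    my ( $password, $stored ) = @_;
    return unless defined $stored;
    if ( $stored =~ m{\A\$2a?\$\d\d\$[./A-Za-z0-9]{53}\z} ) {
        # The stored string carries version, cost and salt, so it doubles as settings.
        return same( bcrypt( octets($password), $stored ), $stored ) ? 'bcrypt' : undef;
    }
    return same( md5_base64( octets($password) ), $stored ) ? 'md5' : undef;
}

# Constructed sample rows: one legacy account, one created after the change.
my %pw = ( old => 'legacy-pass', new => 'fresh-pass' );
my %db = ( old => md5_base64( $pw{old} ), new => hash_password( $pw{new} ) );
printf "%s: %d chars, verified via %s\n", $_, length $db{$_},
    check_password( $pw{$_}, $db{$_} ) // 'FAIL' for sort keys %db;
$db{old} = hash_password('changed-pass');    # a password change upgrades the row
print 'after change: ', check_password( 'changed-pass', $db{old} ), "\n";
print 'old password: ', check_password( 'legacy-pass', $db{old} ) // 'rejected', "\n";
```

The 22-character legacy digest fits the old varchar(30) column, while the 60-character bcrypt string needs the varchar(60) column introduced by the database update patch in this thread.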


[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-18 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #14 from Srikanth Dhondi ---
Created attachment 15505
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15505&action=edit
Bug 9611 - Changing the OPAC password hashing algorithm from MD5 to Bcrypt



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-16 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #13 from Bernardo Gonzalez Kriegel ---
Good job!

1) All current (3) patches applied, run updatedatabase
2) Old user with old password can login
3) Old user with updated password can login
4) New user with new password can login

Login tested on OPAC and STAFF.
All works, no errors.

Pending OPAC password change.



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-16 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Chris Cormack changed:

   What   |Removed   |Added

   Status |Failed QA |Needs Signoff

--- Comment #12 from Chris Cormack ---
Patch to change OPAC to follow, the others can be tested though



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-16 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Chris Cormack changed:

   What                          |Removed |Added

   Attachment #15428 is obsolete |0       |1

--- Comment #11 from Chris Cormack ---
Created attachment 15429
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15429&action=edit
Bug 9611 : Updating dependencies



[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

2013-02-16 Thread bugzilla-daemon
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #10 from Chris Cormack ---
Created attachment 15428
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15428&action=edit
Bug 9611 : Updating dependencies


