On Wed, Jan 28, 2009 at 5:57 AM, Robert Jones <rjo...@openlinksw.com> wrote:
> Leo Soto M. wrote:
>>
>> On Tue, Jan 27, 2009 at 5:25 PM, Leo Soto M. <leo.s...@gmail.com> wrote:
>>
>> [...]
>>
>>> By poking at the ODS code, looks like the correct function is:
>>>
>>> password_hash = SHA1(concat(user_name, pwd_magic_calc(username,
>>> password, 1)))
>>>
>>> But then, what is the definition of pwd_magic_calc? (assuming that the
>>> function shown above is correct).

[...]

>
> Leo,
>
> The second argument should be the encrypted version of the password, hence
> as a further example you can do the following:
>
> select u_name, pwd_magic_calc(u_name, u_password) from sys_users;
>
> which decodes the passwords stored in the sys_users table. This you could
> combine with your example above to test whether someone has supplied the
> correct password.

Good, I understand.

So, now I'm fairly confident that the hash function the client should
use is (written in a general, pseudo-codish way):

password_hash = hex_string(sha1(concat(user_name, password)))

[Where user_name and password are in clear text -- they are the
user-supplied credentials in the user interface]

But it would be good to have confirmation of it on the
documentation[1] itself, which refers many times to the password_hash
but omits the explanation on how to calculate its value.

Regards,

[1] http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtuosoOdsControllers
--
Leo Soto M.
http://blog.leosoto.com