Dokuwiki: Authpdo can't login with SHA512 hash

Created on 13 Dec 2018  路  7Comments  路  Source: splitbrain/dokuwiki

I try to login with authpdo and sha512, but as a result I see wrong username or password. Passwords in database stored as sha512 hash (starts with $6$round-3000$salt$ ). If I manually change password hash to smd5 ($1$....) in database and change config as

$conf[' authtype'] = 'authpdo'; 
$conf['passcrypt']   = 'smd5';  

I am able to login.
DokuWiki 2018-04-22a "Greebo"
PHP Version 5.6.38

Most helpful comment

To clarify: the $conf['passcrypt'] option is irrelevant when checking passwords. It is only used when generating new passwords. When checking, the hash from the auth backend is used to determine the method it was created with. This method is then used to create the comparison hash.

Out testsuite has an example of how we expect a sha512 hash to look like: https://github.com/splitbrain/dokuwiki/blob/cbaf278c50e5baf946b3bd606c369735fe0953be/_test/tests/inc/auth_password.test.php#L32

Can you give an example of a hash of a known password in your database?

All 7 comments

This is intended. Password is compared to the database after hash is computed at DokuWiki first, regardless of what is stored in your database. How password is hashed depends on $conf['passcrypt'] and inc/PassHash.class.php; it's not currently using PHP's hash format ($6$round-3000$salt$ vs $6$salt$).

https://github.com/splitbrain/dokuwiki/blob/cbaf278c50e5baf946b3bd606c369735fe0953be/inc/PassHash.class.php#L547-L564

TL;DR Your sha512 hash format is not compatible with DokuWiki's.

To clarify: the $conf['passcrypt'] option is irrelevant when checking passwords. It is only used when generating new passwords. When checking, the hash from the auth backend is used to determine the method it was created with. This method is then used to create the comparison hash.

Out testsuite has an example of how we expect a sha512 hash to look like: https://github.com/splitbrain/dokuwiki/blob/cbaf278c50e5baf946b3bd606c369735fe0953be/_test/tests/inc/auth_password.test.php#L32

Can you give an example of a hash of a known password in your database?

Password: Qwerty123
Hash: $6$rounds=3000$9in6UciYPFG6ydsJ$YBjypQ7XoRqvJoX1a2.spSysSVHcdreVXi1Xh5SyOxo2yNSxDjlUCun2YXrwk9.YP6vmRvCWrhp0fbPgSOT7..

Yeah okay. The rounds parameter in there is not supported by DokuWiki. What kind of system is creating those hashes?

Phpipam v.1.3.2 creates such hashes.

Is it possible to add rounds parameter support?

pr welcome

Was this page helpful?
0 / 5 - 0 ratings

Related issues

benbrunner picture benbrunner  路  6Comments

michitux picture michitux  路  5Comments

chang-zhao picture chang-zhao  路  4Comments

Michaelsy picture Michaelsy  路  4Comments

splitbrain picture splitbrain  路  4Comments