Mysql password authentication sha-256


sborne

May 30, 2017, 3:52:21 PM
to CAS Community
Hello,

We have working password auth with MD5 and a MySQL backend and are now trying to use SHA-256 to match our password schema, but we cannot seem to get it cut over.

Our setup is on CAS 5.0.5.

This works:
cas.authn.jdbc.query[0].healthQuery=SELECT 1 
cas.authn.jdbc.query[0].sql=SELECT password FROM users WHERE username=?
cas.authn.jdbc.query[0].url=jdbc:mysql://127.0.0.1:3306/castest
cas.authn.jdbc.query[0].leakThreshold=10
cas.authn.jdbc.query[0].batchSize=1
cas.authn.jdbc.query[0].user=root
cas.authn.jdbc.query[0].maxAgeDays=180
cas.authn.jdbc.query[0].password=Password
cas.authn.jdbc.query[0].autocommit=false
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.jdbc.query[0].idleTimeout=5000
cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5 

When I change the auth setup to use SHA-256 (cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=SHA-256) I get:

2017-05-30 17:41:27,473 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler@4e0c5518, org.apereo.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler@597bf18e, org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@394b66d0, org.apereo.cas.support.openid.authentication.handler.support.OpenIdCredentialsAuthenticationHandler@6c696197]>
2017-05-30 17:41:27,484 WARN [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Using UTF-8 as the character encoding algorithm to update the digest>
2017-05-30 17:41:27,854 DEBUG [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Encoded password via algorithm SHA-256 and character-encoding UTF-8 is 5110c4d7158296352949f281d560d0a867351dbc6762a5826c6dc37a970e332d>
2017-05-30 17:41:27,891 WARN [com.zaxxer.hikari.HikariConfig] - <HikariPool-1 - idleTimeout is less than 10000ms, setting to default 600000ms.>
2017-05-30 17:41:27,902 WARN [com.zaxxer.hikari.HikariConfig] - <HikariPool-1 - leakDetectionThreshold is less than 2000ms or more than maxLifetime, disabling it.>
2017-05-30 17:41:30,947 WARN [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Using UTF-8 as the character encoding algorithm to update the digest>
2017-05-30 17:41:30,948 DEBUG [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Encoded password via algorithm SHA-256 and character-encoding UTF-8 is 5110c4d7158296352949f281d560d0a867351dbc6762a5826c6dc37a970e332d>
2017-05-30 17:41:30,949 DEBUG [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Provided password does not match the encoded password>
2017-05-30 17:41:30,951 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <QueryDatabaseAuthenticationHandler failed authenticating shatest>
2017-05-30 17:41:30,958 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <QueryDatabaseAuthenticationHandler exception details: Password does not match value on record.>
2017-05-30 17:41:30,964 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [shatest] of type [UsernamePasswordCredential], which suggests a configuration problem.>

That is the correct SHA-256 hash from the DB, which is showing in the logs:

5110c4d7158296352949f281d560d0a867351dbc6762a5826c6dc37a970e332d

I have also tried, with and without salt (we are not using a static salt, and iterations = 0), the conf below, but end up with the same error as above.

# CAS Authentication
#
#cas.authn.jdbc.encode[0].numberOfIterations=0
# cas.authn.jdbc.encode[0].numberOfIterationsFieldName=hash_iteration
cas.authn.jdbc.encode[0].saltFieldName=salt
cas.authn.jdbc.encode[0].staticSalt=
cas.authn.jdbc.encode[0].sql=select * from users where username=?
cas.authn.jdbc.encode[0].algorithmName=SHA-256
cas.authn.jdbc.encode[0].passwordFieldName=password
cas.authn.jdbc.encode[0].healthQuery=SELECT 1
cas.authn.jdbc.encode[0].isolateInternalQueries=false
cas.authn.jdbc.encode[0].url=jdbc:mysql://127.0.0.1:3306/castest
cas.authn.jdbc.encode[0].failFast=true
cas.authn.jdbc.encode[0].isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.jdbc.encode[0].leakThreshold=10
cas.authn.jdbc.encode[0].propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.jdbc.encode[0].batchSize=1
cas.authn.jdbc.encode[0].user=root
cas.authn.jdbc.encode[0].ddlAuto=update
cas.authn.jdbc.encode[0].maxAgeDays=180
cas.authn.jdbc.encode[0].password=PW
cas.authn.jdbc.encode[0].autocommit=false
cas.authn.jdbc.encode[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.jdbc.encode[0].idleTimeout=5000

cas.authn.jdbc.encode[0].passwordEncoder.type=DEFAULT
cas.authn.jdbc.encode[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.jdbc.encode[0].passwordEncoder.encodingAlgorithm=SHA-256

I've been Googling this for days now, to no avail.

Any help/hints would be greatly appreciated.

Thanks for looking.


Mr. K

Jun 1, 2017, 6:19:06 AM
to CAS Community
Hi,

This is what works for us:

cas.authn.jdbc.query[0].sql=SELECT u.password AS password FROM cas.user AS u WHERE u.username=?
cas.authn.jdbc.query[0].healthQuery=SELECT 1
cas.authn.jdbc.query[0].isolateInternalQueries=false
cas.authn.jdbc.query[0].url=jdbc:mysql://localhost:3306/cas?useSSL=false
cas.authn.jdbc.query[0].failFast=true
cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.jdbc.query[0].leakThreshold=10
cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.jdbc.query[0].batchSize=1
cas.authn.jdbc.query[0].user=root
# cas.authn.jdbc.query[0].ddlAuto=create-drop
cas.authn.jdbc.query[0].maxAgeDays=180
cas.authn.jdbc.query[0].password=root
cas.authn.jdbc.query[0].autocommit=false
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.jdbc.query[0].idleTimeout=5000
# cas.authn.jdbc.query[0].credentialCriteria=

cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=SHA-256
cas.authn.jdbc.query[0].passwordEncoder.secret=
cas.authn.jdbc.query[0].passwordEncoder.strength=16

Hope that helps.

sborne

Jun 2, 2017, 11:19:46 AM
to CAS Community
Thanks for the input. We are seeing that work on our side also. The next piece of the puzzle is to get SHA-256 with a salt pulled from a DB column.

Currently, these additions are not working:

cas.authn.jdbc.encode[0].numberOfIterations=0
cas.authn.jdbc.encode[0].numberOfIterationsFieldName=hash_iteration
cas.authn.jdbc.encode[0].saltFieldName=salt
cas.authn.jdbc.encode[0].staticSalt=

Cheers.
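Before switching handler configuration back and forth, it helps to establish which scheme actually produced the digests in the users table. The script below is an added diagnostic written for this thread; it is not code from CAS or from either poster. The one behaviour it takes from the thread is what the DEBUG log line confirms: the query handler with the DEFAULT encoder hex-encodes a single SHA-256 pass over the UTF-8 bytes of the password, with no salt. The two salted layouts it also tries (salt||password and password||salt, with optional re-hashing of the raw digest per iteration), the column names password, salt and hash_iteration (taken from the encode config above), the sample rows and all function names are assumptions for illustration; they are not a description of how CAS's encode handler combines salt, static salt and iterations. Run it against a copy of one row and that user's known-good password to see which candidate, if any, reproduces the stored value.

```python
import hashlib
import hmac


def default_encoder_digest(password: str, algorithm: str = "sha256", encoding: str = "utf-8") -> str:
    """What the CAS log line shows for the DEFAULT encoder: one unsalted pass over the
    password bytes in the configured character encoding, returned as lowercase hex."""
    return hashlib.new(algorithm, password.encode(encoding)).hexdigest()


def salted_digest(password: str, salt: str, iterations: int, order: str = "salt+pw",
                  algorithm: str = "sha256") -> str:
    """Assumed salted layout (not confirmed CAS behaviour): concatenate salt and password in
    the given order, hash once, then re-hash the raw digest (iterations - 1) more times.
    An iteration count below 1, such as the 0 used in the thread, is treated as a single pass."""
    pw = password.encode("utf-8")
    s = salt.encode("utf-8")
    data = s + pw if order == "salt+pw" else pw + s
    h = hashlib.new(algorithm, data).digest()
    for _ in range(max(int(iterations), 1) - 1):
        h = hashlib.new(algorithm, h).digest()
    return h.hex()


# Candidate schemes to try, in order: name -> fn(password, salt, iterations) -> hex digest.
SCHEMES = {
    "unsalted (query handler, DEFAULT encoder)": lambda p, s, i: default_encoder_digest(p),
    "salt+password, iterated": lambda p, s, i: salted_digest(p, s, i, "salt+pw"),
    "password+salt, iterated": lambda p, s, i: salted_digest(p, s, i, "pw+salt"),
}


def identify_scheme(stored_hex: str, password: str, salt: str, iterations: int):
    """Return the name of the first scheme that reproduces stored_hex, or None.
    Comparison is constant-time so the check itself does not leak timing information."""
    for name, fn in SCHEMES.items():
        candidate = fn(password, salt, iterations).lower()
        if hmac.compare_digest(candidate, stored_hex.strip().lower()):
            return name
    return None


def make_row(username: str, password: str, salt: str, iterations: int, scheme: str) -> dict:
    """Constructed sample row, stored the way an application using `scheme` would store it.
    Column names follow the encode[0] config in the thread (password, salt, hash_iteration)."""
    return {
        "username": username,
        "password": SCHEMES[scheme](password, salt, iterations),
        "salt": salt,
        "hash_iteration": iterations,
    }


def diagnose(row: dict, password: str):
    """Run identify_scheme over one users row and a known-good password."""
    return identify_scheme(row["password"], password, row["salt"], row["hash_iteration"])


if __name__ == "__main__":
    # Constructed rows, not data from the thread; the password values are made up.
    rows = [
        make_row("shatest", "correct horse", "n4cl", 0, "salt+password, iterated"),
        make_row("md5user", "legacy", "", 0, "unsalted (query handler, DEFAULT encoder)"),
    ]
    for row in rows:
        print(row["username"], "->", diagnose(row, "correct horse" if row["username"] == "shatest" else "legacy"))
```

If no candidate matches, the usual culprits are a stored digest in a different case or with whitespace, a character encoding other than UTF-8 at write time, a static salt that was applied when the row was written, or an iteration count that the writer interpreted differently from the reader; add the layout you suspect to SCHEMES rather than guessing in the CAS properties file.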