What Linux distro are you running?
Mageia 3 (fork of former Mandriva, RHEL derivative), the OS is as
up-to-date as our Trac installation...
What does the following yield on your system?
>>> from passlib.apps import custom_app_context as passlib_ctxt
>>> passlib_ctxt.policy.schemes()
['sha512_crypt', 'sha256_crypt']
Seems to be a dead-end because passlib was not installed when we initially moved to AccountManager to handle the server authentication.
Anyway, I have installed passlib-1.7.1 and I got what we could expect:
$ python
Python 2.7.6 (default, Mar 18 2014, 22:18:46)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from passlib.apps import custom_app_context as passlib_ctxt
>>> passlib_ctxt.policy.schemes()
['sha512_crypt', 'sha256_crypt']
This class will use the first available of two possible backends:
stdlib crypt(), if the host OS supports SHA256-Crypt (most Linux systems).
a pure python implementation of SHA256-Crypt built into Passlib
For my part, I was able to reset my user password from the administration interface without problem.
Also I realized that the login module crashes in all cases (void, wrong or temporary password from email) except of course the good one from the hash passwords file.
Nicolas
There are multiple problems with password reset. AccountManager hasn't been fully adapted to account for username caching in Trac 1.0.2+.
- Ryan
On Tuesday, September 5, 2017 at 1:29:38 PM UTC-7, Nicolas MARTIN wrote:
We needed to be sure that the hashing algorithms are available on your system:
$ python
Python 2.7.6 (default, Mar 18 2014, 22:18:46)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from passlib.hash import sha256_crypt
>>> hash = sha256_crypt.hash("password")
>>> hash
'$5$rounds=535000$9a9Y6OmJzEwN0hcM$VmN.XKy2IezFueRtMYxuDx8FLizvzVLlcpCXzoOFjM9'
>>> sha256_crypt.using(rounds=12345).hash("password")
'$5$rounds=12345$3GW9pFS/06AYchFb$nDYB5uiDrsiD7XHxbeUVpHHGvm.SUrPMPVIVYBto/Q.'
>>> sha256_crypt.verify("password", hash)
True
>>> sha256_crypt.verify("letmein", hash)
False
>>> from passlib.hash import sha512_crypt
>>> hash = sha512_crypt.hash("password")
>>> hash
'$6$rounds=656000$0EDxNq0bt17MlHHU$81oKrH4iCIg7q3hpBLatjrUxcKSXVue.srBcU98TA6LWo2LKklAxMeOeuxwLT82AKo7Ti2oSHDe8VQp6Tfn14/'
>>> sha512_crypt.using(rounds=12345).hash("password")
'$6$rounds=12345$ouWDfvOA6Ur6feP1$pfnUTWUHaIbvRXTmju1F1zZ/MzuNOFVIyu8yTUYkDltlI.46GFH/DfQtYlZjrrr2Xh3B.eysNI7oZiJxKDEVS0'
>>> sha512_crypt.verify("password", hash)
True
>>> sha512_crypt.verify("letmein", hash)
False
Take a look at the code and there are only about 3 conditions that would lead to not taking the desired branch:
From the information we have the hashes must not have the proper prefix.
$ grep -o ':\$[^$]*' ~/auth/trac.passwd | sort | uniq -c
1428 :$1
182 :$6
3 :$apr1
'$1' hash passwords are from the previous process with Apache authentication; '$apr1' are a few testing accounts from before we realized with the server administrator that the default hash type 'apr_md5_crypt' will not work to access our SVN repository controlled by a Perl script with crypt() function. Thus we set the hash type to sha512, so '$6' represents new or updated passwords.
I still have a backup of my passwords file just before the switch with all former '$1' hash passwords. Just in case...
$ grep -o ':\$[^$]*' ~/auth/save/trac.passwd.save | sort | uniq -c
1598 :$1
I've modified pwhash.py but I'm still facing the issue.
Now I'm trying to analyse this in a different way, to see why the procedure doesn't work now (changes in Trac or the server) or if the problem dates back to the authentication switch. In particular, I found that most of the 'password_reset' entries for new accounts are still in the 'session_attribute' SQL datatable. Would they not have been removed after the first connection with the personalized password?
The situation is a bit critical because I can still create an account, but I no longer have a secure way to transmit the access. Any hint?
Nicolas
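An added example (not code from this thread or from AccountManager): the prefix count done with grep above, written in Python and extended to name each scheme and list the accounts whose hash falls outside the two schemes that passlib_ctxt.policy.schemes() returned. The scheme names are passlib's; the sample entries and the accepted set are assumptions made for the demonstration.

```python
import re
from collections import Counter

# Modular-crypt prefixes mapped to passlib scheme names.
PREFIX_TO_SCHEME = {
    "$1$": "md5_crypt",
    "$apr1$": "apr_md5_crypt",
    "$5$": "sha256_crypt",
    "$6$": "sha512_crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
}

# Assumption: the accepted set is what schemes() printed in this thread.
ACCEPTED = ("sha512_crypt", "sha256_crypt")

def classify(hash_field):
    """Return the scheme name implied by the hash prefix, or 'unknown'."""
    m = re.match(r"\$[^$]+\$", hash_field)
    if m:
        return PREFIX_TO_SCHEME.get(m.group(0), "unknown")
    # Traditional DES crypt has no prefix: exactly 13 chars of [./0-9A-Za-z].
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "des_crypt"
    return "unknown"

def audit(lines, accepted=ACCEPTED):
    """Count schemes in 'user:hash' lines; list users outside `accepted`."""
    counts, outside = Counter(), []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks, comments and malformed lines
        user, _, hash_field = line.partition(":")
        scheme = classify(hash_field)
        counts[scheme] += 1
        if scheme not in accepted:
            outside.append(user)
    return counts, outside

# Constructed entries (placeholder salts and digests, not real accounts).
SAMPLE = [
    "# constructed password file",
    "alice:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA",
    "bob:$1$saltsalt$BBBBBBBBBBBBBBBBBBBBBB",
    "carol:$6$rounds=656000$saltsaltsaltsalt$CCCC",
    "dave:$apr1$saltsalt$DDDDDDDDDDDDDDDDDDDDDD",
    "erin:$5$saltsaltsaltsalt$EEEE",
    "frank:abcdefghijklm",
    "",
    "malformed-line-without-colon",
]

if __name__ == "__main__":
    counts, outside = audit(SAMPLE)
    for scheme, n in counts.most_common():
        print("%6d  %s" % (n, scheme))
    print("outside accepted schemes:", ", ".join(outside))
```

Run against a copy of the password file (open it and pass the file object to audit) to get the list of accounts that would need a rehash or a wider scheme list.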