Password Hash Type in ICAT

99 views
Skip to first unread message

Florian Goessmann

unread,
Oct 8, 2009, 12:23:49 AM10/8/09
to irod...@googlegroups.com
Hi All

We are working on an account management for our iRODS setup that is
external to iRODS itself. In order to store user's passwords in this
system and allow them to change it, we need to know what hash type is
being used by iRODS to create the password hash stored in the ICAT.
Can anyone advise on this?

cheers
Florian

==========================================================
Florian Goessmann
----------------------------------------------------------
Manager, ARCS Data Services
"Providing collaboration services and tools for the Australian
research community"

PO Box 201 CARLTON South
Victoria, 3053
Australia

Phone: +61 8 6436 8835
Mobile: +61 4 3517 5033
Fax: +61 8 6436 8555
Email: florian....@arcs.org.au
Jabber: florian....@arcs.org.au
Calendar: http://hdl.handle.net/102.100.100/19
www: http://www.arcs.org.au
----------------------------------------------------------
iVEC, 'The hub of advanced computing in Western Australia'
26 Dick Perry Avenue, Technology Park
Kensington WA 6151
Australia

Email: flo...@ivec.org
Jabber: flo...@jabber.ivec.org
www: http://www.ivec.org


schr...@diceresearch.org

unread,
Oct 8, 2009, 11:54:18 AM10/8/09
to irod...@googlegroups.com
Hi Florian,

iRODS system uses the MD5 hash for secure password authentication; the
response is created by taking the challenge appended with the user's
password, and calculating the MD5 hash of that combination. The result
is proof that the client has access to the user's password without
revealing anything on the network that could be used to fake it (the
challenge is different each time).

For the passwords stored in the ICAT, like those stored in the user's
scrambled authentication file, we use our own custom scrambling
algorithm. We chose not to use actual encryption to avoid U.S. export
control restrictions and also because even encryption would not be
completely safe (the iRODS server would need to have the key available).
Using our own (obscure) scrambling algorithm may make it a little more
secure.

For 'ipasswd' and 'iadmin moduser Username password' the new password is
scrambled and then transferred on the network, then unscrambled by the
ICAT-enabled server, re-scrambled with another 'key', and then stored
into the ICAT DB.

See the icatScramble function in icatHighLevelRoutines.c to see how the
ICAT user-password scrambling is done. icatScramble will optionally use
a site-configured scramble key and calls the obfEncodeByKey function.
All the obf (obfuscation (scrambling)) functions are in the
lib/core/src/obf.c source file.

'iadmin dspass' will descramble a password for the admin via a call to
obfDecodeByKey

There is a comment block at the top of obf.c that describes the
functions some. The obfEncodeByKey and odfDecodeByKey actually use MD5
as part of the algorithm. But that hash is just used for indexes in a
rotation wheel on the characters (to keep the character set used
intact). It's all pretty fast and efficient.

Let me know if you have any other questions.

- Wayne -

Graham Jenkins

unread,
Oct 8, 2009, 6:08:24 PM10/8/09
to irod...@googlegroups.com
On Thu, 2009-10-08 at 08:54 -0700, schr...@diceresearch.org wrote:

>
> 'iadmin dspass' will descramble a password for the admin via a call to
> obfDecodeByKey

Good theory Wayne. But I can't make it work:
--
# Set the password for user graham.jenkins2:
iadmin moduser graham.jenkins2 password DoesNotWork

# Print the scrambled password:
echo "select user_id, user_name from r_user_main;" | psql -d ICAT | grep graham.jenkins2
3388569 | graham.jenkins2
echo "select user_id, rcat_password from r_user_password;" | psql -d ICAT | grep 3388569
3388569 | .E_Jn&(e)(ma,b

# Unscramble it:
iadmin dspass ".E_Jn&(e)(ma,b" 123
Unscrambled form is:"C_1%8ORgymOzq

--
Graham Jenkins
Australian Research Collaboration Service
Victorian Partnership for Advanced Computing
(+613) 9925-4862


schr...@diceresearch.org

unread,
Oct 8, 2009, 6:57:02 PM10/8/09
to irod...@googlegroups.com
Hi Graham,

You're right, it's a little more involved than I had described.

First, you have to drop the first 3 characters in the encoded string.
These are just there to differentiate the encoded form from the
non-encoded. That's the .E_ characters.

Second, if you haven't set an environment variable, the default key for
this isn't the irods key ('123'), but one that is set in the source
code:
icatHighLevelRoutines.c:#define PASSWORD_DEFAULT_KEY "a9_3fker"

So what might work is:
iadmin dspass "Jn&(e)(ma,b" a9_3fker

schroeder@zuri:~$ iadmin dspass "Jn&(e)(ma,b" a9_3fker
Unscrambled form is:DoesNotWork
schroeder@zuri:~$

- Wayne -


-------- Original Message --------
Reply all
Reply to author
Forward
0 new messages