dhis2-users team mailing list archive

Re: dhis 2.17 Password Algorithm

 

Hi Bob/Jason P/Lars/all,

 

Many thanks for your responses/input!

Perhaps my specific reasons for my request would clear up the requirement:

 

We normally have three "copies" of any one instance running at any given
time: a LIVE system, a STAGING system, and a TRAINING system.  The STAGING
system is used for testing changes to the LIVE without actually affecting
the LIVE, for obvious reasons.

We want to regularly update the STAGING database with a copy of the LIVE -
but, in so doing, inject a superuser account that can be used for login by
our support/technical/data staff; people that we would ideally like NOT to
have access to the LIVE system.

I would (ideally) like this to happen during our automated backup process,
so something scripted would be great.  The injected username/password would
remain reasonably stable, but for security reasons we would like to be able
to change it from time to time.

Any suggestion which presupposes an existing (presumably) super-user account
poses a problem in that each database has different super-users, and the
password for each is neither known to me nor stable or consistent.

For example, I do not have login/access to most of the DHIS2 databases we
host, but I am required occasionally to log in to assist with technical
queries.  Using the method described above, I can be given super-user access
to a copy of the system without having login creds for the real deal.

 

I hope that clarifies?  Any suggestions would be greatly appreciated.

 

Kind regards,

Jason.

 

From: Dhis2-users
[mailto:dhis2-users-bounces+jason=hisp.org@xxxxxxxxxxxxxxxxxxx] On Behalf Of
Bob Jolliffe
Sent: 12 January 2015 02:15 PM
To: Halvdan Grelland
Cc: DHIS 2 Users List; Henk Brink
Subject: Re: [Dhis2-users] dhis 2.17 Password Algorithm

 

Hi Jason

 

Expanding yet further - and clearing up terminology - dhis2 does not encrypt
the password and store it.  If it did, and you had the key, then you could
decrypt it.  What dhis2 stores is a hash which is something calculated from
the password.  These hash algorithms are designed to be as irreversible as
possible, i.e. you can calculate the hash from the password (which is what
happens when your password is checked when you login) but not the password
from the hash.  So there is no encryption/decryption key involved.

 

In general I think Lars's advice is what you should follow if you can.
Creating a bunch of user/password combinations in advance gives you two
headaches : (i) how do you generate the passwords?  (ii) how do you then
securely distribute them?

 

Maybe the one case where you might want to create a user with a
pre-generated password is if you are trying to match credentials across
systems.

 

Bob

 

On 12 January 2015 at 11:41, Halvdan Grelland <halvdanhg@xxxxxxxxx> wrote:

To further expand on this: bcrypt is a fully portable format which should
allow you to generate and authenticate valid credentials using any (sane)
implementation. Good implementations are available for most programming
languages.

 

Also, I might be misunderstanding you, but in reference to item #3 on your
list: if your design requires you to decrypt password hashes (which is, as
Jason P. suggests, virtually impossible) it should probably be reconsidered.

 

If you for some reason need to work with pre 2.17 systems there is a
standalone implementation of the DHIS2 password hashing algo available at
https://github.com/dhis2/dhispassword

 

 

2015-01-12 9:18 GMT+01:00 Jason Pickering <jason.p.pickering@xxxxxxxxx>:

Hi Jason,

 

DHIS2 currently uses Bcrypt for encryption of the passwords. 

 

By far the easiest way to achieve what you want is to create an XML (DXF2)
payload of the user(s) you need to create and import that into DHIS2. The
password in XML can be clear text, and will be encrypted by DHIS2 upon
import.

 

Yes, users can be assigned to orgunits in this process. 

 

Although it is possible to decrypt the password in the DHIS2 database, it
could be a lengthy process requiring the password to be cracked. There is no
known algorithm to efficiently decrypt passwords which have been hashed
with Bcrypt. 

 

Best regards,

Jason Pickering

 

 

 

On Mon, Jan 12, 2015 at 8:05 AM, Jason Phillips <jason@xxxxxxxx> wrote:

Hi all,

 

A happy New Year to everyone, and may 2015 be a happy, healthy and
prosperous year for us all!

 

I know related questions have been asked in the past, but I thought this one
worth asking anyway:

 

We need to be able to add a user/password to an instance "externally" to
dhis 2.x - i.e. either through PostgreSQL or by injecting a line into an
.sql dump or something similar.  The instance need not be running at the
time.

If I recall correctly, the algorithm used to encrypt the password in the Db
changed at some point (I may be wrong), so for the purposes of this question
assume that this applies only to versions 2.17 or higher.

A couple of points come to mind:

 

1. What would be the best way to achieve what we need, in Oslo's opinion?

2. Can usernames be assigned to an OrgUnit at the same time?

3. Can a password be decrypted from an .sql file using the same algorithm?

 

Many thanks and kind regards,

 

Jason.

 

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-users
Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~dhis2-users
More help   : https://help.launchpad.net/ListHelp





 

-- 

Jason P. Pickering
email: jason.p.pickering@xxxxxxxxx
tel: +46764147049



 


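To illustrate Halvdan's point that bcrypt is a portable format, and the injection workflow Jason P. and Jason Phillips discuss, here is an added example (not code from this thread or from the DHIS2 project) that parses a stored bcrypt string into its variant, cost and salt and rejects any hash whose work factor falls below a local minimum before it is written into a copy of the database. The sample string, the `min_cost` value and the assumption that DHIS2 2.17+ stores the full `$2a$<cost>$...` string are mine; the sample hash is constructed for structure only and is not the hash of any real password.

```python
"""Parse and sanity-check a bcrypt modular-crypt-format (MCF) string.

Assumption (not confirmed by the thread): DHIS2 >= 2.17 stores the full
"$2a$<cost>$<22-char salt><31-char checksum>" string in the database.
"""
import re

# bcrypt uses its own radix-64 alphabet, not the RFC 4648 one, so a
# standard base64 decoder will not decode the salt correctly.
_BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_MCF_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt radix-64 (no padding); trailing partial bits are dropped."""
    bits = nbits = 0
    out = bytearray()
    for ch in text:
        bits = (bits << 6) | _BCRYPT_B64.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)


def parse_bcrypt_hash(mcf: str) -> dict:
    """Split an MCF string into variant, cost, rounds, 16-byte salt and checksum."""
    m = _MCF_RE.match(mcf)
    if not m:
        raise ValueError("not a bcrypt MCF string")
    variant, cost_s, payload = m.groups()
    cost = int(cost_s)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's range 4..31")
    return {
        "variant": variant,
        "cost": cost,
        "rounds": 2 ** cost,          # key-schedule iterations = 2^cost
        "salt": bcrypt_b64decode(payload[:22]),
        "checksum_b64": payload[22:],
    }


def is_acceptable(mcf: str, min_cost: int = 10) -> bool:
    """True if the string parses and its work factor meets the local minimum."""
    try:
        return parse_bcrypt_hash(mcf)["cost"] >= min_cost
    except ValueError:
        return False


# Constructed for structure only; NOT the bcrypt of any real password.
SAMPLE_HASH = "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
```

Running `is_acceptable` over the hash you are about to inject (or over every `password` column in a dump) catches malformed strings and weak cost factors without needing a bcrypt library installed.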

 

