
dhis2-users team mailing list archive

Re: dhis 2.17 Password Algorithm

 

Here's another approach:

Create the superuser account in the production system by hand. Copy out the
hashed password from a SQL query:

    select password from users where username='...';

Set the password to null in the production system to effectively disable
the account. Then as a part of your batch procedure, enable the password in
the STAGING system with an update command like:

    update users set password = '...' where username='...';

Cheers,
Jim
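
Jim's procedure above, wrapped in a small POSIX shell script as an added example; this is not code from the original post or from the DHIS2 project. It assumes the `users` table with `username` and `password` columns seen in the queries above, that the value stored there is a standard 60-character bcrypt string (`$2a$`, `$2b$` or `$2y$` prefix, as Spring's BCryptPasswordEncoder writes it), and uses placeholder database names, a placeholder `support` username and a constructed sample hash. The extra step it adds is the check you want before an unattended batch job touches STAGING: the value copied out of LIVE is validated as a bcrypt hash and its quotes escaped before anything is piped to psql, so a clear-text password pasted by mistake or a truncated copy is refused rather than written into the database.

```sh
#!/bin/sh
# Added example (not from the thread or DHIS2). Wraps the copy-hash-out,
# disable-in-LIVE, enable-in-STAGING steps in functions so the SQL is
# checked before it is ever executed.
# Assumptions: "users" table with "username" and "password" columns; the
# stored password is a 60-character bcrypt string. Database names and the
# "support" username are placeholders.

# Constructed sample value: has the shape of a bcrypt hash, is not a real one.
SAMPLE_HASH='$2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0'

# Return 0 if $1 looks like a bcrypt hash: "$2a$" / "$2b$" / "$2y$", a
# two-digit cost, then 53 characters of the bcrypt base64 alphabet.
is_bcrypt_hash() {
    printf '%s' "$1" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# Double every single quote so the value is safe inside an SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# SQL that disables the account in LIVE by clearing its hash (run once, by hand).
build_disable_sql() {
    printf "update users set password = null where username = '%s';\n" \
        "$(sql_quote "$1")"
}

# SQL that re-enables the account in STAGING with the hash copied from LIVE.
# Prints nothing and returns 1 if the saved value does not validate.
build_enable_sql() {
    _user=$1
    _hash=$2
    is_bcrypt_hash "$_hash" || return 1
    printf "update users set password = '%s' where username = '%s';\n" \
        "$(sql_quote "$_hash")" "$(sql_quote "$_user")"
}

# Batch step: run after the LIVE dump has been restored into STAGING.
# SUPPORT_HASH_FILE holds the hash captured earlier with
#   psql -At -d dhis_live -c "select password from users where username='support'"
run_batch() {
    _user=${SUPPORT_USER:-support}
    _hash=$(cat "${SUPPORT_HASH_FILE:?path to the saved bcrypt hash}")
    _sql=$(build_enable_sql "$_user" "$_hash") || {
        echo "refusing to inject: saved value is not a bcrypt hash" >&2
        return 1
    }
    printf '%s' "$_sql" | psql -v ON_ERROR_STOP=1 -d "${STAGING_DB:-dhis_staging}"
}

# Only execute against a database when explicitly asked, so the file can be
# sourced or tested without touching STAGING.
if [ -n "${RUN_DHIS_BATCH:-}" ]; then
    run_batch
fi
```

Rotating the support credential is then a LIVE-side step only: set the new password on the disabled account through the application, copy the new hash out with the select above, null the column again, and replace the contents of the hash file. Because the file holds a bcrypt hash rather than the password, it can sit next to the backup scripts without exposing the credential that staff actually type.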


On Mon, Jan 12, 2015 at 9:32 AM, Jason Phillips <jason@xxxxxxxx> wrote:

> Hi Bob/Jason P/Lars/all,
>
>
>
> Many thanks for your responses/input!
>
> Perhaps my specific reasons for my request would clear up the requirement:
>
>
>
> We normally have three “copies” of any one instance running at any given
> time: a LIVE system, a STAGING system, and a TRAINING system.  The STAGING
> system is used for testing changes to the LIVE without actually affecting
> the LIVE, for obvious reasons.
>
> We want to regularly update the STAGING database with a copy of the LIVE –
> but, in so doing, inject a superuser account that can be used for login by
> our support/technical/data staff; people that we would ideally like NOT to
> have access to the LIVE system.
>
> I would (ideally) like this to happen during our automated backup process,
> so something scripted would be great.  The injected username/password would
> remain reasonably stable, but for security reasons we would like to be able
> to change it from time to time.
>
> Any suggestion which presupposes an existing (presumably) super-user
> account poses a problem in that each database has different super-users,
> and the password for each is neither known to me nor stable or consistent.
>
> For example, I do not have login/access to most of the DHIS2 databases we
> host, but I am required occasionally to log in to assist with technical
> queries.  Using the method described above, I can be given super-user
> access to a copy of the system without having login creds for the real deal.
>
>
>
> I hope that clarifies?  Any suggestions would be greatly appreciated.
>
>
>
> Kind regards,
>
> Jason.
>
>
>
> *From:* Dhis2-users [mailto:dhis2-users-bounces+jason=
> hisp.org@xxxxxxxxxxxxxxxxxxx] *On Behalf Of *Bob Jolliffe
> *Sent:* 12 January 2015 02:15 PM
> *To:* Halvdan Grelland
> *Cc:* DHIS 2 Users List; Henk Brink
> *Subject:* Re: [Dhis2-users] dhis 2.17 Password Algorithm
>
>
>
> Hi Jason
>
>
>
> Expanding yet further - and clearing up terminology - dhis2 does not
> encrypt the password and store it.  If it did, and you had the key, then
> you could decrypt it.  What dhis2 stores is a hash which is something
> calculated from the password.  These hash algorithms are designed to be as
> irreversible as possible, i.e. you can calculate the hash from the password
> (which is what happens when your password is checked when you login) but
> not the password from the hash.  So there is no encryption/decryption key
> involved.
>
>
>
> In general I think Lars's advice is what you should follow if you can.
> Creating a bunch of user/password combinations in advance gives you two
> headaches: (i) how do you generate the passwords?  (ii) how do you then
> securely distribute them?
>
>
>
> Maybe the one case where you might want to create a user with a
> pre-generated password is if you are trying to match credentials across
> systems.
>
>
>
> Bob
>
>
>
> On 12 January 2015 at 11:41, Halvdan Grelland <halvdanhg@xxxxxxxxx> wrote:
>
> To further expand on this: bcrypt is a fully portable format which should
> allow you to generate and authenticate valid credentials using any (sane)
> implementation. Good implementations are available for most programming
> languages.
>
>
>
> Also, I might be misunderstanding you, but in reference to item #3 on your
> list: if your design requires you to decrypt password hashes (which is, as
> Jason P. suggests, virtually impossible) it should probably be reconsidered.
>
>
>
> If you for some reason need to work with pre 2.17 systems there is a
> standalone implementation of the DHIS2 password hashing algo available at
> https://github.com/dhis2/dhispassword
>
>
>
>
>
> 2015-01-12 9:18 GMT+01:00 Jason Pickering <jason.p.pickering@xxxxxxxxx>:
>
> Hi Jason,
>
>
>
> DHIS2 currently uses Bcrypt for encryption of the passwords.
>
>
>
> By far the easiest way to achieve what you want is to create an XML (DXF2)
> payload of the user(s) you need to create and import that into DHIS2. The
> password in XML can be clear text, and will be encrypted by DHIS2 upon
> import.
>
>
>
> Yes, users can be assigned to orgunits in this process.
>
>
>
> Although it is possible to decrypt the password in the DHIS2 database, it
> could be a lengthy process requiring the password to be cracked. There is
> no known algorithm to efficiently decrypt passwords which have been hashed
> with Bcrypt.
>
>
>
> Best regards,
>
> Jason Pickering
>
>
>
>
>
>
>
> On Mon, Jan 12, 2015 at 8:05 AM, Jason Phillips <jason@xxxxxxxx> wrote:
>
> Hi all,
>
>
>
> A happy New Year to everyone, and may 2015 be a happy, healthy and
> prosperous year for us all!
>
>
>
> I know related questions have been asked in the past, but I thought this
> one worth asking anyway:
>
>
>
> We need to be able to add a user/password to an instance “externally” to
> dhis 2.x – i.e. either through PostgreSQL or by injecting a line into an
> .sql dump or something similar.  The instance need not be running at the
> time.
>
> If I recall correctly, the algorithm used to encrypt the password in the
> Db changed at some point (I may be wrong), so for the purposes of this
> question assume that this applies only to versions 2.17 or higher.
>
> A couple of points come to mind:
>
>
>
> 1. What would be the best way to achieve what we need, in Oslo’s
> opinion?
>
> 2. Can usernames be assigned to an OrgUnit at the same time?
>
> 3. Can a password be decrypted from an .sql file using the same
> algorithm?
>
>
>
> Many thanks and kind regards,
>
>
>
> Jason.
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-users
> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-users
> More help   : https://help.launchpad.net/ListHelp
>
>
>
>
>
> --
>
> Jason P. Pickering
> email: jason.p.pickering@xxxxxxxxx
> tel:+46764147049
>
>
>
>
>
>
>
>
>
>
>
