dhis2-users team mailing list archive

Re: dhis 2.17 Password Algorithm

 

Ah that is much more straightforward (I think).  If it is just a single
admin user, not many users, then the method of Jason Pickering would be
straightforward.  As would simply inserting a known hash code using sql.
Both are easily scriptable.  If you are doing as part of your backup and
restore processes then I'd just do the whole lot with sql.  Either as Jim
has just outlined or simply insert the admin user with password hash.

On 12 January 2015 at 14:32, Jason Phillips <jason@xxxxxxxx> wrote:

> Hi Bob/Jason P/Lars/all,
>
> Many thanks for your responses/input!
>
> Perhaps my specific reasons for my request would clear up the requirement:
>
> We normally have three "copies" of any one instance running at any given
> time: a LIVE system, a STAGING system, and a TRAINING system.  The STAGING
> system is used for testing changes to the LIVE without actually affecting
> the LIVE, for obvious reasons.
>
> We want to regularly update the STAGING database with a copy of the LIVE -
> but, in so doing, inject a superuser account that can be used for login by
> our support/technical/data staff; people that we would ideally like NOT to
> have access to the LIVE system.
>
> I would (ideally) like this to happen during our automated backup process,
> so something scripted would be great.  The injected username/password would
> remain reasonably stable, but for security reasons we would like to be able
> to change it from time to time.
>
> Any suggestion which presupposes an existing (presumably) super-user
> account poses a problem in that each database has different super-users,
> and the password for each is neither known to me nor stable or consistent.
>
> For example, I do not have login/access to most of the DHIS2 databases we
> host, but I am required occasionally to log in to assist with technical
> queries.  Using the method described above, I can be given super-user
> access to a copy of the system without having login creds for the real deal.
>
> I hope that clarifies?  Any suggestions would greatly appreciated.
>
> Kind regards,
>
> Jason.
>
> *From:* Dhis2-users [mailto:dhis2-users-bounces+jason=hisp.org@xxxxxxxxxxxxxxxxxxx] *On Behalf Of *Bob Jolliffe
> *Sent:* 12 January 2015 02:15 PM
> *To:* Halvdan Grelland
> *Cc:* DHIS 2 Users List; Henk Brink
> *Subject:* Re: [Dhis2-users] dhis 2.17 Password Algorithm
>
> Hi Jason
>
> Expanding yet further - and clearing up terminology - dhis2 does not
> encrypt the password and store it.  If it did, and you had the key, then
> you could decrypt it.  What dhis2 stores is a hash which is something
> calculated from the password.  These hash algorithms are designed to be as
> irreversible as possible, i.e. you can calculate the hash from the password
> (which is what happens when your password is checked when you login) but
> not the password from the hash.  So there is no encryption/decryption key
> involved.
>
> In general I think Lars's advice is what you should follow if you can.
> Creating a bunch of user/password combinations in advance gives you two
> headaches: (i) how do you generate the passwords?  (ii) how do you then
> securely distribute them?
>
> Maybe the one case where you might want to create a user with a
> pre-generated password is if you are trying to match credentials across
> systems.
>
> Bob
>
> On 12 January 2015 at 11:41, Halvdan Grelland <halvdanhg@xxxxxxxxx> wrote:
>
> To further expand on this: bcrypt is a fully portable format which should
> allow you to generate and authenticate valid credentials using any (sane)
> implementation. Good implementations are available for most programming
> languages.
>
> Also, I might be misunderstanding you, but in reference to item #3 on your
> list: if your design requires you to decrypt password hashes (which is, as
> Jason P. suggests, virtually impossible) it should probably be reconsidered.
>
> If you for some reason need to work with pre 2.17 systems there is a
> standalone implementation of the DHIS2 password hashing algo available at
> https://github.com/dhis2/dhispassword
>
> 2015-01-12 9:18 GMT+01:00 Jason Pickering <jason.p.pickering@xxxxxxxxx>:
>
> Hi Jason,
>
> DHIS2 currently uses Bcrypt for encryption of the passwords.
>
> By far the easiest way to achieve what you want is to create an XML (DXF2)
> payload of the user(s) you need to create and import that into DHIS2. The
> password in XML can be clear text, and will be encrypted by DHIS2 upon
> import.
>
> Yes, users can be assigned to orgunits in this process.
>
> Although it is possible to decrypt the password in the DHIS2 database, it
> could be a lengthy process requiring the password to be cracked. There is
> no known algorithm to efficiently decrypt passwords which have been hashed
> with Bcrypt.
>
> Best regards,
>
> Jason Pickering
>
> On Mon, Jan 12, 2015 at 8:05 AM, Jason Phillips <jason@xxxxxxxx> wrote:
>
> Hi all,
>
> A happy New Year to everyone, and may 2015 be a happy, healthy and
> prosperous year for us all!
>
> I know related questions have been asked in the past, but I thought this
> one worth asking anyway:
>
> We need to be able to add a user/password to an instance "externally" to
> dhis 2.x - i.e. either through PostgreSQL or by injecting a line into an
> .sql dump or something similar.  The instance need not be running at the
> time.
>
> If I recall correctly, the algorithm used to encrypt the password in the
> Db changed at some point (I may be wrong), so for the purposes of this
> question assume that this applies only to versions 2.17 or higher.
>
> A couple of points come to mind:
>
> 1. What would be the best way to achieve what we need, in Oslo's opinion?
>
> 2. Can usernames be assigned to an OrgUnit at the same time?
>
> 3. Can a password be decrypted from an .sql file using the same algorithm?
>
> Many thanks and kind regards,
>
> Jason.
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-users
> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-users
> More help   : https://help.launchpad.net/ListHelp
>
> --
>
> Jason P. Pickering
> email: jason.p.pickering@xxxxxxxxx
> tel:+46764147049
>
>
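An added example, not code from this thread or from DHIS2: Halvdan's point that bcrypt is a portable format means a stored value can be parsed and audited with any implementation, which is what a support team would want to do on a restored STAGING copy before relying on an injected account. The sample rows and hash strings below are constructed (the salt and digest characters are arbitrary members of the bcrypt alphabet and correspond to no password), and no DHIS2 table layout is assumed.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Tuple

# bcrypt modular-crypt string: $<version>$<2-digit cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9), not RFC 4648.
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


class BcryptHash(NamedTuple):
    version: str   # "2a", "2b", "2y", ...
    cost: int      # work factor; key setup runs 2**cost rounds
    salt: str      # 22 encoded chars (128 bits of salt)
    digest: str    # 31 encoded chars (184 bits of hash output)


def parse_bcrypt(value: str) -> BcryptHash:
    """Split a stored bcrypt string into its fields, rejecting anything malformed."""
    m = _BCRYPT_RE.match(value)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m["cost"])
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    return BcryptHash(m["version"], cost, m["salt"], m["digest"])


def audit_password_column(rows: Iterable[Tuple[str, str]], min_cost: int = 10) -> Dict[str, List[str]]:
    """Classify (username, stored_value) pairs: bcrypt at an acceptable cost,
    bcrypt below min_cost, or not bcrypt at all (e.g. a pre-2.17 hash format)."""
    report: Dict[str, List[str]] = {"ok": [], "weak_cost": [], "not_bcrypt": []}
    for username, stored in rows:
        try:
            parsed = parse_bcrypt(stored)
        except ValueError:
            report["not_bcrypt"].append(username)
            continue
        bucket = "ok" if parsed.cost >= min_cost else "weak_cost"
        report[bucket].append(username)
    return report


# Constructed sample rows (not real DHIS2 data); the third value imitates an
# unsalted hex digest such as an older, non-bcrypt storage format would leave.
SAMPLE_ROWS = [
    ("admin",   "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("support", "$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("legacy",  "0123456789abcdef0123456789abcdef"),
]
```

Run `audit_password_column` over a dump of the stored password values; any username that lands in `not_bcrypt` or `weak_cost` should be re-hashed through the application rather than copied across instances.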
