mahara-contributors team mailing list archive

Thread
Date

[Bug 676461] Re: Admin user unable to login after installation - salt issue

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Andrew Nicols <676461@xxxxxxxxxxxxxxxxxx>
Date: Thu, 18 Nov 2010 09:02:58 -0000
Reply-to: Bug 676461 <676461@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hi Richard,

Cheers - that sheds a bit of light on things! I've pushed my fix to
master.

Andrew

--
Admin user unable to login after installation - salt issue
https://bugs.launchpad.net/bugs/676461
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.

Status in Mahara ePortfolio: Fix Committed

Bug description:
During installation, the final step is typically to set the admin password. At present on master this isn't happening and the admin user is unable to login.
Looks like this is caused by a change in e9151dd85cabeb527b7a3dc6d03699e9bb949634 to auth/internal/lib.php to the salt system.

When the admin user is created, it's not created using an Auth object, but by inserting directly into the database. The password is set in plaintext and without salt. The installation then seesm to log in the admin user with that plaintext password.
The salt change in the above commit removes the ability for users to log in using a plaintext password if there's no salt.

I can see two ways forward:
* revert the salt change; or
* salt the admin password.

I've provided a fix for the latter in the attached file on the assumption that the salt was changed for a reason that I'm not privy to, but I haven't applied it to master in case the preferred option is to revert the salt change.

Rather than using auth/lib.php:encrypt_password() (which just returns sha1($salt . $password)), I've just done the sha1. This is to avoid having to include auth/lib.php just for one function. Obviously, this would break if salting methodology changed in the future.