mricon/totp-cgi

Cannot verify bcrypt or md5 hashes

Closed this issue · 10 comments

I am trying to use your wonderful totpcgi project and I hit a snag. I have this working on one setup against an LDAP backend perfectly. I have another place where I'd like to just use a table in the postgres database that has the pincodes there, however I get an error on login saying "Unsupported hashcode format". Can you point me to where I might be wrong? I know this is pretty generic stuff here but I'm not sure what info you might find useful.

I entered the pincode as I would expect my user to type it in. I set the hash type to md5. I'm wondering if I have to actually create a hash of the password and put that in the table?

I did try creating an MD5 hash of the password also and using that in the table didn't seem to make a difference.

The entries in the database should match one of the supported password hashes, not plaintext. If you want to generate a compatible md5 password hash, run the following: "openssl passwd -1" and type in the password to hash.

FYI, you can also use "totpprov set-user-pincode username", if you set up your provisioning.conf.
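The difference between a plaintext pincode, a bare MD5 digest and a crypt-style password hash, as an added example that is not part of the original thread and is not totp-cgi's own code. It assumes stored values use the modular crypt format that `openssl passwd -1` emits; the function names and sample rows are hypothetical.

```python
import hashlib
import re

B64 = r"[./0-9A-Za-z]"  # alphabet used by crypt-style salts and digests

# Modular crypt format shapes: $<id>$[params$]<salt>$<digest>
SCHEMES = {
    "md5-crypt":    re.compile(rf"\$1\${B64}{{1,8}}\${B64}{{22}}"),
    "bcrypt":       re.compile(rf"\$2[abxy]?\$\d{{2}}\${B64}{{53}}"),
    "sha256-crypt": re.compile(rf"\$5\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{43}}"),
    "sha512-crypt": re.compile(rf"\$6\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{86}}"),
}


def classify(stored):
    """Return the scheme name, or why the value is not a crypt-format hash."""
    for name, pattern in SCHEMES.items():
        if pattern.fullmatch(stored):
            return name
    if re.fullmatch(r"[0-9a-fA-F]{32}", stored):
        return "raw hex digest (not crypt format)"
    if stored.startswith("$"):
        return "malformed crypt string"
    return "plaintext or unknown"


def audit(rows):
    """Map username -> classification for (username, stored_value) rows."""
    return {user: classify(value) for user, value in rows}


# Constructed sample rows: the salts and digests below only have the right
# shape and length; they are filler, not real hashes of any password.
SAMPLE_ROWS = [
    ("alice", "1234"),                                  # pincode typed as-is
    ("bob", hashlib.md5(b"1234").hexdigest()),          # bare MD5 of the pincode
    ("carol", "$1$" + "saltsalt" + "$" + "A" * 22),
    ("dave", "$2b$12$" + "B" * 53),
    ("erin", "$6$" + "saltsaltsaltsalt" + "$" + "C" * 86),
    ("frank", "$5$rounds=5000$salt$" + "D" * 43),
]

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_ROWS).items():
        print(f"{user:6} {verdict}")
```

Rows classified as plaintext or as a raw hex digest are the two things the reporter first stored in the table; neither carries the `$id$salt$digest` structure a crypt-style verifier parses.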

Thanks for that pointer. I removed the manual entries I made and tried again with the command you provided. I changed the hash to bcrypt and md5, but I still get the same exact error message (even when trying to provision the user with totpprov): "Unsupported hashcode format".

BTW, it does make the entries in the database; it's failing on the verify step.

I did verify I have bcrypt installed, and when I go into python at the command prompt and run import bcrypt it returns as I would expect for a module that is installed.

I started trying other hash algorithms and I got to sha256 which seems to be working. Not sure why md5 and bcrypt didn't work but at this point I don't care either.

Thanks for the tip on the provisioning command that will save me headaches :)

I think you found an actual bug, so I'll keep this open. Looks like we don't do the right thing verifying md5 or bcrypt hashes.

FYI, I recommend you use sha512 instead of sha256.

Will do, thanks!

Should be fixed and will be out with 0.5.6