Use phpbb database as a source for HTTP Basic Authorization

Post by reardenlife » Wed Sep 25, 2019 10:33 pm

I have a database with bcrypt_2y password hashes and I want to change the settings so that the next time any user logs in, their password hash will be changed to a different type - say plain md5. Exactly how should I do that?

The reason I am asking is that I would like to use the existing DB for http basic authorization. The default phpbb settings create a huge problem for me - the bcrypt salt seems to be random and it is stored inside the password field; so I have to read the password field to get the salt first, then generate the bcrypt_2y hash and only then run the mysql query for basic auth. If the hashes were md5 hashes, I would be able to do my check with only one mysql query, since mysql supports md5 natively.

Edit: Actually, the basic auth module seems to support bcrypt: https://github.com/wosc/nginx-db-auth/b ... README.rst
[default]
dsn = postgresql://localhost/myusers
query = SELECT password FROM users WHERE username = :username AND password = :password AND role = :x_required_role
password_hash = bcrypt
I am not sure how it would deal with salted bcrypt though. I need to know more about where phpbb generates the salt for bcrypt, then.

Edit2: Looking at the sources of bcrypt.php... yeah, it uses a random salt. Well, yeah. For my purposes it would be much more appropriate to use the hash function without any salt.

Edit3:
At the same time I am reading other posts from people who are having problems with hashes. The "cron job" that rehashes the passwords...?

viewtopic.php?t=2508846#p15236651
That's the intended behaviour of phpBB: whenever a user logs in to phpBB who has a deprecated hash value in the users database (like the ones starting with $H$9), the hash is converted, not reverted, to the current hashing algorithm.
Wow. But in my case, how do I do the exact opposite - downgrade to md5 unsalted hashes? Or an md5 salt that could be generated from the username, say.

I looked into https://github.com/phpbb/phpbb/blob/3.2 ... hashes.php .. and I do not understand how it works. It should be able to update the hashes only once the user has entered the password. One cannot convert between different hash types.

Code:

$new_hash = $this->passwords_manager->hash($row['user_password'], array($this->default_type));
What the hell is that supposed to mean? $row['user_password'] is not a plain text password, but a hash.

Edit4: So apparently I have to take, say, phpbb/passwords/driver/sha1.php, change it to non-legacy and implement hashing. Then change the hashing algo in config/default/container/parameters.yml to sha1. Will it be enough to update the users' hashes once they are logged in?

Edit5 (SOLUTION?):

So I made a module on the basis of sha1_smf. It just uses sha1 without any salt. * (Hm. There was also a prefix defined but it doesn't seem to be used anywhere).
So I put my module as the first one in config/default/container/parameters.yml and changed the file config/default/container/services_password.yml to write meta info about my module. Then I cleaned the cache and tried to log in. It updated the field user_password successfully. I used the default linux tool sha1sum to check if the hash of the password equals what I was using as a password. It does.

Everything seems to be working as expected.

Is there anything I might have missed?

Edit 6: Yes, I did. So detect_algorithm in manager.php fails to detect the algo needed to check the password hash and I am unable to log in right now..

Edit 7: So yeah. I appended the prefix in the method hash in my module. I also changed the method check accordingly, because it checks the length of the hashed password. So now the password manager recognizes the hash algo and I am able to log in.

So now I am able to use the db of phpbb as a source for basic authorization. Nice..

SOLUTION:
It appears to me that I misunderstood the concept of how a webserver's basic auth module is supposed to work.
I thought that I should be able to generate a password hash myself and select by that field. At least this is how it was described in the nginx documentation.

But actually Apache supports bcrypt_2y:

https://httpd.apache.org/docs/2.4/misc/ ... tions.html
bcrypt
"$2y$" + the result of the crypt_blowfish algorithm. See the APR source file crypt_blowfish.c for the details of the algorithm.
So I just selected the salted bcrypt_2y password by username and the apache basic auth module validated everything for me. So I didn't have to modify anything in the phpbb forum in the first place. Perfect.

Code:

Require valid-user
AuthDBDUserPWQuery "SELECT user_password FROM phpbb_users WHERE username = %s LIMIT 1"
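
Added example (not part of the original post, and not phpBB or Apache code): a pre-flight check that splits each stored `user_password` into the bcrypt_2y fields, showing the salt carried inside the value, and lists accounts whose hash is not `$2y$`, such as the deprecated `$H$` values mentioned in the quoted reply, which the bcrypt format quoted from the Apache docs does not cover. The table and column names come from the query above; the in-memory SQLite database and its rows are constructed placeholders standing in for the forum's MySQL data.

```python
import re
import sqlite3
from collections import Counter

# Layout of a bcrypt_2y value: "$2y$" + 2-digit cost + "$" + 22-char salt + 31-char digest.
BCRYPT_2Y = re.compile(r"\$2y\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")

def parse_bcrypt_2y(stored):
    """Return (cost, salt, digest) for a well-formed $2y$ value, else None."""
    m = BCRYPT_2Y.fullmatch(stored or "")
    if m is None or not 4 <= int(m.group(1)) <= 31:
        return None
    return int(m.group(1)), m.group(2), m.group(3)

def classify(stored):
    """Bucket a user_password value by the scheme its prefix announces."""
    if parse_bcrypt_2y(stored):
        return "bcrypt_2y"
    if (stored or "").startswith("$H$"):
        return "legacy_H"  # deprecated phpBB hash, converted on the next forum login
    return "other"

def audit(conn):
    """Count schemes in phpbb_users and list users without a $2y$ hash."""
    counts, not_2y = Counter(), []
    query = "SELECT username, user_password FROM phpbb_users ORDER BY username"
    for username, stored in conn.execute(query):
        kind = classify(stored)
        counts[kind] += 1
        if kind != "bcrypt_2y":
            not_2y.append(username)
    return dict(counts), not_2y

def sample_db():
    """Constructed rows: format-valid placeholders, not hashes of real passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_users (username TEXT, user_password TEXT)")
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?)", [
        ("alice", "$2y$10$" + "A" * 21 + "u" + "b" * 31),
        ("bob", "$H$9" + "c" * 30),
        ("carol", ""),
    ])
    return conn

if __name__ == "__main__":
    print(audit(sample_db()))
```

Accounts reported in the second list would need a forum login first, so that phpBB converts their hash as described in the quoted reply.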
