comparing md5 hashed passwords

hesco has asked for the wisdom of the Perl Monks concerning the following question:

I'm finally meeting with some limited success in my tests with CGI::Application. I'm using the Plugin::Authentication module to control access, reading a user-group-acl database created and maintained by code which wraps DBIx::UserDB.

It all works just fine when I'm using plain text passwords. But when I try to encrypt the passwords with md5, the whole thing breaks down pretty quick.

Relevant code from my CGI::App module:

use CGI::Application::Plugin::Authentication;
use CGI::Application::Plugin::Authentication::Driver::Filter::md5;

DistroPrsRls->authen->config(
  DRIVER => [ 'DBI',
    DBH         => $authdb,
    TABLE       => 'userdb',
    CONSTRAINTS => {
      'userdb.username' => '__CREDENTIAL_1__',
      'MD5:userdb.password' => '__CREDENTIAL_2__'
      # 'userdb.password' => '__CREDENTIAL_2__'
    },
  ],
  STORE => 'Session',
  POST_LOGIN_RUNMODE => 'login_welcome',
  POST_LOGIN_CALLBACK => \&update_login_date,
  CREDENTIALS => [ 'authen_username', 'authen_domain', 'authen_passwor
+d' ],
  LOGIN_SESSION_TIMEOUT => {
    IDLE_FOR => '5m',
    EVERY    => '1h'
  },
);
[download]

and my latest experiment with the code which creates the user who's password is tested:

use DBIx::UserDB;
use DBIx::SearchProfiles;
use Digest::MD5 qw(md5_hex);

sub CreateUser {
  my($userdb,$username,$password)=@_;
  print STDERR "Running Create User Subroutine.\n";
  # store md5 hash of password
  my $digest = md5_hex($password);
  # my $string = MD5->hexhash($password);

  my $user = { username => $username, password => $digest };
  $user = $userdb->user_create( $user );
  return;
}
[download]

I seem to have more options for how to encrypt it at the time of creation. I have found fewer models for how to encrypt the login password which gets checked against the database.

But as these two tools are not quite written to interface with one another, I'd appreciate some guiance on how to make them play nice.

Any ideas?

-- Hugh

Comment on comparing md5 hashed passwords Select or Download Code

Replies are listed 'Best First'.
Re: comparing md5 hashed passwords by cees (Curate) on Feb 16, 2006 at 15:27 UTC
You have your CREDENTIALS setup so that you require 3 pieces of information to authenticate (authen_username, authen_domain, authen_password). But then in the DBI Driver, you are using __CREDENTIAL_2__ as the password, even though it is number 3 in your list. If you remove the 'authen_domain' entry, it should start to work. Also, since DBIx::UserDB has it's own method for testing authentication, it might be easier to use that method through a callback, instead of the DBI driver. That way if DBIx::UserDB ever changes the DB structure, your code will still work. `use Digest::MD5 qw(md5_hex); DistroPrsRls->authen->config( DRIVER => [ 'Generic', sub { my $username = shift; # credential 1 my $password = shift; # credential 2 if ($userdb->user_login($username, md5_hex($password)) { return $username; } return; } ], STORE => 'Session', POST_LOGIN_RUNMODE => 'login_welcome', POST_LOGIN_CALLBACK => \&update_login_date, CREDENTIALS => [ 'authen_username', 'authen_password' ], LOGIN_SESSION_TIMEOUT => { IDLE_FOR => '5m', EVERY => '1h' }, );` [download]	[reply] [d/l]
Re: comparing md5 hashed passwords by hesco (Deacon) on Feb 16, 2006 at 20:03 UTC
This works like a charm, authenticating plain text tokens. But I haven't been able to figure out how to get it to work against digested passwords. I must be missing something here: mysql> select uid, username, password from userdb; +-----+------------+------------------------------------------------+ \| uid \| username \| password \| +-----+------------+------------------------------------------------+ \| 2 \| hesco \| password \| \| 35 \| md5 \| 05;X@9WL<JL&TU3!8@`L&[P`` \| \| 36 \| md5_hex \| @-35B93(P-C<W8C%C86%C,6(T9#4S,#4X.#`P8C`V968` \| \| 37 \| md5_base64 \| 65F(T9UHS<V-Q<T<P,51"66=!<T<W=P`` \| +-----+------------+------------------------------------------------+ 4 rows in set (0.00 sec) [download] I'm using some code that wraps around DBIx::UserDB to build and manipulate a database of authentication keys. I want to access those tables with the CGI::Application::Plugin::Authentication to guard the entrance to applications built behind that front door. The four users above all have the password "password", encoded, to the best of my knowledge using the method indicated by their username. I changed this line of code in the CreateUser subroutine to make the changes. `sub CreateUser { my($userdb,$username,$password)=@_; print STDERR "Running Create User Subroutine.\n"; # store md5 hash of password # my $digest = md5($password); # my $digest = md5_hex($password); # my $digest = md5_base64($password); # my $user = { username => $username, password => $digest }; my $user = { username => $username, password => $password }; $user = $userdb->user_create( $user ); return; }` [download] I changed this line of code in the DRIVER definition to test my ability to connect. `DRIVER => [ 'DBI', DBH => $authdb, TABLE => 'userdb', CONSTRAINTS => { 'userdb.username' => '__CREDENTIAL_1__', 'userdb.password' => '__CREDENTIAL_2__' # 'MD5:userdb.password' => '__CREDENTIAL_2__' # 'MD5_hex:userdb.password' => '__CREDENTIAL_2__' # 'MD5_base64:userdb.password' => '__CREDENTIAL_2__' }, ],` [download] Is there some other way I should be doing this? -- Hugh	[reply] [d/l] [select]


Your skill will accomplish what the force of many cannot
	PerlMonks