Integrations and salted passwords

jettyrat

Joined: 2005-12-30
Posts: 32
Posted: Wed, 2008-06-04 17:37

Wondering what is the best way to handle salted passwords from embedding apps. phpBB3 for instance uses a fairly involved password encryption scheme. The password that gets passed when the integration creates new users is essentially useless from Gallery's point of view. That makes stand-alone access to Gallery not possible for users created from the integration, which is ok as they don't need direct access anyway. But, a bigger problem is something like Gallery Remote does not work for them either because the password is not accepted.

Just wondering if there is a recommended way to handle this other than hacking GalleryUser.class. Seems as if there should be some way to hook an external password verification method for embedded apps...

 
Oldiesmann

Joined: 2005-05-18
Posts: 151
Posted: Sat, 2008-06-28 03:39

I ended up going with a custom login system that requires the user to enter their forum password before their account is created. I do this by tracking whether or not they're a gallery user in the forum (extra column in the members table). Here's how the current process works (this happens every time a user accesses a page in the embedded gallery):

if (guest or registered)
    continue to gallery
elseif (username exists in gallery)
    request password for gallery account
else
    request forum password

If they enter the correct password, I either link the existing accounts or create a new one, depending on the situation.

This seems to work out quite well for my users, and covers all possible situations, so you might want to consider a similar setup.
---------------------
The Oldiesmann
SMF Project Manager
SMF+G2 Integration Project - RC1 Coming soon

 
jettyrat

Joined: 2005-12-30
Posts: 32
Posted: Mon, 2008-06-30 18:35

Thanks for the reply Oldiesmann. That's an interesting approach. I will give that some thought. I am told Gallery 2.4 may address this problem in some way also.

 
jettyrat

Joined: 2005-12-30
Posts: 32
Posted: Tue, 2008-07-01 01:59

I should also note that I have a fix for it by adding some code to GalleryUser.class that hooks the phpbb hashing function when someone tries to log in to G2 using a phpbb password (it's easy to distinguish the difference between the hashed passwords). Was just wondering if there was some other way I was missing that didn't require mods to G2 code.

 
floridave

Joined: 2003-12-22
Posts: 27300
Posted: Tue, 2008-07-01 04:29

FYI: there has been some discussion in gallery-devel about this:
http://sourceforge.net/mailarchive/message.php?msg_id=1207553698.m2f.46604%40www.wpg2next.com
and a few other threads.
There will be a workaround-method in G2.3 but the final method will be done in G2.4.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
ozgreg

Joined: 2003-10-18
Posts: 1378
Posted: Thu, 2008-07-24 04:38

Actually a small update, phpass support has already been added into Gallery2 2.3 (available now in SVN) (already added into WPG2 3.1 and tested)

Thanks again to the G2 Developers for adding this very late change..

____________________________________
Wordpress / Gallery2 (WPG2) Plugin, WPG2 Documentation, WPG2 Demo

 
jettyrat

Joined: 2005-12-30
Posts: 32
Posted: Fri, 2008-07-25 14:05

A 2nd thanks to the G2 developers for adding this. Also tested and verified with the phpbb3 integration with one small glitch. phpbb3 uses $H$ as the hash identifier instead of $P$.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sat, 2008-08-02 08:43

@jettyrat:
Right, when handing off the hashedPassword to G2, please use string_replace to make the replacement of $H$ and $P$ (the first 3 characters of the string) to make sure that G2 understands the password hash string.

--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
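
The hand-off described in the last two posts, as an added example that is not part of the original thread and is not Gallery2, phpBB3 or WPG2 code: it rewrites only a leading `$H$` to `$P$` and confirms that the result still verifies against the same password. The function names, the sample password and salt, and the phpass "portable" hash layout used here are assumptions.

```php
<?php
// Added example. Assumed layout of a phpass "portable" hash (34 chars):
// 3-char id, 1 cost char, 8 salt chars, 22 chars of encoded MD5 output.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass-style base64: little-endian, 6 bits per output character.
function encode64(string $in, int $count): string {
    $out = '';
    for ($i = 0; $i < $count; $i += 3) {
        $v = ord($in[$i]);
        if ($i + 1 < $count) $v |= ord($in[$i + 1]) << 8;
        if ($i + 2 < $count) $v |= ord($in[$i + 2]) << 16;
        $chars = min(4, $count - $i + 1); // 1 byte -> 2 chars, 2 -> 3, 3 -> 4
        for ($k = 0; $k < $chars; $k++) $out .= ITOA64[($v >> (6 * $k)) & 0x3f];
    }
    return $out;
}

// Iterated MD5 over salt + password; $setting is (at least) the first 12 chars.
function portable_hash(string $password, string $setting): ?string {
    $id   = substr($setting, 0, 3);
    $log2 = strpos(ITOA64, $setting[3] ?? '');
    $salt = substr($setting, 4, 8);
    if (($id !== '$P$' && $id !== '$H$') || $log2 === false
        || $log2 < 7 || $log2 > 30 || strlen($salt) !== 8) {
        return null; // malformed or unsupported setting
    }
    $hash = md5($salt . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) $hash = md5($hash . $password, true);
    return substr($setting, 0, 12) . encode64($hash, 16);
}

// Rewrite the id only at position 0 and only for a full-length portable hash.
function normalize_for_g2(string $stored): string {
    $isPhpbb = strlen($stored) === 34 && strncmp($stored, '$H$', 3) === 0;
    return $isPhpbb ? '$P$' . substr($stored, 3) : $stored;
}

function verify(string $password, string $stored): bool {
    $calc = portable_hash($password, $stored);
    return $calc !== null && hash_equals($stored, $calc); // constant-time compare
}

// Constructed sample: cost char 'B' (2^13 rounds) and a fixed demo salt.
$phpbb = portable_hash('correct horse', '$H$B' . 'saltsalt');
$g2    = normalize_for_g2($phpbb);
var_dump($g2 === '$P$' . substr($phpbb, 3));      // only the id changed
var_dump(verify('correct horse', $g2));           // same password still verifies
var_dump(verify('wrong', $g2));                   // other passwords do not
var_dump(normalize_for_g2(str_repeat('0', 32)));  // non-portable string untouched
```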