[checkmk-commits] 4612 FIX Auth works now with $apr1$ prefixed passwords

Module: check_mk Branch: master Commit: a8cf8f6901d2f06bc6e3c3846ad1e18a5933711c URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a8cf8f6901d2f0… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Mon May 8 11:21:06 2017 +0200 4612 FIX Auth works now with $apr1$ prefixed passwords The default encryption algorithm of htpasswd stores passwords in MD5 format. If you take a look at the file it prefixes the password with $apr1$. This format was not handled by the Check_MK GUI. If you set the prefix to $1$ it worked. The GUI has been changed to be able to work with both formats. Passwords set with this command should now work out of the box: htpasswd -m $OMD_ROOT/etc/htpasswd [username] Change-Id: I02985fbb2d0727fae80447f6590836d38a70a094 --- .werks/4612 | 19 +++++++++++++++++++ web/plugins/userdb/htpasswd.py | 10 +++++----- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/.werks/4612 b/.werks/4612 new file mode 100644 index 0000000..de579c1 --- /dev/null +++ b/.werks/4612 @@ -0,0 +1,19 @@ +Title: Auth works now with $apr1$ prefixed passwords +Level: 1 +Component: multisite +Class: fix +Compatible: compat +Edition: cre +State: unknown +Version: 1.5.0i1 +Date: 1494235113 + +The default encryption algorithm of htpasswd stores passwords +in MD5 format. If you take a look at the file it prefixes the +password with $apr1$. This format was not handled by the Check_MK +GUI. If you set the prefix to $1$ it worked. + +The GUI has been changed to be able to work with both formats. +Passwords set with this command should now work out of the box: + +htpasswd -m $OMD_ROOT/etc/htpasswd [username] diff --git a/web/plugins/userdb/htpasswd.py b/web/plugins/userdb/htpasswd.py index 4265547..3c46989 100644 --- a/web/plugins/userdb/htpasswd.py +++ b/web/plugins/userdb/htpasswd.py @@ -27,11 +27,11 @@ import crypt import cmk.paths -def encrypt_password(password, salt = None): +def encrypt_password(password, salt=None, prefix="1"): import md5crypt if not salt: salt = "%06d" % (1000000 * (time.time() % 1.0)) - return md5crypt.md5crypt(password, salt, '$1$') + return md5crypt.md5crypt(password, salt, '$%s$' % prefix) class HtpasswdUserConnector(UserConnector): @@ -89,9 +89,9 @@ class HtpasswdUserConnector(UserConnector): # crypt() and md5 hashes. This should be the common cases in the # used htpasswd files. def password_valid(self, pwhash, password): - if pwhash[:3] == '$1$': - salt = pwhash.split('$', 3)[2] - return pwhash == encrypt_password(password, salt) + if pwhash.startswith('$1$') or pwhash.startswith('$apr1$'): + prefix, salt = pwhash.split('$', 3)[1:3] + return pwhash == encrypt_password(password, salt, prefix) else: return pwhash == crypt.crypt(password, pwhash[:2])