user password different type encoding

Hello dev-team,

I would like to add a different type of password encryption to the users in my Galaxy instance. I started working with the current password encoding script: /home/apps/galaxy-dist/lib/galaxy/util/hash_util.py

I will keep the current sha1 and add another layer of encryption to the sha1 hash; otherwise I need to force all my users to change their password and follow the new hashing method.

Can anyone please point me to any other place/script which I missed regarding the encryption/decryption of user authentication?

thanks in advance,
--/Vipin

That should be the only place; it is called from some methods of the User model object. So you could modify it to always hash new passwords in a different way, but check old passwords with sha1 first, then something else.

Although it might be nice to move the functionality into security.validate_user_input since it is really specific to user passwords, especially with those changes.

I'd be happy to see this go into main with sha256 or something similar. Also, we could consider adding a random per-user salt field if you are really concerned about this.

-- James Taylor, Assistant Professor, Biology/CS, Emory University

On Thu, May 2, 2013 at 10:21 AM, Vipin TS <vipin.ts@gmail.com> wrote:
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/

Thanks James,

I have updated the password of one user in the galaxy_user table with the new algorithm. I also adjusted the function "new_secure_hash" in /lib/galaxy/util/hash_util.py in such a way that it returns the new hash instead of sha1. Now when I try to log in, it fails to get the account; I think there is something going wrong in the password hash comparison. Can you please assist here?

+++ b/lib/galaxy/util/hash_util.py Thu May 02 14:33:07 2013 -0400 @@ -25,13 +25,60 @@ Returns either a sha1 hash object (if called with no arguments), or a hexdigest of the sha1 hash of the argument `text_type`. """ + import hashlib + from os import urandom + from base64 import b64encode, b64decode + from itertools import izip + from pbkdf2 import pbkdf2_bin + + SALT_LENGTH = 12 + KEY_LENGTH = 24 + HASH_FUNCTION = 'sha256' + COST_FACTOR = 10000 + if text_type: + #return sha1( text_type ).hexdigest() + + sec_hash_1 = sha1( text_type ).hexdigest() + + if isinstance(sec_hash_1, unicode): + sec_hash_1 = sec_hash_1.encode('utf-8') + salt = b64encode(urandom(SALT_LENGTH)) + + return 'PBKDF2${0}${1}${2}${3}'.format( + HASH_FUNCTION, + COST_FACTOR, + salt, + b64encode(pbkdf2_bin(sec_hash_1, salt, COST_FACTOR, KEY_LENGTH, getattr(hashlib, HASH_FUNCTION))))

thanks, Vipin
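Review bot: as written, `new_secure_hash` cannot serve the login check, because `salt = b64encode(urandom(SALT_LENGTH))` draws a fresh salt on every call, so hashing the same password twice yields two different `PBKDF2$...` strings and no later call can reproduce the value stored in the password column; the verification side needs its own routine that splits the stored value on `$`, recovers the hash name, cost and salt, recomputes `pbkdf2_bin(sec_hash_1, salt, COST_FACTOR, KEY_LENGTH, ...)` with that stored salt, and compares only the key part, using a constant-time comparison rather than `==` (the imported but unused `b64decode` and `izip` look like the beginnings of exactly that helper; either finish it or drop the imports). Two smaller points: the docstring directly above the new code still promises a sha1 hexdigest and should describe the new `PBKDF2$hash$cost$salt$key` return value, and the commented-out `#return sha1( text_type ).hexdigest()` can go once the new return is settled.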

I have started testing by creating a new user, with the password hash created using the new algorithm:

galaxy=# select username,email,password from galaxy_user where email = ' fmlmpg@gmail.com';
 username |      email       |                 password
----------+------------------+------------------------------------------
          | fmlmpg@gmail.com | PBKDF2$sha256$10000$e0DVCuGEua3ebxxU$Bh6

I have updated the length of the password column to 80 characters in my table, and still the stored password seems to be 40 chars long. I print the hash after creating the second hash (password -> sha1 hash, 40 chars long -> pbkdf2 hash, 69 chars long) before storing it into the database table; I believe the hash has been truncated. Any idea what is happening here? I am not seeing any clue in the code.

thanks, Vipin

I have updated the table schema to adjust the column length from the following script: lib/galaxy/model/mapping.py

Now my new registration passwords are encrypted with a second layer of authentication using PBKDF2. New entry from the database table:

galaxy=# select username,email,password from galaxy_user where email = ' vipin@mail.com';
 username |     email      |                               password
----------+----------------+-----------------------------------------------------------------------
          | vipin@mail.com | PBKDF2$sha256$10000$lv0RfxbU3SymKvEA$l4RH9f9xHrH4pcf9n6ELP1MWjG+hooEW

BUT now I am experiencing a problem with authenticating the newly registered user name. Once I log out, I can't log back in again: password invalid. This tells me there is something going on with the password hash/compare function.

Can you please guide me to the right module to look for this? It would be quite helpful,
--/Vipin

The only other relevant place is the User object in model/__init__.py

-- James Taylor, Assistant Professor, Biology/CS, Emory University

On Thu, May 2, 2013 at 6:46 PM, Vipin TS <vipin.ts@gmail.com> wrote:

Vipin, I think the main problem here is that you cannot treat PBKDF2 as a hash in this way. Every time you hash the same password you get a different result because you are generating a new random salt. Instead, you need to decode the in-database representation to extract the salt and then do a comparison on the hashed part.

I have this working in a backward compatible way, and I think it is a good idea so I will be committing it to central shortly.

-- James Taylor, Assistant Professor, Biology/CS, Emory University

On Thu, May 2, 2013 at 2:34 PM, Vipin TS <vipin.ts@gmail.com> wrote:

Rather than committing this directly I created the following pull request:
https://bitbucket.org/galaxy/galaxy-central/pull-request/165/password-securi...

It would be great if a couple of people could sign off on it before merging. I don't think I'm doing anything stupid, but a sanity check is appreciated.

-- James Taylor, Assistant Professor, Biology/CS, Emory University

On Sun, May 5, 2013 at 12:12 PM, James Taylor <james@jamestaylor.org> wrote:

Thanks James!

I have pulled the recent changes into my repository and this is working fine. I have tested by creating a new user, and I tried to log in with the recently created user and this works fine at my end. The entry looks as follows:

galaxy=# select username,email,password from galaxy_user where email = ' cbio@gmail.com';
 username |     email      |                               password
----------+----------------+-----------------------------------------------------------------------
 cbio     | cbio@gmail.com | PBKDF2$sha256$10000$7CWpfEOjZ3xmRH6b$ufFHb8Ax9GkVBGmnR5fq159NA3C4F6o0

This works fine.

With this new implementation, the new registration password hashes are generated in PBKDF2. Maybe one can force the existing users to reset their password, so that all users' passwords will be updated in the table. As you mentioned in the previous mail, because of the random salt generation in the password hashing step, I don't think I can take all of the existing users' SHA-1 hashes, run them through the algorithm and replace them with the updated hashes. I thought this would be transparent to the users instead of forcing them to reset the password.

Any thoughts on this?

Thank you for the timely help,
--Vipin
I thought this would be transparent to the users instead of forcing to reset the password.
Two thoughts... but please consider that I might not know what I am talking about, and that these might not be good ideas ... (1) James' implementation supports two hashing schemes in the table. Couldn't you add a third, which would apply PBKDF2 to the older SHA-1 values (instead of two the clear text)? This would allow you to update the table to convert existing passwords to PBKDF2(SHA-1) and immediately get the security upgrade I think you're after. (2) Seems like you could automatically change the table entry to PBKDF2 the next time the user logs in. E.g. in check password, if the existing password is SHA-1, or PBKDF2(SHA-1), and the guess is successful, use to guess to create PBKDF2(guess) replacement in the table. Note that I don't know enough about galaxy to know if the table could be altered at that point/environment. Bob H On May 6, 2013, at 11:17 AM, Vipin TS wrote:
Thanks James!
I have pulled the recent changes to my repository and this is working fine. I have tested with creating a new user and I tried to login with the recently created user and this works fine at my end. The entry looks like as follows:
galaxy=# select username,email,password from galaxy_user where email = 'cbio@gmail.com'; username | email | password ----------+---------------- + ----------------------------------------------------------------------- cbio | cbio@gmail.com | PBKDF2$sha256$10000$7CWpfEOjZ3xmRH6b $ufFHb8Ax9GkVBGmnR5fq159NA3C4F6o0
This works fine.
With this new implementation, the new registration password hashes are generated in PBKDF2. Maybe one can force the existing users to reset the password, so that all users' passwords will be updated in the table. As you mentioned in the previous mail, because of random salt generation in the password hashing step, I don't think I can take all of the existing users' SHA-1 hashes, run them through the algorithm and replace them with the updated hashes. I thought this would be transparent to the users instead of forcing them to reset the password.
any thoughts on this?
Thank you for timely help, --Vipin
Rather than committing this directly I created the following pull request:
https://bitbucket.org/galaxy/galaxy-central/pull-request/165/password-securi...
It would be great if a couple of people could sign-off on it before merging. I don't think I'm doing anything stupid, but a sanity check is appreciated.
-- James Taylor, Assistant Professor, Biology/CS, Emory University
Vipin, I think the main problem here is that you cannot treat PBKDF2 as a hash in this way. Every time you hash the same password you get a different result because you are generating a new random salt. Instead, you need to decode the in database representation to extract the salt and then do a comparison on the hashed part.
I have this working in a backward compatible way, and I think it is a good idea so I will be committing it to central shortly.
-- James Taylor, Assistant Professor, Biology/CS, Emory University
On Thu, May 2, 2013 at 2:34 PM, Vipin TS <vipin.ts@gmail.com> wrote:
Thanks James, I have updated the password of one user in the galaxy_user table with the new algorithm. I also adjusted the function "new_secure_hash" in /lib/galaxy/util/hash_util.py in such a way that it returns the new hash instead of sha1. Now when I try to login, it fails to get the account; I think there is something going wrong in the password hash comparison. Can you please assist here.
+++ b/lib/galaxy/util/hash_util.py Thu May 02 14:33:07 2013 -0400 @@ -25,13 +25,60 @@ Returns either a sha1 hash object (if called with no arguments), or a hexdigest of the sha1 hash of the argument `text_type`. """ + import hashlib + from os import urandom + from base64 import b64encode, b64decode + from itertools import izip + from pbkdf2 import pbkdf2_bin + + SALT_LENGTH = 12 + KEY_LENGTH = 24 + HASH_FUNCTION = 'sha256' + COST_FACTOR = 10000 + if text_type: + #return sha1( text_type ).hexdigest() + + sec_hash_1 = sha1( text_type ).hexdigest() + + if isinstance(sec_hash_1, unicode): + sec_hash_1 = sec_hash_1.encode('utf-8') + salt = b64encode(urandom(SALT_LENGTH)) + + return 'PBKDF2${0}${1}${2}${3}'.format( + HASH_FUNCTION, + COST_FACTOR, + salt, + b64encode(pbkdf2_bin(sec_hash_1, salt, COST_FACTOR, KEY_LENGTH, getattr(hashlib, HASH_FUNCTION))))
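Review bot: new_secure_hash now draws a fresh random salt from urandom on every call, so a login check that recomputes new_secure_hash(guess) and compares it to the stored `PBKDF2$...` string can never match, which is the failure described in the mail above; verification needs a separate path that splits the stored value on `$`, reuses the stored salt and cost factor, derives the key again and compares it with a constant-time comparison rather than `==`. Also, `b64decode` and `izip` are imported but never used, and the docstring still says the function returns a sha1 hexdigest.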
thanks, Vipin
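A worked version of what James and Bob describe, added here as an example and not code from Galaxy or from the pull request: it parses the stored `PBKDF2$sha256$10000$salt$key` string so the check reuses the stored salt, wraps a legacy SHA-1 digest in PBKDF2 offline (Bob's idea 1), and hands back a replacement PBKDF2(password) string after a successful login against a legacy or wrapped row (Bob's idea 2). It uses the standard library's hashlib.pbkdf2_hmac instead of the pbkdf2 package used in the patch, and the `PBKDF2-SHA1` tag for wrapped rows is a constructed label, not a Galaxy format.

```python
import hashlib
import hmac
import os
from base64 import b64encode, b64decode

# Parameters taken from the stored row quoted in the thread:
# PBKDF2$sha256$10000$<base64 salt>$<base64 key>
HASH_FUNCTION, COST_FACTOR, SALT_LENGTH, KEY_LENGTH = "sha256", 10000, 12, 24
WRAPPED_TAG = "PBKDF2-SHA1"  # constructed tag: PBKDF2 applied over a legacy SHA-1 hex digest

def _derive(secret, salt, cost, hash_name, key_len):
    # As in the patch on the page, the base64 salt text itself is the salt input.
    return hashlib.pbkdf2_hmac(hash_name, secret.encode("utf-8"), salt.encode("ascii"), cost, key_len)

def encode(secret, tag="PBKDF2"):
    """Fresh random salt on every call, so two calls on one password never match."""
    salt = b64encode(os.urandom(SALT_LENGTH)).decode("ascii")
    key = _derive(secret, salt, COST_FACTOR, HASH_FUNCTION, KEY_LENGTH)
    return "$".join([tag, HASH_FUNCTION, str(COST_FACTOR), salt, b64encode(key).decode("ascii")])

def legacy_sha1(password):
    """The pre-existing unsalted SHA-1 hex digest scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def wrap_legacy(sha1_hex):
    """Bob's idea (1): upgrade a stored SHA-1 row offline, without knowing the password."""
    return encode(sha1_hex, WRAPPED_TAG)

def check_password(password, stored):
    """James' point: parse the stored string, reuse its salt, compare in constant time."""
    if "$" not in stored:  # plain legacy SHA-1 hex digest
        return hmac.compare_digest(legacy_sha1(password), stored)
    tag, hash_name, cost, salt, key_b64 = stored.split("$")
    secret = legacy_sha1(password) if tag == WRAPPED_TAG else password
    key = _derive(secret, salt, int(cost), hash_name, len(b64decode(key_b64)))
    return hmac.compare_digest(b64encode(key).decode("ascii"), key_b64)

def check_and_upgrade(password, stored):
    """Bob's idea (2): after a successful login against a legacy or wrapped row,
    return (True, replacement) so the caller can store PBKDF2(password) instead."""
    if not check_password(password, stored):
        return False, None
    if stored.startswith("PBKDF2$"):
        return True, None  # already on the new scheme, nothing to rewrite
    return True, encode(password)
```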
participants (3): Bob Harris, James Taylor, Vipin TS