I have updated the table schema from the script to adjust the column length
from the following script:
lib/galaxy/model/mapping.py
Now my new registration passwords are encrypted with second layer of
authentication using PBKDF2
new entry from the database table:
galaxy=# select username,email,password from galaxy_user where email = '
vi...@mail.com';
username | email | password
----------+----------------+-----------------------------------------------------------------------
| vi...@mail.com |
PBKDF2$sha256$10000$lv0RfxbU3SymKvEA$l4RH9f9xHrH4pcf9n6ELP1MWjG+hooEW
BUT now I am experiencing the problem with authenticating the newly
registered user name. once I log out,
I can’t log back in again – password invalid. This tells me there is
something going on with the password hash/compare
function.
Can you please guide through the right module to look for this,
Will be quite helpful,
--/Vipin
I have started testing with creating a new user and the password hash
> created using new algorithm,
>
> galaxy=# select username,email,password from galaxy_user where email = '
> fml...@gmail.com';
> username | email | password
> ----------+------------------+------------------------------------------
> | fml...@gmail.com | PBKDF2$sha256$10000$e0DVCuGEua3ebxxU$Bh6
>
> I have updated the length of password column to 80 characters in my table
> and still the stored password
> seems to be in 40 char long, I print the hash after creating the second
> hash (password -> sha1 hash 40 char long-> pbdkf2 hash 69 char long)
>
> before storing into the database table, I believing the hash has
> been truncated, any idea what is happening here.
> I am not seeing any clue in the code.
>
> thanks, Vipin
>
>
>> Thanks James, I have updated the password of one user in galaxy_user
>> table with the new algorithm,
>> I also adjusted the function "new_secure_hash"
>> in /lib/galaxy/util/hash_util.py in such a way that it returns
>> the new hash instead of sha1. Now I tried to login, it fails to get the
>> account, I think there is something going
>> wrong in the password hash comparison. Can you please assit here.
>>
>> +++ b/lib/galaxy/util/hash_util.py Thu May 02 14:33:07 2013 -0400
>> @@ -25,13 +25,60 @@
>> Returns either a sha1 hash object (if called with no arguments), or a
>> hexdigest of the sha1 hash of the argument `text_type`.
>> """
>> + import hashlib
>> + from os import urandom
>> + from base64 import b64encode, b64decode
>> + from itertools import izip
>> + from pbkdf2 import pbkdf2_bin
>> +
>> + SALT_LENGTH = 12
>> + KEY_LENGTH = 24
>> + HASH_FUNCTION = 'sha256'
>> + COST_FACTOR = 10000
>> +
>> if text_type:
>> + #return sha1( text_type ).hexdigest()
>> +
>> + sec_hash_1 = sha1( text_type ).hexdigest()
>> +
>> + if isinstance(sec_hash_1, unicode):
>> + sec_hash_1 = sec_hash_1.encode('utf-8')
>> + salt = b64encode(urandom(SALT_LENGTH))
>> +
>> + return 'PBKDF2${0}${1}${2}${3}'.format(
>> + HASH_FUNCTION,
>> + COST_FACTOR,
>> + salt,
>> + b64encode(pbkdf2_bin(sec_hash_1, salt, COST_FACTOR,
>> KEY_LENGTH, getattr(hashlib, HASH_FUNCTION))))
>>
>>
>> thanks, Vipin
>>
>>
>> That should be the only place, it is called from the some methods of
>>> the User model object. So you could modify it to always hash new
>>> passwords in a different way, but check old passwords with sha1 first,
>>> then something else.
>>>
>>> Although it might be nice to move the functionality into
>>> security.validate_user_input since it is really specific to user
>>> passwords, especially with those changes.
>>>
>>> I'd be happy to see this go into main with sha256 or something
>>> similar. Also, we could consider adding a random per-user salt field
>>> if you are really concerned about this.
>>>
>>> --
>>> James Taylor, Assistant Professor, Biology/CS, Emory University
>>>
>>>
>>> On Thu, May 2, 2013 at 10:21 AM, Vipin TS <vipin...@gmail.com> wrote:
>>> > Hello dev-team,
>>> > I would like to add the different type of password encryption to the
>>> users
>>> > in my galaxy instance. I started working with the current password
>>> encoding
>>> > script:
>>> > /home/apps/galaxy-dist/lib/galaxy/util/hash_util.py
>>> >
>>> > I will keep the current sha1 and add another layer of encryption to
>>> the sha1
>>> > hash, otherwise I need to force all my users to change the password and
>>> > follow the new hashing method.
>>> >
>>> > Can anyone please point me any other place/script which I missed
>>> regarding
>>> > the encryption/decryption of user authentication.
>>> >
>>> > thanks in advance,
>>> > --/Vipin
>>> >
>>> >
>>> > ___________________________________________________________
>>> > Please keep all replies on the list by using "reply all"
>>> > in your mail client. To manage your subscriptions to this
>>> > and other Galaxy lists, please use the interface at:
>>> > http://lists.bx.psu.edu/
>>> >
>>> > To search Galaxy mailing lists use the unified search at:
>>> > http://galaxyproject.org/search/mailinglists/
>>>
>>
>>
>
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client. To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at:
http://galaxyproject.org/search/mailinglists/
