http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611
--- Comment #42 from Chris Hall <[email protected]> ---

Created attachment 17204
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17204&action=edit
Removing external dependency for password salting

I have written a wrapper around /dev/urandom and /dev/random that will give back a specified number of bytes for salting purposes; however, this can be used any time a pseudo-random number is needed within Koha. /dev/urandom should be sufficient for general password salting; /dev/random is more suited when higher entropy is needed (if we ever use server salts).

This patch removes the Crypt::Random::Source dependency that was mentioned in the 'Updating dependencies' patch. It may be useful to squash this patch set down, but I did not do so as I didn't want to remove authorship details.

Test plan:

1. In current master (before applying this patch), create a new user.
2. Log in to the Koha MySQL database (sudo koha-mysql instance) and run the following query:
   select userid, password from borrowers where userid='username';
   The output should be something like:
   patron | vdpWxEZTtVVPhZSAq1NIMw
3. Apply the patch series on this bug.
4. Change the user's password from within Koha (for testing it is fine to change it to the same password).
5. Run the above query again and observe the output:
   patron | $2a$08$U93rGVfvcV0YUNhJY.so3OkNL46bGBrIR3ugyskXLIJY5aMD8ENme
   Notice that the new password is longer, but also that all passwords generated by this patch series should begin with '$2a$08$'.
6. If we change the password again in the interface to the same password and run our database query again, we should get a different value in the password field (although it will still have the '$2a$08$' prefix).
7. Attempt to log in as the user using the password you just set.
This patch series fails if any of the following occur:
- you cannot change a password
- you cannot log in
- the new passwords (viewing them from within the database) do not start with "$2a$08$"
- changing the password twice to the same value (say, "testing") results in the same password value being stored in the database

Otherwise it is a pass.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
