I have been getting involved with Koha (19.05 on Debian 10) since last November. I am contributing to
translation too, and digging into the DB, and scripts... Right now I have a new
challenge: I need to know which method the system applies to encrypt
borrowers' passwords. I know that it uses Bcrypt 8, but the stored encrypted
string does not match the typed string. Any clue?
Thanks in advance.
> I have been getting involved with Koha since last November. I am contributing to
> translation too, and digging into the DB, and scripts... Right now I have a new
> challenge: I need to know which method the system applies to encrypt
> borrowers' passwords. I know that it uses Bcrypt 8, but the stored encrypted
> string does not match the typed string. Any clue?
What kind of match do you expect?
Try the following (using a Koha user shell) to see what an encrypted
password will look like
Let me explain, because encoding/decoding passwords is a sensitive subject. First
of all, we know that it is impossible to reverse the stored password because bcrypt
is a one-way method. My need is that I have a system, still in use, that
has some tools written by myself in PHP etc. They are to print labels,
meeting room agendas etc.

Me and my staff have access to this program by username & password, but I
would like to validate that access with the username & password stored in the Koha
db. So, we would all have just one account to manage.

But really, thanks for your reply.

P.S. If we use an online Bcrypt generator (e.g.
https://www.browserling.com/tools/bcrypt), and put in, like your example,
"clearpass" (using Rounds 8 - 'cause chars 03-05 are "$08" in the encrypted
string) we get another result compared with Koha::AuthUtils. Why? Because
Koha has something more (a salt) that goes along with our pass phrase when
creating the hash (crypted string).
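use Modern::Perl;      # enables strict, warnings and say
use Koha::AuthUtils;
use C4::Auth;

# Generate the hash (a fresh random salt is embedded in the result)
my $hashed_pwd = Koha::AuthUtils::hash_password('Your password');
# Compare it with a new login: the typed password is checked against the stored hash
my $login_pwd = 'Your password';
say C4::Auth::checkpw_hash( $login_pwd, $hashed_pwd );
# A wrong password must not match the stored hash
my $wrong_pwd = 'wrong';
say C4::Auth::checkpw_hash( $wrong_pwd, $hashed_pwd );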
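
An added example (not from the thread and not Koha's own code), written in PHP because the external tools mentioned above are PHP: it shows why two bcrypt strings for "clearpass" at cost 8 differ, and how an external tool can check a typed password against a stored bcrypt string without reversing it. The helper names `parse_bcrypt` and `verify_stored_password` are hypothetical, the two salts are constructed sample values, and reading the stored hash from the Koha database is assumed to happen elsewhere.

```php
<?php
// Added example, not Koha code. parse_bcrypt() and verify_stored_password()
// are hypothetical helper names; fetching the stored hash is not shown.

// Split "$2a$08$<22-char salt><31-char digest>" into its fields.
// Returns null when the value is not a bcrypt string.
function parse_bcrypt(string $stored): ?array
{
    $re = '#^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $stored, $m)) {
        return null;
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2],
            'salt' => $m[3], 'digest' => $m[4]];
}

function verify_stored_password(string $typed, string $stored): bool
{
    if (parse_bcrypt($stored) === null) {
        return false; // not a bcrypt string: refuse instead of guessing
    }
    // Re-hashes $typed with the cost and salt read from $stored and
    // compares the result in constant time.
    return password_verify($typed, $stored);
}

// Constructed sample data: the same password hashed at cost 8 with two
// made-up salts, standing in for a Koha value and an online generator's.
$stored = crypt('clearpass', '$2a$08$abcdefghijklmnopqrstuu');
$other  = crypt('clearpass', '$2a$08$ABCDEFGHIJKLMNOPQRSTUu');

$fields = parse_bcrypt($stored);
printf("cost=%d salt=%s\n", $fields['cost'], $fields['salt']);
printf("same string as other hash: %s\n",
    var_export($stored === $other, true));
printf("clearpass vs stored: %s\n",
    var_export(verify_stored_password('clearpass', $stored), true));
printf("clearpass vs other:  %s\n",
    var_export(verify_stored_password('clearpass', $other), true));
printf("wrong vs stored:     %s\n",
    var_export(verify_stored_password('wrong', $stored), true));
```

Comparing a freshly generated hash to the stored string with `===` will fail for a correct password, because each new hash gets its own salt; the check has to reuse the salt embedded in the stored value.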