
Using a password that is stored in the database as a hash of the password+salt (bugzilla, subversion, Cyrus-SASL integration)

From: Barneck, Jared <Jared.Barneck_at_landesk.com>
Date: Fri, 16 Apr 2010 17:48:53 -0600

Hey all,

My goal is to have Subversion and Bugzilla share the same users by
pointing Subversion to Cyrus-SASL and pointing Cyrus-SASL at the
bugzilla database. I have spent enough time searching the internet,
reading the manuals, and reading posts to know that there isn't a simple
answer to this in a doc.

Seems to me there should be a post somewhere called: How to make
subversion and bugzilla share users? It seems it would be a common
configuration to me but maybe it is not.

I have Cyrus-Sasl successfully using a database if the password field is
clear text. Subversion is successfully configured to use Cyrus-SASL and
authentication works with this Cyrus-SASL config.

However, Bugzilla creates an SHA256 hash as well as appends two strings:

1. It salts the password before hashing. (I am still researching this)
2. It appends the following string to the stored hash: {SHA256}

Is there a way to make Cyrus-SASL use the MD5, SHA1, or SHA256 hash
instead of clear text?
(In this case it is SHA256)

Is there a way to handle the appended string: {SHA256}

Here is my clear text setup that works with a clear text database:
FreeBSD 7.2
cyrus-sasl-2.1.23
subversion-1.6.6

Here is a file that works with a Clear Text password:

# svn.conf.ClearTextDatabasePassword
log_level: 7
pwcheck_method: auxprop
mech_list: plain sha1
auxprop_plugin: sql
sql_hostnames: localhost
sql_engine: mysql
sql_user: root
sql_passwd: pw
sql_database: UserDB
sql_select: SELECT password FROM users WHERE username='%u'

I have been through the documentation and I thought maybe it was sql_mda
but that didn't work when I added this line:
sql_mda=sha1

Bugzilla has a table called "profiles" with two interesting columns:

login_name              cryptpassword
user1_at_domain.tld     CLm15URgJ3uFYDG5pz9mO2vtxJ3PVKZlrpnLT2h8HJqMwO33ML0{SHA-256}
user2_at_domain.tld     oToF0zutirqQXF6BbuAPljJkGaupY5KhHjGPPB8qC9QPkWOEcs0{SHA-256}

Here is what I have to try to work with Bugzilla:

# svn.conf.ClearTextDatabasePassword
log_level: 7
pwcheck_method: auxprop
mech_list: plain sha1
auxprop_plugin: sql
sql_hostnames: localhost
sql_engine: mysql
sql_user: root
sql_passwd: pw
sql_database: bugzilladb
sql_select: SELECT cryptpassword FROM profiles WHERE login_name='%u'

Here is a sample result of that query:

SELECT cryptpassword FROM profiles WHERE login_name='user1_at_domain.tld'
    -> ;
+--------------------------------------------------------------+
| cryptpassword |
+--------------------------------------------------------------+
| CLm15URgJ3uFYDG5pz9mO2vtxJ3PVKZlrpnLT2h8HJqMwO33ML0{SHA-256} |
+--------------------------------------------------------------+
1 row in set (0.00 sec)

So the password is going to be passed in clear text to Cyrus-SASL. The
database is going to return a SHA256 hash of the password with this
string appended to it: {SHA-256}

So the password, I assume, does a string compare. Such a compare is
currently going to look like this, which obviously doesn't work:

        ClearTextPassword ==
oToF0zutirqQXF6BbuAPljJkGaupY5KhHjGPPB8qC9QPkWOEcs0{SHA-256}

I am fuzzy on who compares the password strings: Cyrus-SASL or
Subversion. It seems to me that Cyrus-SASL does.

So I need Cyrus-SASL to
1) obtain the salt
2) hash the password + salt
3) append the string {SHA-256}

1. Does Cyrus-SASL or Subversion handle the password comparison?

If Cyrus-SASL
- Can Cyrus-SASL do these two things (HASH and appended string) without
a code change?

If Subversion
- It seems the subversion code would have to be changed to support this
because from what I have read it doesn't.

Anyway, if I get this figured out, I promise to create a post on my
blog so no one ever asks this question again.

If I can't figure it out, I will probably settle for pointing them both
to active directory.

Thanks,

Jared Barneck
http://Rhyous.com
Received on 2010-04-17 04:54:26 CEST
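Added example (not from the original post, and not Bugzilla's or Cyrus-SASL's own code): the verification step that has to replace the string compare the post describes. The stored value is parsed into its salt and digest, the candidate password is hashed with the salt, and the two digests are compared in constant time. The layout modelled here is an assumption: an 8-character salt prefix followed by the base64-encoded SHA-256 of password+salt with its `=` padding stripped, which is consistent with the 51-character bodies in the post's sample rows but is not confirmed by the post. The sample record is constructed in the example; the post's own hashes cannot be verified because their passwords are unknown. One consequence worth noting for the setup in the post: this check needs the clear-text password on the verifying side, so it only works with a mechanism such as PLAIN over a protected transport; a challenge-response mechanism cannot be verified against a salted hash like this.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

SUFFIX = "{SHA-256}"   # scheme tag appended to the stored value, as shown in the post
SALT_LEN = 8           # ASSUMED salt length: 51-char body in the post = 8 salt + 43 base64 chars
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def make_record(password: str, salt: str = "") -> str:
    """Build a stored value laid out as <salt><base64(sha256(password + salt))>{SHA-256}.

    The layout is an assumption for this example. The base64 '=' padding is
    stripped, which yields the 43-character digest part seen in the post.
    """
    if not salt:
        # constructed random salt for new records
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d characters" % SALT_LEN)
    digest = hashlib.sha256((password + salt).encode("utf-8")).digest()
    return salt + base64.b64encode(digest).decode("ascii").rstrip("=") + SUFFIX


def parse_record(stored: str):
    """Split a stored value into (salt, raw digest bytes); reject any other scheme."""
    if not stored.endswith(SUFFIX):
        raise ValueError("unsupported scheme tag")
    body = stored[: -len(SUFFIX)]
    if len(body) <= SALT_LEN:
        raise ValueError("record too short")
    salt, b64 = body[:SALT_LEN], body[SALT_LEN:]
    b64 += "=" * (-len(b64) % 4)                 # restore the stripped padding
    digest = base64.b64decode(b64, validate=True)
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("digest length mismatch")
    return salt, digest


def verify(password: str, stored: str) -> bool:
    """What the verifier must do: recompute the salted hash and compare digests."""
    try:
        salt, expected = parse_record(stored)
    except (ValueError, binascii.Error):
        return False                             # malformed or foreign record never matches
    actual = hashlib.sha256((password + salt).encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def naive_compare(password: str, stored: str) -> bool:
    """The comparison the post describes; it can never succeed against a hashed record."""
    return password == stored


if __name__ == "__main__":
    record = make_record("correct horse")       # constructed sample user
    print("stored:", record)
    print("naive compare:", naive_compare("correct horse", record))
    print("salted verify:", verify("correct horse", record))
    print("wrong password:", verify("wrong password", record))
```

The `{SHA-256}` suffix is treated as a scheme tag: any record without it (a clear-text row from the old `UserDB`, say) is rejected rather than compared, so the two databases in the post cannot be silently mixed.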

This is an archived mail posted to the Subversion Users mailing list.
