How to generate user password for migration
Added by Christoph Keimel over 12 years ago
Hello
I am currently migrating from a custom system to Redmine 2.0.3 and I would like to create the appropriate inserts into the table USER keeping the password from the legacy system. For this I need to translate the algorithm for creating the password string stored in USER.HASHED_PASSWORD and USER.SALT to Java (the language of my choice).
I'm assuming SALT is randomly generated. I have read some posts and found different information for HASHED_PASSWORD.
sha1($salt . sha1($password));
SHA1( cleatextpasswd + SHA1(salt) )
See:
- http://www.redmine.org/boards/4/topics/31652?r=31653#message-31653
- http://www.redmine.org/boards/2/topics/24386
I would be very happy, if someone could clarify.
Thank you!
Christoph
Replies (6)
RE: How to generate user password for migration - Added by William Roush over 12 years ago
When all else fails, refer to source:
https://bitbucket.org/redmine/redmine-all/src/c06f74894d2c/app/models/user.rb#cl-253
self.hashed_password = User.hash_password("#{salt}#{User.hash_password clear_password}")
In ruby:
#{salt} == salt value. #{User.hash_password clear_password} == call method User.hash_password with clear_password as the param.
All this is wrapped in another User.hash_password, so it runs an SHA1 hash again.
Or as I pointed out in PHP:
sha1($salt . sha1($password));
RE: How to generate user password for migration - Added by Christoph Keimel over 12 years ago
Thanks for the quick reply!
I am not quite clear on how the parameters are formatted as a string before they are passed to the User.hash_password function.
I'll try to make the question clearer:
How is $salt formatted for the string concatenation? As a number in hex, like it is saved in the database?
Similar question: Does User.hash_password return the hash result as a string or a number? If it is a number, is it formatted in hex or in dec?
RE: How to generate user password for migration - Added by William Roush over 12 years ago
Christoph Keimel wrote:
Thanks for the quick reply!
I am not quite clear on how the parameters are formatted as a string before they are passed to the User.hash_password function.
I'll try to make the question clearer:
How is $salt formatted for the string concatenation? As a number in hex, like it is saved in the database?
Similar question: Does User.hash_password return the hash result as a string or a number? If it is a number, is it formatted in hex or in dec?
Salt is 16 bytes of random hex, stored as a string in the database with the user's password.
User.hash_password uses Digest::SHA1.hexdigest which returns an SHA-1 hash (hex), return type is a string though.
RE: How to generate user password for migration - Added by Christoph Keimel over 12 years ago
Thanks. It's up and running.
If anyone should need this ... here is the Java equivalent for User.hash_password:
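    import java.math.BigInteger;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    // Returns the SHA-1 digest of the input as a 40-character lowercase hex
    // string, matching Ruby's Digest::SHA1.hexdigest.
    public static String sha1(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            // Fixed charset so the result does not depend on the platform default
            byte[] hash = md.digest(password.getBytes(StandardCharsets.UTF_8));
            BigInteger bi = new BigInteger(1, hash);
            // Zero-pad to two hex digits per digest byte
            return String.format("%0" + (hash.length << 1) + "x", bi);
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
        return null;
    }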
To create the hashed_password in Java you would call:
String hashed_password = sha1(salt + sha1(password));
RE: How to generate user password for migration - Added by Brian Rose over 8 years ago
How much of this is machine or OS dependent? We are trying to migrate a 2.6.x Redmine on CentOS to a 3.3.x on Ubuntu and we cannot get into the admin account.
I have the following BASH script to try to work out the new parameters
REDMINEPASS="<password>"
REDMINESALT="<salt value from 2.6.x db>"
TEMP1=`echo $REDMINEPASS | openssl sha1`
SHAPASS=`echo ${TEMP1:9}` # openssl returns "(stdin)= " before the hash on the command line. Trim the first 9 bytes
HASH=`echo $REDMINESALT$SHAPASS | openssl sha1`
echo ${HASH:9}
RE: How to generate user password for migration - Added by Brian Rose over 8 years ago
Here is a little cleaner one using sha1sum. Note the two methods generate different results.
SHAPASS=`echo $REDMINEPASS | sha1sum`
HASH=`echo $REDMINESALT$SHAPASS | sha1sum`
echo $HASH
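Added example, not part of any post in this thread: the formula given in the replies above, sha1(salt + sha1(password)), written in shell next to an echo-based pipeline, to show why the two produce different values. echo appends a newline to the bytes being hashed and sha1sum appends a "  -" field to its output; the salt and password are constructed sample values and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: reproduce Redmine's stored password hash,
#   hashed_password = SHA1_hex( salt + SHA1_hex(password) )

# Hex SHA-1 of the exact bytes of $1. printf '%s' adds no trailing newline,
# and cut drops the "  -" filename field that sha1sum prints after the hash.
sha1_hex() {
    printf '%s' "$1" | sha1sum | cut -d' ' -f1
}

# Formula from the thread: $1 = salt (hex string from the DB), $2 = password.
redmine_hash() {
    sha1_hex "${1}$(sha1_hex "$2")"
}

# Same formula fed through echo: each echo appends "\n" to the hashed input,
# so the result does not match what Redmine stored.
redmine_hash_echo() {
    inner=$(echo "$2" | sha1sum | cut -d' ' -f1)
    echo "${1}${inner}" | sha1sum | cut -d' ' -f1
}

# Return 0 if password $3 matches stored hash $1 under salt $2.
redmine_verify() {
    [ "$(redmine_hash "$2" "$3")" = "$1" ]
}

SALT="0123456789abcdef0123456789abcdef"   # constructed, not from a real DB
PASS="password"                            # constructed sample password

echo "printf-based: $(redmine_hash "$SALT" "$PASS")"
echo "echo-based:   $(redmine_hash_echo "$SALT" "$PASS")"
```

To check a migrated account, pass the hashed_password and salt values from the users table to redmine_verify together with the candidate password.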