Moodle External Database Authentication With Salt Hashing

by Luis Oliveira -
Number of replies: 3

Hi, I'm setting up Moodle 3.0 to allow users from my CMS (developed using the framework CakePHP 2.6) to log in to Moodle. The two databases are on the same server. I'm using the "External Database" option from Moodle; it seems to be the easiest solution to set up.

According to Moodle Docs, the script /path/to/moodle/auth/db/cli/sync_users.php imports the users from the external database (CMS) to Moodle. This works perfectly, but logging in to Moodle using the credentials (username and password) from the external database doesn't work.

I think the problem might be the "Format password" setting (I'm using SHA-1 hash) in the "External Database" setup, because in CakePHP there's password hashing (SHA1 using salt). When I set "Format password" to "Plain text" it works, but that's not what I want. Is there some way to solve this?

Links:

https://docs.moodle.org/27/en/External_database_authentication

https://docs.moodle.org/30/en/Password_salting

In reply to Luis Oliveira

Re: Moodle External Database Authentication With Salt Hashing

by Luis Oliveira -

I've come up with a solution to my problem, but I had to change just one line of Moodle's code, something I was trying to avoid. I've tried setting "Format password" to the "Crypt one-way hashing" option, but with no success.

CakePHP on my server is hashing the password this way:


$string = $salt_key . $password;
sha1($string);

So in Moodle authentication with "External Database" I've changed the file /path/to/moodle/auth/db/auth.php and added the following:


// I've just added this line:
// $extpassword = '<your_salt_key_here>' . $extpassword;
if ($this->config->passtype === 'plaintext') {
    return ($fromdb == $extpassword);
} else if ($this->config->passtype === 'md5') {
    return (strtolower($fromdb) == md5($extpassword));
} else if ($this->config->passtype === 'sha1') {
    $extpassword = '<your_salt_key_here>' . $extpassword; // Add this line
    return (strtolower($fromdb) == sha1($extpassword));
} else if ($this->config->passtype === 'saltedcrypt') {
    require_once($CFG->libdir.'/password_compat/lib/password.php');
    return password_verify($extpassword, $fromdb);
} else {
    return false;
}

In reply to Luis Oliveira

Re: Moodle External Database Authentication With Salt Hashing

by John Okely -

Do you see the option to choose salted crypt? It was added in 2.9.

Unfortunately Google often gives results for old documentation. See the 3.0 docs: https://docs.moodle.org/30/en/External_database_authentication#Additional_Notes

In reply to John Okely

Re: Moodle External Database Authentication With Salt Hashing

by Luis Oliveira -

Yes I did, but it didn't work. Thanks!
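
Why the "SHA-1" and "Crypt one-way hashing" settings discussed in this thread both reject a hash stored as sha1($salt_key . $password), while a salt-prefixed check accepts it. This is an added example, not part of the original posts and not Moodle's or CakePHP's code; the salt, the password and the function name verify_salt_prefixed_sha1 are constructed for illustration.

```php
<?php
// Added example: names below are illustrative, not Moodle's or CakePHP's own code.

// Constructed sample values (not from the thread).
$salt_key = 'constructed-example-salt';   // stands in for the CMS's site-wide salt
$password = 'correct horse battery';      // what the user types at the login form
$fromdb   = sha1($salt_key . $password);  // what the CMS stored, per the scheme in the thread

/**
 * Hypothetical verifier for a salt-prefixed SHA-1 hash.
 * hash_equals() (PHP >= 5.6) compares in constant time and, unlike ==,
 * never treats two "0e..."-looking digests as equal numbers.
 */
function verify_salt_prefixed_sha1($fromdb, $extpassword, $salt_key) {
    return hash_equals(strtolower($fromdb), sha1($salt_key . $extpassword));
}

// What each kind of check does with the same stored value.
$results = array(
    // 'sha1' setting: unsalted digest of the typed password, so it never matches.
    'sha1'           => hash_equals(strtolower($fromdb), sha1($password)),
    // 'saltedcrypt' setting: password_verify() expects a crypt()-format hash
    // such as bcrypt ($2y$...); a bare 40-character hex digest does not verify.
    'saltedcrypt'    => password_verify($password, $fromdb),
    // Salt-prefixed SHA-1: the only check that mirrors how the hash was produced.
    'salted sha1'    => verify_salt_prefixed_sha1($fromdb, $password, $salt_key),
    // A wrong password must still fail with the salt applied.
    'wrong password' => verify_salt_prefixed_sha1($fromdb, 'guess', $salt_key),
);

foreach ($results as $check => $ok) {
    printf("%-15s %s\n", $check, $ok ? 'match' : 'no match');
}
```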