The authentication with ep_hash_auth does not work #8
Comments
It should be sufficient to create hash files, and then there is no need to additionally specify them in settings.json. The usual use case is you either specify it as a file or as an entry under the user's username. ... The ep_hash_auth section of the config is not part of the users section! If placed under users it will assume a user called ep_hash_auth and won't configure the system. This is why your config is not working. |
Thanks @LaKing for taking time to help / advise. We're promoting ep_hash_auth to all users now on first run so it could be that usage goes up and ergo user issues so thanks for handling them! 👍 |
Thank you for your answer but it doesn't work either. Could there be an issue with python3? Cause GitHub generates the hashes with python? |
Running Etherpad-lite 1.8.4 with ep_hash_auth 3.0.1, I can confirm that user authentication using "ep_hash_auth" doesn't work. With settings.json with 'ep_hash_auth' configuration, in logs I can see:
When 'ep_hash_auth' is commented out and 'users' configuration is populated with users data in config.json everything is working as expected. |
I'm gonna try find time to bring ep_hash_auth into the Etherpad tests so we test functionality on commit. |
@nscomputing for now, try latest develop branch to see if it works |
Thanks for reply. Will try to find some time tomorrow to try etherpad-lite develop branch. |
Just tried the latest etherpad-lite develop branch. When users blob with hashes is in the settings.json authentication works.
and authentication failed. |
I have a similar issue of not understanding how this should be configured correctly.
If I do this I still get the console message about "Admin username and password not set in settings.json". Also the only way I was able to get the whole thing to even allow me to login was to edit the following line in ep_hash_auth.js:
to:
Because no matter whichever way I tried to add hashes to .hash, they would always appear with a newline when compared, which caused the authentication to fail. I could use If I try to login as a user and purposely enter the wrong password I see:
This happens for all users except admin. For admin it either gives 'no such user' or 'incorrect password'. I don't know why sometimes it is one and sometimes the other. I also don't understand how to only allow one user to be admin and the rest not to be. If I set hash_adm to true then everyone is admin, and if I set it to false no one is admin. The only way I can think of would be to edit ep_hash_auth.js some more to either check if a user is named admin to change hash_adm to true. I don't know why I get these issues and others do not. I'm obviously doing something very wrong but I don't know what that is. Thanks for any help that can be provided. |
I am getting the exact same issues and going to submit a PR for this right now. |
I have found the source of the problem. I was doing two (2) different things in order to create the
vi/m will try to append a newline to the end of the data in the file. You can confirm this by using
The solution is to use the Let me know if that helps! Will |
Your mistake is that you use sha512 in your configuration, but use a bcrypt hash. The README is somewhat unclear about this, because it does not explain how to change which type of hash to use, but it does show how to generate various hashes, but does not show how to generate a sha512 hash. At the same time, @hawkinsw is also right that it's important to make sure the |
Even considering the above comments on ensuring that the hash is created on a password without a newline, and matching the configured hash function with the actually-used hash function, I am still experiencing issues with If I put the hash with the user's settings in |
I've been following this thread to solve my issues with ep_hash_auth plugin. Having the following configured in settings.json:
"users": {
  "admin": {
    "password": "${ADMIN_PASSWORD:null}",
    "is_admin": true
  }
},
"ep_hash_auth": {
  "hash_typ": "sha512",
  "hash_dig": "hex",
  "hash_dir": "/opt/etherpad-lite/users",
  "hash_ext": "/.hash",
  "hash_adm": false,
  "displayname_ext": "/.displayname"
},
For example, for user
python -c 'import bcrypt; print(bcrypt.hashpw(b"password", bcrypt.gensalt(rounds=10, prefix=b"2a")))'
Output:
echo -n '$2a$10$ttmrfYu7414jsKsUPiyOmOW2OXivLfr5ZHAbSOIU8HyjT0j9E/49e' > /opt/etherpad-lite/users/gus/.hash
The important thing about the single quotes is that they do not resolve any character within the string. If you use double quotes: echo -n "$2a$10$ttmrfYu7414jsKsUPiyOmOW2OXivLfr5ZHAbSOIU8HyjT0j9E/49e" the hash gets re-encoded, and the output would look like: a0/lByWLFeTJJSH4eIZYYcCE15aUlBpAQNA9xQYaa which alters the hash structure and the auth triggers a Failed authentication from IP error. As you can see, the user |
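Added example, not from the thread or from ep_hash_auth: a shell check that tells apart the three .hash file problems raised in the comments above (a trailing newline, a bcrypt string mangled by double quotes, and a hash whose format does not match the configured hash_typ). The function names are hypothetical; the bcrypt string is the one quoted in the comment above.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical, not plugin code.

# Write a hash exactly as given: printf '%s' appends no newline. The caller
# passes the hash in single quotes so the shell expands nothing inside it.
write_hash() {  # usage: write_hash <file> <hash>
    printf '%s' "$2" > "$1"
}

# What double quotes do to the bcrypt string from the thread: $2, $1 and
# $ttmrfYu... are expanded as (empty) shell parameters, leaving only "a0/49e".
double_quoted_demo() {
    printf '%s' "$2a$10$ttmrfYu7414jsKsUPiyOmOW2OXivLfr5ZHAbSOIU8HyjT0j9E/49e"
}

# Print one word describing what a .hash file contains.
classify_hash_file() {  # usage: classify_hash_file <file>
    f=$1
    [ -s "$f" ] || { echo empty; return; }
    # wc -l counts line feeds, so a last byte that is LF gives 1 here.
    if [ "$(tail -c 1 "$f" | wc -l)" -gt 0 ]; then
        echo trailing-newline; return
    fi
    content=$(cat "$f")
    case $content in
        '$2'[aby]'$'[0-9][0-9]'$'*)
            # bcrypt: 7-char prefix + 22-char salt + 31-char digest = 60
            if [ "${#content}" -eq 60 ]; then echo bcrypt; else echo mangled; fi ;;
        *)
            # A SHA-512 digest in hex is exactly 128 hex characters.
            if [ "${#content}" -eq 128 ] &&
               ! printf '%s' "$content" | grep -q '[^0-9a-fA-F]'; then
                echo sha512-hex
            else
                echo mangled
            fi ;;
    esac
}
```

A result of `bcrypt` for a file read with `"hash_typ": "sha512"` is the format mismatch described earlier in the thread; `trailing-newline` and `mangled` correspond to the editor and quoting problems.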
Hello,
I have the following issue: I set up a CentOS server with nginx, nodejs and etherpad. Everything works fine, but I struggle with the configuration of ep_hash_auth.
I set it up like GitHub said and I can generate hashes with bcrypt. My users are stored in /var/etherpad/users/username/.hash, the hash is in the .hash file, and the user who runs etherpad is the owner of that directory. In the Etherpad settings.json I changed "requireAuthentication" to true and created the usernames like GitHub said.
What I am doing is: I create the hash for a password, create the directory and store the hash in the .hash file. Then I create the user in the etherpad settings.json like
"username": {"is_admin": true, "hash": "b'$2a$10$cyh661 ... Z9vyYFQbDK'"}
Is it correct to split the hash with dots or should I enter the full hash?
I also added this in my settings.json right under the point "users"
"ep_hash_auth": {
"hash_typ": "sha512",
"hash_dig": "hex",
"hash_dir": "/var/etherpad/users",
"hash_ext": "/.hash",
"hash_adm": false,
"displayname_ext": "/.displayname"
},
It would be really great if somebody could help me or maybe explain how he is working with the ep_hash_auth plugin.
Thank you in advance