AuthMe with IPB4 #483

Closed
Feerko opened this issue Jan 31, 2016 · 26 comments

@Feerko

Feerko commented Jan 31, 2016

No description provided.

@ljacqu
Member

ljacqu commented Jan 31, 2016

Looks like IPB4 does password hashing differently from IPB3. Could you maybe register a test user with "password" and then tell us the hash that it generated in the database? That way we can test against it if we decide to add IPB4 support to AuthMe.


Edit: Found the following snippet while doing some searches

function check_ipb4($password, $user)
{
    if($user['passwordconvert'] == crypt($password, '$2a$13$'.$user['passwordconvertsalt']))
    {
        return true;
    }

    return false;
}

from https://raw.githubusercontent.com/mybb/merge-system/feature/loginconvert.php
Also this https://github.com/EQdkpPlus/core/blob/master/core/bridges/ipb4.bridge.class.php

@ljacqu
Member

ljacqu commented Jan 31, 2016

Oh, cool, you rock!
I wonder what the salt does—seems like the hash is enough to validate the password. In your config, could you please try:

    passwordHash: BCRYPT

maybe you also need to set

  bCryptLog2Round: 13

so that the hashes generated by AuthMe also follow the $2a$13$ format, but I would assume that it works with any number.
It's possible that players who register with AuthMe won't be able to log into the forum since the BCRYPT hash won't store this additional salt column. However, I have no idea how it comes into play.

@ljacqu
Member

ljacqu commented Jan 31, 2016

Thanks for the info. In that case we'll need to take a closer look at it. Note that it generating a different hash doesn't necessarily mean it's wrong, but of course since the forum doesn't accept it, something is wrong.

@sgdc3
Member

sgdc3 commented Jan 31, 2016

@Feerko Why me? @ljacqu is the one you need to thank ;)

@ljacqu
Member

ljacqu commented Feb 1, 2016

I'm afraid I already have a lot of things in AuthMe to take care of so I won't have time to look at this in greater detail. Maybe someone else from the dev team can.

@Maddeningmorel

Hi, I have the same problem. Is anyone working on fixing this?

@sgdc3
Member

sgdc3 commented Feb 2, 2016

@Feerko @Maddeningmorel We are all volunteers in the team, please be patient...

@sgdc3
Member

sgdc3 commented Feb 3, 2016

@DNx5 @games647 @ljacqu I can only bump this report..

@ljacqu
Member

ljacqu commented Feb 3, 2016

@Feerko Money is not an incentive for me, but if you have the possibility to have a Skype session together sometime, we could kick some butt ;3
I speak German and French natively in case that would luckily coincide with your mother tongue

@ljacqu
Member

ljacqu commented Feb 3, 2016

Thanks, that's already a great help. The real question is what this members_pass_salt column does. Do you know php? We need to find out where it's used in IPB.

@sgdc3
Member

sgdc3 commented Feb 5, 2016

@Xephi can you help us? ;)

@sgdc3
Member

sgdc3 commented Feb 6, 2016

@sgdc3
Member

sgdc3 commented Feb 7, 2016

Bump, any volunteer?
@Xephi @ljacqu @games647 @DNx5

@games647
Member

games647 commented Feb 7, 2016

@sgdc3 Me!

It looks like IPB4 uses bcrypt but with a higher cost value.

@sgdc3
Member

sgdc3 commented Feb 7, 2016

@games647 Thanks ;)

@games647
Member

games647 commented Feb 7, 2016

@Feerko Do you use AuthMe for registrations or logins?

EDIT: I used your table setup and the login in minecraft works for me.

@games647
Member

games647 commented Feb 8, 2016

To login on to the forum is needed.

That's weird, because the salt is included in the bcrypt hash. It's the first 22 characters after the last $.

@games647
Member

games647 commented Feb 8, 2016

@Feerko Does it work if you copy the salt into the salt column?

@ljacqu
Member

ljacqu commented Feb 8, 2016

@Feerko: random guess, what if you add a "salt" (random text of same length as the others) into the column?
It wouldn't make sense to persist it but maybe IPB uses a second salt for some other purposes, like creating a safer cookie to signal to the server that the user is logged in (just putting the password hash has security implications, so it's a possibility they went that way)

@ljacqu
Member

ljacqu commented Feb 8, 2016

If so, the implementation is easy: use BCrypt (with 13 as number of rounds?) + add behavior to persist a random string of fixed length to the column

@games647
Member

games647 commented Feb 8, 2016

@ljacqu So maybe we should save the salt in the salt column although it's not needed.

@DNx5
Contributor

DNx5 commented Feb 8, 2016

This looks like xenforo

/Users/feerko/Downloads/ips_d6298/system/Member/Member.php:
 2057   {
 2058       /* New password style introduced in IPS4 using Blowfish */
 2059:      if ( mb_strlen( $this->members_pass_salt ) === 22 )
 2060       {
 2061:          return crypt( $password, '$2a$13$' . $this->members_pass_salt );
 2062       }
 2063       /* Old encryption style using md5 */
 2064       else
 2065       {
 2066:          return md5( md5( $this->members_pass_salt ) . md5( \IPS\Request::legacyEscape( $password ) ) );
 2067       }
 2068   }
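
Added example, not part of the thread and not AuthMe's or IPS's code: a check of a `members_pass_hash` / `members_pass_salt` pair against the branch logic in the `Member.php` routine quoted above. It assumes the forum compares that routine's return value to the stored hash with plain string equality; the function names and sample values are constructed for illustration.

```python
import re

# bcrypt modular crypt format: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def split_bcrypt(hash_str):
    """Split a bcrypt hash string into variant, cost, salt and digest."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    variant, cost, salt, digest = m.groups()
    return {"variant": variant, "cost": int(cost), "salt": salt, "digest": digest}


def ipb4_row_problems(pass_hash, pass_salt):
    """List why the Member.php routine quoted above could not reproduce pass_hash.

    Assumption: the forum compares that routine's return value to the stored
    hash with plain string equality.
    """
    if len(pass_salt or "") != 22:
        # Member.php only takes the crypt() branch for a 22-character salt.
        return ["salt column is not 22 characters: legacy md5 branch is used"]
    try:
        parts = split_bcrypt(pass_hash)
    except ValueError:
        return ["stored hash is not a bcrypt string"]
    problems = []
    if (parts["variant"], parts["cost"]) != ("2a", 13):
        problems.append("prefix is not $2a$13$")
    if parts["salt"] != pass_salt:
        problems.append("salt column differs from the salt embedded in the hash")
    return problems


# Constructed sample values (format only, not the hash of any real password).
SALT = "abcdefghijklmnopqrstuv"
DIGEST = "0123456789ABCDEFGHIJKLMNOPQRSTU"
HASH_COST_13 = "$2a$13$" + SALT + DIGEST
HASH_COST_10 = "$2a$10$" + SALT + DIGEST

if __name__ == "__main__":
    for h, s in [(HASH_COST_13, SALT), (HASH_COST_13, ""), (HASH_COST_10, SALT)]:
        print(repr(s), ipb4_row_problems(h, s) or "ok")
```

A row written with an empty salt column, or with a cost other than 13, is reported here even though the bcrypt hash itself is valid.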

@ljacqu
Member

ljacqu commented Feb 10, 2016

@Feerko IPB4 support has been implemented by @DNx5 and should work by setting passwordHash: IPB4 and mySQLColumnSalt: 'members_pass_hash' in your config. Could you please try it out with a recent development build? :) [build 755 or any blue build above]

@ljacqu
Member

ljacqu commented Dec 4, 2016

Sad that we never got feedback from @Feerko, but I'm assuming that this can be closed.

@ljacqu ljacqu closed this as completed Dec 4, 2016
@ljacqu ljacqu added this to the 5.2 milestone Dec 4, 2016
@BulgarianHealer
Contributor

Hi, the script is working with IPB 4, but there is one problem: the script doesn't add the default group and the user can't log in to the forum. :) The default group is 3; the column is member_group_id

@ljacqu
Member

ljacqu commented Mar 4, 2017

Hi @krokit, if you'd like to discuss this, could I ask you to create a new issue?
