Also, the passwords from the external database are generated as explained here: https://solero.github.io/password. Thanks again!
-
This reply was modified 6 years, 2 months ago by
Julian45123.
Hey @julian45123,
Apologies for the delayed response. It’s been a busy week.
From looking at this the example you sent the solution is incredibly custom and uses an md5 hash as it’s core (not bcrypt).
When it ‘encrypts’ the password it is definitely doing it in a custom way. It appears to be hashing the typed in password then storing the a jumble of the hash where the second set of 16 characters are placed on the front and the first set at the back. It then uses a salt and a static key which is being used like a second salt.
You can still make this work with the plugin using a hook.
If you go to the FAQ and look at the exlog_hook_filter_authenticate_hash hook thereβs some instruction in there about how to write your custom hashing algorithm.
Essentially you’ll have to replicate the logic that your custom setup uses to return true or false in the hook.
Hey @tbenyon,
Thanks for your answers. I’ve developed this code:
function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
$hashedPassword = strtoupper(md5($password));
$staticKey = 'houdini';
$flashClientHash = getLoginHash($hashedPassword, $staticKey);
$datbasePassword = password_hash($flashClientHash, PASSWORD_DEFAULT, [ 'cost' => 12 ]);
echo "\n\r\n\r -> " . $datbasePassword . " <- \n\r\n\r";
$password = md5($password);
$hash = substr($password, 16, 16) . substr($password, 0, 16);
$hash = encryptPassword($password, false);
$hash .= $staticKey;
$hash .= 'Y(02.>\'H}t":E1';
$hash = encryptPassword($hash);
return $hash == $hashFromDatabase;
}
add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);
I’ve placed the code in my theme’s functions.php and it says invalid username and password. Can you help me? Do you see any error on the code?
Thanks again,
Julian.
-
This reply was modified 6 years, 1 month ago by Julian45123.
Hey Julian,
Looks like you’ve made a good start.
I’ve added in some suggested error logs to help you and also put a couple of comments in place that may help you debug. The comments are regarding:
-
There’s 2 or 3 functions that you’re using that I’m not sure if they do or don’t exist on this server.
-
At one point you store some data in a variable $hash, never use it then write straight back over the top of it.
Here’s the code with comments and logs:
function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
error_log('EXLOG START >>>>>>>>>>>>>>>>>>>');
$hashedPassword = strtoupper(md5($password));
$staticKey = 'houdini';
error_log('EXLOG hashed PW');
error_log(var_export($hashedPassword, true));
// Does this function exist in your wordpress install???
$flashClientHash = getLoginHash($hashedPassword, $staticKey);
error_log('EXLOG FLASH');
error_log(var_export($flashClientHash, true));
$datbasePassword = password_hash($flashClientHash, PASSWORD_DEFAULT, [ 'cost' => 12 ]);
error_log('EXLOG $datbasePassword');
error_log(var_export($datbasePassword, true));
$password = md5($password);
error_log('EXLOG password md5');
error_log(var_export($password, true));
// YOU DON'T SEEM TO USE THIS DATA ANYWHERE AS YOU CHANCE IT's VALUE BELOW???
$hash = substr($password, 16, 16) . substr($password, 0, 16);
// Does this function exist in your wordpress install???
$hash = encryptPassword($password, false);
$hash .= $staticKey;
$hash .= 'Y(02.>\'H}t":E1';
$hash = encryptPassword($hash);
error_log('EXLOG Comparison Values?');
error_log(var_export($hash, true));
error_log(var_export($hashFromDatabase, true));
error_log('EXLOG VALID PASSWORD?');
error_log(var_export($hash == $hashFromDatabase, true));
error_log('EXLOG END >>>>>>>>>>>>>>>>>>>');
return $hash == $hashFromDatabase;
}
add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);
Have a look at your error logs and then you can check to make sure your hook is running, and see what is happening at each stage so you can see what doesn’t match up with what is happening on your other server.
Let me know how you get on π
Thanks,
Tom
Hi again,
Thanks your keep helping me! I checked error.log and I have this code:`
2020/04/18 16:19:33 [error] 27699#27699: *5903 FastCGI sent in stderr: "PHP message: PHP Notice: Undefined index: role in /var/www/community/wp-content/plugins/external-login/login/authenticate.php on line 13
PHP message: PHP Notice: Undefined index: exlog_authenticated in /var/www/community/wp-content/plugins/external-login/login/authenticate.php on line 30
PHP message: PHP Warning: pg_query(): No PostgreSQL link opened yet in /var/www/community/wp-content/pg4wp/driver_pgsql.php on line 139
PHP message: PHP Warning: pg_last_error(): No PostgreSQL link opened yet in /var/www/community/wp-content/pg4wp/driver_pgsql.php on line 140
PHP message: PHP Warning: pg_last_error(): No PostgreSQL link opened yet in /var/www/community/wp-content/pg4wp/driver_pgsql.php on line 55" while reading response header from upstream, client: IP, server: MYWORDPRESSLINK, request: "POST /wp-login.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "MYWPLINK", referrer: "WPLINK/wp-login.php"
2020/04/18 16:19:33 [error] 27699#27699: *5903 FastCGI sent in stderr: "PHP message: PHP Warning: pg_query(): No PostgreSQL link opened yet in /var/www/community/wp-content/pg4wp/driver_pgsql.php on line 139
Do you know what could be? Also, how do I check that the hook is on and working?
Thanks.
I also updated the code to this:
function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
$hashedPassword = strtoupper(md5($password));
$staticKey = 'houdini';
$flashClientHash = getLoginHash($hashedPassword, $staticKey);
$datbasePassword = password_hash($flashClientHash, PASSWORD_DEFAULT, [ 'cost' => 12 ]);
echo "\n\r\n\r -> " . $datbasePassword . " <- \n\r\n\r";
function encryptPassword($password, $md5 = true) {
if($md5 !== false) {
$password = md5($password);
}
$hash = substr($password, 16, 16) . substr($password, 0, 16);
return $hash;
}
function getLoginHash($password, $staticKey) {
$hash = encryptPassword($password, false);
$hash .= $staticKey;
$hash .= 'Y(02.>\'H}t":E1';
$hash = encryptPassword($hash);
return $hash == $hashFromDatabase;
}
}
add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);
But still doesn’t work.
The following line tells us the plugin is running. It is only a warning (that I’m aware of) but will not break anything.
PHP message: PHP Notice: Undefined index: exlog_authenticated in /var/www/community/wp-content/plugins/external-login/login/authenticate.php on line 30
The following line is probably an issue because it is throwing an error.
2020/04/18 16:19:33 [error] 27699#27699: *5903 FastCGI sent in stderr: "PHP message: PHP Warning: pg_query(): No PostgreSQL link opened yet in /var/www/community/wp-content/pg4wp/driver_pgsql.php on line 139
This is not to do with the plugin as far as I’m aware as it is in /var/www/community/wp-content/pg4wp/driver_pgsql.php.
The fact that you didn’t see any of the other logs I suggested you add makes me thing that the plugin failed to authenticate the user but the hook may not be running.
Add an addition error_log at the start of your functions.php file and see if you can see that in these logs when you log in.
You could also add another one at the start of the plugin file if that is showing.
Let me know how you get on π
My code right now is like that:
function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
error_log('EXLOG Empieza el hook');
$hashedPassword = strtoupper(md5($password));
$staticKey = 'houdini';
error_log('EXLOG Hashed pwd');
error_log(var_export($hashedPassword, true));
$flashClientHash = getLoginHash($hashedPassword, $staticKey);
error_log('EXLOG FLASH');
error_log(var_export($flashClientHash, true));
$datbasePassword = password_hash($flashClientHash, PASSWORD_DEFAULT, [ 'cost' => 12 ]);
error_log('EXLOG $datbasePassword');
error_log(var_export($datbasePassword, true));
echo "\n\r\n\r -> " . $datbasePassword . " <- \n\r\n\r";
function encryptPassword($password, $md5 = true) {
if($md5 !== false) {
$password = md5($password);
}
$hash = substr($password, 16, 16) . substr($password, 0, 16);
return $hash;
}
error_log('EXLOG password md5');
error_log(var_export($password, true));
function getLoginHash($password, $staticKey) {
$hash = encryptPassword($password, false);
$hash .= $staticKey;
$hash .= 'Y(02.>\'H}t":E1';
$hash = encryptPassword($hash);
return $hash;
}
error_log('EXLOG Comparison Values?');
error_log(var_export($hash, true));
error_log(var_export($hashFromDatabase, true));
error_log('EXLOG VALID PASSWORD?');
error_log(var_export($hash == $hashFromDatabase, true));
error_log('EXLOG END >>>>>>>>>>>>>>>>>>>');
return $hash == $hashFromDatabase;
}
add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);
This error logs are supposed to appear wp-content/debug.log or in any other file? This is the debug options I have in wp_config.php:
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );
Thanks for your help.
There are lots of variables that can make these errors show. They’ll be stored in different places in different standard setups. I’m afraid this is something you’ll have to Google and play around with.
Haven’t heard back from you for a while so I’m going to assume this is resolved.
If not, don’t hesitate to get back in contact and we’ll see what we can do π
Thanks,
Tom π
