ssha256
-
I like to use Mailcow as a user Database.
The MySQL server from Mailcow uses SSHA256.
Is it possible to add SSHA256 as a Hash Type?
-
Hey @quantumco,
I may be able to help you with this.
Could you please create a new user with the password “password” and share with me the hash that is generated so that I can experiment?
Thanks,
Tom 🙂
Hey @tbenyon
Thank you for your help 🙂
Here is the generated hash for the password “password”:
{SSHA256}JVCmnFjLqYvJJLPKfhG7a6KFaa6JmrEeg8mhTkYqWIljOGMzZmE1OTlhNjE0NzY5
Thanks,
Kevin
Hey Kevin,
Spent some time looking into this for you and unfortunately, it isn’t very clear what this is doing.
I’ve tried to Google around and found a few results like this one that imply this is the process that Mailcow use:
1) Getting the above and removing {SSHA256}.
2) base 64 decoding the rest
3) Splitting the resulting string in half
4) The second half would be the salt and the first half would be a SHA256 hash of the password and the salt
5) At this point we can validate the password to see if that starting hash is equal to the password entered + the salt and the sha(256) hashed.
Unfortunately it doesn’t seem right and step two is where things break down as JVCmnFjLqYvJJLPKfhG7a6KFaa6JmrEeg8mhTkYqWIljOGMzZmE1OTlhNjE0NzY5 isn’t a valid base 64 encoded string.
Unfortunately at this point I think you’re going to have to either contact Mailcow for support or go through the code yourself (or pay a developer to do it) to see how the hashes are actually being generated.
If you can find this out I’m happy to try and help you further.
Thanks,
Tom 🙂
-
Thank you for your research
I also use a Nextcloud Server, there is a plugin called “User and Group SQL Backends”.
This plugin has a SSHA256 Hash algorithm.
With that I use my Mailcow DB for Nextcloud user authentication.
This works.
Maybe there is information that will be useful.
https://github.com/nextcloud/user_sql
In the settings of the plugin I left the salt field empty.
I only picked the Hash algorithm type ssha256.
Of course I disabled Password change 😉
Thank you very much for your help and sorry for my bad English 🙂
-
Hey @quantumco,
Firstly, your English is incredible! Everything you’ve written has been exceptionally clear. 🙂
So I’ve had a look at that plugin for you and I can see how the hash is being used in lib/Crypto/SSHA.php:

    public function checkPassword($password, $dbHash, $salt = null)
    {
        $saltedPassword = base64_decode(
            preg_replace("/" . $this->getPrefix() . "/i", "", $dbHash)
        );
        $salt = substr($saltedPassword, -(strlen($saltedPassword) - $this->getHashLength()));
        $hash = self::ssha($password, $salt);

        return hash_equals($dbHash, $hash);
    }

As this is a unique solution I will not be adding it directly to the plugin. However, I am going to try and go out of my way and write you the code for the hook that will integrate with the plugin.
If I succeed, I’d be grateful if you could write a review or even buy me a beer.
Will try and get back to you soon . . .
🙂
Bad news – after reading that example through more thoroughly it is actually doing the same thing I tried in the first place.
This still doesn’t make sense as the hash you have provided does not appear to be a base64 encoded string. (JVCmnFjLqYvJJLPKfhG7a6KFaa6JmrEeg8mhTkYqWIljOGMzZmE1OTlhNjE0NzY5)
I’m either missing something but from looking at the file I mentioned earlier, and reading the hash generator solution the string above should be a base 64 encoded string but it is not.
I’m starting to think that this isn’t what is hashing your passwords. I don’t know what to suggest next I’m afraid.
Sorry to bombard you but I had one final punt at this and I would expect the following to display a decoding with valid characters and it doesn’t.

    <?php
    $prefix = "{SSHA256}";
    $dbHash = '{SSHA256}JVCmnFjLqYvJJLPKfhG7a6KFaa6JmrEeg8mhTkYqWIljOGMzZmE1OTlhNjE0NzY5';
    echo base64_decode(
        preg_replace("/" . $prefix . "/i", "", $dbHash)
    );

You can copy and paste the code and try it yourself but this is the output I’m getting:

    %P��X˩��$��~�k��i�����ɡNF*X�c8c3fa599a614769

I haven’t heard back from you so I’m going to mark this as resolved.
If you have any questions in the meantime, please don’t hesitate to get back in contact.
Kind regards,
Tom 🙂
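The layout discussed in this thread, as an added example that is not part of the original posts or of either plugin: it assumes the stored value is base64 of a 32-byte raw SHA-256 digest followed by the salt, with the digest taken over password + salt (the order given in step 5), and it splits at the digest length as the checkPassword() excerpt does. A raw digest is binary and will not print as readable text, so the example hex-encodes it; the function names are hypothetical.

```php
<?php
// Added example: parse and verify an {SSHA256} value, assuming the layout
// base64( sha256(password . salt) . salt ). That layout is an assumption taken
// from the steps and the checkPassword() excerpt in this thread.
const SSHA256_PREFIX = '{SSHA256}';
const SHA256_LEN = 32; // length of a raw SHA-256 digest in bytes

// Split a stored value into [digest, salt]; returns null if it is malformed.
function ssha256_parse(string $stored): ?array
{
    if (strncasecmp($stored, SSHA256_PREFIX, strlen(SSHA256_PREFIX)) !== 0) {
        return null; // wrong or missing scheme prefix
    }
    $raw = base64_decode(substr($stored, strlen(SSHA256_PREFIX)), true);
    if ($raw === false || strlen($raw) <= SHA256_LEN) {
        return null; // not strict base64, or nothing left over for the salt
    }
    return [substr($raw, 0, SHA256_LEN), substr($raw, SHA256_LEN)];
}

// Recompute the digest with the extracted salt and compare in constant time.
function ssha256_verify(string $password, string $stored): bool
{
    $parts = ssha256_parse($stored);
    if ($parts === null) {
        return false;
    }
    [$digest, $salt] = $parts;
    return hash_equals($digest, hash('sha256', $password . $salt, true));
}

// Build a value in the same layout (only used to create a constructed sample).
function ssha256_make(string $password, string $salt): string
{
    return SSHA256_PREFIX . base64_encode(hash('sha256', $password . $salt, true) . $salt);
}

// Constructed sample, not a real credential.
$sample = ssha256_make('correct horse', bin2hex(random_bytes(8)));
var_dump(ssha256_verify('correct horse', $sample));
var_dump(ssha256_verify('wrong', $sample));

// The value posted in this thread: print its structure, then test it against
// the password the thread says it was generated from.
$posted = '{SSHA256}JVCmnFjLqYvJJLPKfhG7a6KFaa6JmrEeg8mhTkYqWIljOGMzZmE1OTlhNjE0NzY5';
[$digest, $salt] = ssha256_parse($posted);
printf("digest=%s (%d bytes)\nsalt=%s\n", bin2hex($digest), strlen($digest), $salt);
var_dump(ssha256_verify('password', $posted));
```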
-
The topic ‘ssha256’ is closed to new replies.