MySQL哈希列密码+脚本bash
[英]MySQL hashed column password+script bash
问题描述
I'd a little problem. 
我有点问题。
I'd created a MySQL table with the password column encrypted with SHA1. 我创建了一个MySQL表,其中的密码列已使用SHA1加密。
mysql> CREATE TABLE IF NOT EXISTS user_encrypted (
username varchar(50) COLLATE utf8_unicode_ci NOT NULL PRIMARY KEY DEFAULT 'username',
hashed_password varchar(50) COLLATE utf8_unicode_ci NOT NULL DEFAULT 'password',
user_mail varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL DEFAULT 'your@email.com',
user_phone varchar(20) COLLATE utf8_unicode_ci DEFAULT NULL DEFAULT '+33 1 23 45 67 89',
user_online tinyint(1) NOT NULL DEFAULT '0',
user_enable tinyint(1) NOT NULL DEFAULT '1',
user_max_connection tinyint(1) NOT NULL DEFAULT '2',
user_start_date date NOT NULL DEFAULT '2015-05-01',
user_end_date date NOT NULL DEFAULT '0000-00-00',
KEY hashed_password (hashed_password)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
Result 结果
Query OK, 0 rows affected (0.01 sec)
I'd a script, which call the MySQL table : 我要编写一个脚本,该脚本调用MySQL表:
#!/bin/bash
. /etc/openvpn/script/config.sh
#New Encrypted_password
#username=$(mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -sN -e "select username from user_encrypted where username = '$username' AND hashed_password = '$password' AND user_enable=1 AND user_max_connection=2 AND user_start_date != user_end_date AND TO_DAYS(now()) >= TO_DAYS(user_start_date) AND (TO_DAYS(now()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')")
##Check user
[ "$username" != '' ] && [ "$username" = "$username" ] && echo "user : $username" && echo 'authentication ok.' && exit 0 || echo 'authentication failed.'; exit 1
The problem is, when I use the script, and OpenVPn ask me for user / password, I use Test and Test1234, but, the system refuse the password. 问题是,当我使用脚本并且OpenVPn要求我提供用户名/密码时,我使用Test和Test1234,但是系统拒绝密码。 It seems the 'non-encrypted" password can't be translated to encrypted password for checking if the password for the table is the same as i entered in the client OpenVPN. 似乎“非加密”密码无法转换为加密密码,无法检查该表的密码是否与我在客户端OpenVPN中输入的密码相同。
I don't know how to do, in my script bash for the password I enter is "converted" to encrypted password for checking with the database... 我不知道该怎么办,在我输入的密码的脚本bash中,“转换”为加密的密码,以便与数据库进行检查...
Rhank you 谢谢你
1 个解决方案
解决方案1
0 2015-08-29 19:57:00
Your bash script doesn't hash the password. 您的bash脚本不会对密码进行哈希处理。 Hence, you're comparing the password with a hash of the password. 因此,您正在将密码与密码的哈希值进行比较。
You say it's a SHA1 hash, which conveniently exists as a built-in function in MySQL . 您说这是SHA1哈希, 在MySQL中很方便地作为内置函数存在。 Changing 更改
where username = '$username' AND hashed_password = '$password' ...
into 成
where username = '$username' AND hashed_password = SHA1('$password') ...
should fix your immediate problem. 应该解决您的直接问题。
I want to bring up two other problems with your code -- these are unfortunately pretty common mistakes: 我想在您的代码中提出另外两个问题-不幸的是,这是很常见的错误:
- It appears you are not using a salt for the password hash. 看来您没有使用盐作为密码哈希。 You should -- it would make it significantly harder for attackers to figure out your password from the hash. 您应该-它将使攻击者更难从哈希中找出您的密码。 Please read this . 请阅读此 。
- Your login script is vulnerable to SQL injection. 您的登录脚本容易受到SQL注入的攻击。 What if an attacker puts a string like
admin'; SELECT * FROM user_encrypted WHERE 0 AND '如果攻击者输入admin'; SELECT * FROM user_encrypted WHERE 0 AND '这样的字符串怎么办?admin'; SELECT * FROM user_encrypted WHERE 0 AND '(or something to that effect) as a username?admin'; SELECT * FROM user_encrypted WHERE 0 AND '(或类似的意思)作为用户名? Please read this .请阅读此 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.