在drupal中向用户密码添加用户特定的盐
[英]Adding user specific salt to user passwords in drupal
问题描述
I am migrating over a reasonably large asp site to drupal. 
我正在通过一个相当大的ASP网站迁移到Drupal。 I have managed to migrate over most of the content now I am having a little trouble with migrating over the users. 我已经设法迁移了大部分内容,现在在迁移用户方面遇到了一些麻烦。
In the ASP site each member has a password and a salt column, when logging in their their provided password is appended with the salt and sha1 encrypted and then compared against the db password. 在ASP站点中,每个成员都有一个密码和一个salt列,在登录时,将其提供的密码附加有salt和sha1加密后附加,然后与db密码进行比较。
How do i implement this in drupal 6? 我如何在drupal 6中实现呢? Drupal 6 doesnt have salt by default. Drupal 6默认情况下不加盐。 I found a drupal salt module but its incredibly simplistic and only stores a sitewide salt value. 我找到了一个drupal盐模块,但是它极其简单,仅存储整个站点的盐值。
Do I need to add a salt column to the user table and add some custom logic to the drupal6 login function? 我是否需要在用户表中添加一个salt列,并向drupal6登录功能添加一些自定义逻辑? I realise this is somewhat bad practice in that upgrading the application to a later version of drupal could be problematic. 我意识到这有点不好,因为将应用程序升级到更高版本的drupal可能会有问题。 But we are using a bunch of drupal 6 specific modules anyways so I feel that upgrading to drupal 7 will be a nightmare regardless. 但是我们还是使用了大量的drupal 6特定模块,所以我觉得升级到drupal 7将是一场噩梦。 Has anyone had this problem before? 有人遇到过这个问题吗? What is the easiest (damn fixed rate web jobs :) good way to get around it? 绕过它的最简单的方法是什么?
Basically I have a users table in an ASP app that include the following columns: 基本上,我在ASP应用程序中有一个users表,其中包括以下几列:
Name | 姓名| Password_hash | 密码哈希| Salt | 盐| etc 等等
I need some way to migrate this into Drupal. 我需要一些方法将其迁移到Drupal中。
2 个解决方案
解决方案1
2 2013-02-20 00:58:28
I'm not sure how this worked in Drupal 6, but Drupal 7 implements the salt used when comparing to the db password is in the compared string. 我不确定这在Drupal 6中是如何工作的,但是Drupal 7实现了在比较字符串中与db密码进行比较时使用的盐。 When looking at _password_crypt() in password.inc, the $salt is defined as 在password.inc中查看_password_crypt()时,$ salt定义为
$salt = substr($setting,4,8);
Where the $setting variable is the first 12 characters of the db password. 其中$ setting变量是数据库密码的前12个字符。 The salt if then prepended to the $password. 如果加盐,则加在$ password之前。
$hash = hash($algo, $salt . $password);
It is important to take into account that this hashing is done many times, as to increment notably the security. 重要的是要考虑到此哈希处理已完成多次,以显着提高安全性。 In order to know how many times it is hashed, the second character of the db password (it actually is between to $ signs) is used to know the number of repetitions taken. 为了知道它被哈希了多少次,db密码的第二个字符(实际上是在$符号之间)被用来知道重复的次数。 This character is compared to a string called itoa64 , so the position of this char is the log2 number of repetitions. 将此字符与名为itoa64的字符串进行比较 ,因此此char的位置是log2的重复次数。
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
What I mean by log2 number of repetitions is that the actual number will be 2 to the power of that number. 我所说的log2重复次数是实际次数为该次数的幂的2。 So, having into account the first number is between 7 and 30, the number of repetitions is between 128 and 1 073 741 824. 因此,考虑到第一个数字在7到30之间,重复次数在128到1 073 741 824之间。
Finally, the encrypted password is encoded in base64, checked (compare its length before and after the encoding) and returned to be compared by the user_check_password or used by user_hash_password for storage with a random hash generated with _password_generate_salt() . 最后,加密的密码在base64中进行编码,检查(比较编码前后的长度),并返回以供user_check_password比较,或由user_hash_password用于与_password_generate_salt()生成的随机哈希一起_password_generate_salt() 。
解决方案2
1 已采纳 2011-08-19 16:20:59
I would highly suggest the Password module 1.0 branch for this purpose. 我强烈建议为此目的使用密码模块 1.0分支。 It provides you with the ability to provide your own custom password.inc file to determine how passwords should be hashed and checked. 它使您能够提供自己的自定义password.inc文件,以确定应如何哈希和检查密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.