Support » Plugin: External Login » ssha256

  • Resolved quantumco

    (@quantumco)


    I would like to use Mailcow as a user database.
    The MySQL server from Mailcow uses SSHA256.
    Is it possible to add SSHA256 as a hash type?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author tbenyon

    (@tbenyon)

    Hey @quantumco,

    I may be able to help you with this.

    Could you please create a new user with the password “password” and share with me the hash that is generated so that I can experiment?

    Thanks,

    Tom 🙂

    Thread Starter quantumco

    (@quantumco)

    Hey @tbenyon

    Thank you for your help 🙂

    Here is the generated hash for the password “password”:

    {SSHA256}JVCmnFjLqYvJJLPKfhG7a6KFaa6JmrEeg8mhTkYqWIljOGMzZmE1OTlhNjE0NzY5

    Thanks,

    Kevin

    Plugin Author tbenyon

    (@tbenyon)

    Hey Kevin,

    Spent some time looking into this for you and unfortunately, it isn’t very clear what this is doing.

    I’ve tried to Google around and found a few results like this one that imply this is the process that Mailcow use:

    1) Getting the above and removing {SSHA256}.
    2) base 64 decoding the rest
    3) Splitting the resulting string in half
    4) The second half would be the salt and the first half would be a SHA256 hash of the password and the salt
    5) At this point we can validate the password to see if that starting hash is equal to the password entered + the salt and the sha(256) hashed.

    Unfortunately it doesn’t seem right and step two is where things break down as JVCmnFjLqYvJJLPKfhG7a6KFaa6JmrEeg8mhTkYqWIljOGMzZmE1OTlhNjE0NzY5 isn’t a valid base 64 encoded string.

    Unfortunately at this point I think you’re going to have to either contact Mailcow for support or go through the code yourself (or pay a developer to do it) to see how the hashes are actually being generated.

    If you can find this out I’m happy to try and help you further.

    Thanks,

    Tom 🙂

    • This reply was modified 4 months, 4 weeks ago by tbenyon.
    Thread Starter quantumco

    (@quantumco)

    Thank you for your research

    I also use a Nextcloud server; there is a plugin called “User and Group SQL Backends”.
    This plugin has an SSHA256 hash algorithm.
    With that I use my Mailcow DB for Nextcloud user authentication.
    This works.
    Maybe there is some information there that will be useful.
    https://github.com/nextcloud/user_sql

    In the settings of the plugin I left the salt field empty.
    I only picked the Hash algorithm type ssha256

    Of course I disabled password change 😉

    Thank you very much for your help and sorry for my bad English 🙂

    • This reply was modified 4 months, 4 weeks ago by quantumco.
    Plugin Author tbenyon

    (@tbenyon)

    Hey @quantumco,

    Firstly, your English is incredible! Everything you’ve written has been exceptionally clear. 🙂

    So I’ve had a look at that plugin for you and I can see how the hash is being used in lib/Crypto/SSHA.php:

    
        public function checkPassword($password, $dbHash, $salt = null)
        {
            $saltedPassword = base64_decode(
                preg_replace("/" . $this->getPrefix() . "/i", "", $dbHash)
            );
            $salt = substr($saltedPassword, -(strlen($saltedPassword) - $this->getHashLength()));
            $hash = self::ssha($password, $salt);
    
            return hash_equals($dbHash, $hash);
        }
    

    As this is a unique solution I will not be adding it directly to the plugin. However, I am going to try and go out of my way and write you the code for the hook that will integrate with the plugin.

    If I succeed, I’d be grateful if you could write a review or even buy me a beer.

    Will try and get back to you soon . . .

    🙂

    Plugin Author tbenyon

    (@tbenyon)

    Bad news – after reading that example through more thoroughly it is actually doing the same thing I tried in the first place.

    This still doesn’t make sense as the hash you have provided does not appear to be a base64 encoded string. (JVCmnFjLqYvJJLPKfhG7a6KFaa6JmrEeg8mhTkYqWIljOGMzZmE1OTlhNjE0NzY5)

    I’m either missing something but from looking at the file I mentioned earlier, and reading the hash generator solution the string above should be a base 64 encoded string but it is not.

    I’m starting to think that this isn’t what is hashing your passwords. I don’t know what to suggest next I’m afraid.

    Plugin Author tbenyon

    (@tbenyon)

    Sorry to bombard you but I had one final punt at this and I would expect the following to display a decoding with valid characters and it doesn’t.

    
    <?php
    $prefix = "{SSHA256}";
    
    $dbHash = '{SSHA256}JVCmnFjLqYvJJLPKfhG7a6KFaa6JmrEeg8mhTkYqWIljOGMzZmE1OTlhNjE0NzY5';
    
    echo base64_decode(
        preg_replace("/" . $prefix . "/i", "", $dbHash)
    );
    

    You can copy and paste the code and try it yourself but this is the output I’m getting:
    %P��X˩��$��~�k��i�����ɡNF*X�c8c3fa599a614769
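
Added example, not part of any reply in this thread and not the plugin's, Nextcloud's or Mailcow's code: the decode-and-split steps listed earlier, written as a PHP verifier. It assumes the stored digest is the raw (binary) 32-byte SHA-256 of the password followed by the salt, so the decoded value is 32 mostly unprintable bytes followed by a readable salt; the function names are hypothetical.

```php
<?php
// Added example; function names are hypothetical. Assumed layout:
// "{SSHA256}" . base64( raw SHA-256(password . salt) . salt )
const SSHA256_PREFIX = '{SSHA256}';
const SHA256_RAW_LEN = 32; // raw digest bytes, not 64 hex characters

/** Split a stored value into [digest, salt]; null if malformed. */
function ssha256_parse(string $stored): ?array
{
    if (strncasecmp($stored, SSHA256_PREFIX, strlen(SSHA256_PREFIX)) !== 0) {
        return null;
    }
    // Strict mode rejects characters outside the base64 alphabet.
    $raw = base64_decode(substr($stored, strlen(SSHA256_PREFIX)), true);
    if ($raw === false || strlen($raw) <= SHA256_RAW_LEN) {
        return null; // undecodable, or no salt after the digest
    }
    return [substr($raw, 0, SHA256_RAW_LEN), substr($raw, SHA256_RAW_LEN)];
}

/** Constant-time check of a candidate password against a stored value. */
function ssha256_verify(string $password, string $stored): bool
{
    $parts = ssha256_parse($stored);
    if ($parts === null) {
        return false;
    }
    [$digest, $salt] = $parts;
    return hash_equals($digest, hash('sha256', $password . $salt, true));
}

/** Build a value in the same layout, to test the verifier against. */
function ssha256_make(string $password, string $salt): string
{
    return SSHA256_PREFIX
        . base64_encode(hash('sha256', $password . $salt, true) . $salt);
}

// The value posted in the thread, inspected structurally only.
$posted = '{SSHA256}JVCmnFjLqYvJJLPKfhG7a6KFaa6JmrEeg8mhTkYqWIljOGMzZmE1OTlhNjE0NzY5';
[$digest, $salt] = ssha256_parse($posted);
printf("digest: %d bytes, hex %s\nsalt: %s\n", strlen($digest), bin2hex($digest), $salt);

// Round trip on a constructed value with a constructed random salt.
$sample = ssha256_make('correct horse', bin2hex(random_bytes(8)));
var_dump(ssha256_verify('correct horse', $sample));
var_dump(ssha256_verify('wrong guess', $sample));
var_dump(ssha256_verify('password', $posted));
```

Comparing raw digests with `hash_equals` keeps the check constant-time, and the strict `base64_decode` flag makes a malformed stored value fail closed instead of being silently truncated.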

    Plugin Author tbenyon

    (@tbenyon)

    I haven’t heard back from you so I’m going to mark this as resolved.

    If you have any questions in the meantime, please don’t hesitate to get back in contact.

    Kind regards,

    Tom 🙂
