CMDBuild Forum

password hash method

Could anyone inform me which password hashing method is employed by cmdbuild? I ran it through my trusty Hash identifier (http://code.google.com/p/hash-identifier/), but it did not detect the hashing method.

Would be great for automating my installation. Thanks

The passwords are stored in the database with encryption

Base64

CMDBuild Team

Well, I tried that several times, because the string did look a lot like a base64-encoded string. However, I did not get any results from that.

root@pde-linux-fw2:~# echo admin | base64
YWRtaW4K
root@pde-linux-fw2:~# echo admin:admin | base64
YWRtaW46YWRtaW4K
root@pde-linux-fw2:~# echo DQdKW32Mlms= | base64 --decode
J[}▒▒kroot@pde-linux-fw2:~#

No match so far. At least not the match I wanted :)

You can look directly at the source code, here:
 
https://bitbucket.org/tecnoteca/cmdbuild/src/58e44e8434257bddbf8e704497c7b51ae9b40c15/cmdbuild-commons/src/main/java/org/cmdbuild/common/digest/Base64Digester.java?at=2.1.8
 
Best regards.
 
-- CMDBuild Team
 
Previously patrick wrote:

Well, I tried that several times, because the string did look a lot like a base64-encoded string. However, I did not get any results from that.

root@pde-linux-fw2:~# echo admin | base64
YWRtaW4K
root@pde-linux-fw2:~# echo admin:admin | base64
YWRtaW46YWRtaW4K
root@pde-linux-fw2:~# echo DQdKW32Mlms= | base64 --decode
J[}▒▒kroot@pde-linux-fw2:~#

No match so far. At least not the match I wanted :)

 

...and if it helps anyone - it looks like the code gets the bytes from the string and then acts on that. So a simple (Linux) command like echo -en 'encrypted_password_from_db' | base64.exe -d will not work.

My Java is rusty, but it looks like the class takes the string from the database, converts it into a byte array and then (crucially) decrypts THAT using Java cipher classes implementing PBEWithMD5AndDES.

To cut a long story short - assuming you actually have access to the underlying Postgres database and can get the password strings from the user table, it is relatively easy to spin up Eclipse (or whatever you favour), create a new main class to define what you want to decrypt, add an interface from

commons/src/main/java/org/cmdbuild/common/digest/Digester.java

and add the class

commons/src/main/java/org/cmdbuild/common/digest/Base64Digester.java

I had to edit things a bit in order to get it to run (remove loggers and "Guarded by bits") - but I got it to work. Here is what I used as a class (remember it is in the same directory as Base64Digester etc):

 

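public class Blabla {

    public static void main(String[] args) {
        // Encrypted password string as stored in the database (placeholder value)
        String encP = "encrStringFromDB";

        // Base64Digester is the CMDBuild class copied into the same directory
        Base64Digester bd = new Base64Digester();
        System.out.println(bd.decrypt(encP));
    }
}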

 

Hope that helps

 

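As an added example (not code from the thread or from CMDBuild): a Python triage of a stored credential string, showing why the value quoted above base64-decodes to 8 binary bytes, exactly one DES block, rather than to text or to a digest-length hash, and why `echo admin | base64` ends in `K`. The function names and verdict strings are assumptions made for this illustration.

```python
import base64
import binascii

# Raw digest sizes (bytes) of common unsalted hashes, for comparison.
DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 32: "SHA-256", 64: "SHA-512"}
DES_BLOCK = 8  # DES, as used by PBEWithMD5AndDES, works on 8-byte blocks


def triage(stored: str) -> dict:
    """Classify a stored credential string without trying to recover it."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return {"base64": False, "verdict": "not base64"}
    printable = all(0x20 <= b < 0x7F or b in (0x0A, 0x0D) for b in raw)
    info = {"base64": True, "length": len(raw), "printable": printable}
    if printable:
        info["verdict"] = "base64-encoded text (encoding only, no protection)"
    elif len(raw) in DIGEST_SIZES:
        info["verdict"] = f"length matches a raw {DIGEST_SIZES[len(raw)]} digest"
    elif len(raw) % DES_BLOCK == 0:
        info["verdict"] = "binary, whole 8-byte blocks: consistent with DES ciphertext"
    else:
        info["verdict"] = "binary, unknown format"
    return info


def encode_like_echo(text: str) -> str:
    """Base64 of what `echo text | base64` really encodes: text plus '\\n'."""
    return base64.b64encode(text.encode() + b"\n").decode()


if __name__ == "__main__":
    # Sample values are the strings quoted in the thread.
    for value in ("DQdKW32Mlms=", "YWRtaW4K", "admin"):
        print(value, "->", triage(value))
    # The trailing K comes from the newline that echo appends.
    print(encode_like_echo("admin"), base64.b64encode(b"admin").decode())
```

A value that lands in the DES bucket is reversible by anyone holding the application's key material, so it needs the same protection as a plaintext password column.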