emilhem Posted January 15, 2016
When upgrading, IPS removes custom MySQL changes to tables. We have changed the password field to take more characters since we can't support Blowfish and use SHA512 instead. Is there a way to edit the file that checks and modifies the tables? Where is this file located?
Marcher Technologies Posted January 15, 2016
1 hour ago, emilhem said:
> When upgrading, IPS removes custom MySQL changes to tables. We have changed the password field to take more characters since we can't support Blowfish and use SHA512 instead. Is there a way to edit the file that checks and modifies the tables? Where is this file located?
Why in the world would you utilize a less secure password hashing algorithm when the only requirement to use blowfish is already met by using the minimum required version of PHP for the suite?
Lindy (Management) Posted January 16, 2016
Can't help you with this beyond "don't do that." Sorry.
emilhem (Author) Posted January 16, 2016
*really big sigh*. If you know anything about Debian and Ubuntu (I know I didn't mention it in the above post) you know that it can be pretty hard to get a working copy of the binaries in a .deb file to allow blowfish algorithms in software other than PHP. We need the passwords a little bit more unsafe (SHA512 x 5000 ($6$rounds=5000$)) since SHA512 is much more widely available.
Lindy (Management) Posted January 16, 2016
I'm really confused by what you're trying to do. PHP 5.3+ should be a non-issue with blowfish, regardless of what OS you use. You mentioned "other than PHP" which leads me to believe you're trying to access encrypted data directly from the database, outside of IPS4. Again -- "don't do that." The software has extensible APIs and the ability for custom login handlers, SSO, etc. Perhaps if you could explain exactly what you're doing, we can further help. You're not going to get very far with modifying the database.
1) It's a bad idea.
2) We introduced self-healing features because of support overhead involved with people thinking this is a good idea.
3) There's likely a much better solution.
4) It's a bad idea.
emilhem (Author) Posted January 16, 2016
The software that we're trying to use with the IPS passwords is Dovecot. Dovecot only supports the following password schemes on our server:
CRYPT MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA SHA256-CRYPT SHA512-CRYPT
As such, if we continue to use the IPS integrated login system, then we need to use something from the list above. We are looking into other solutions but for now we're stuck with SHA512. Are there any good articles about moving from IPS integrated login to LDAP? Dovecot supports LDAP.
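
Added example (not part of the thread, and not IPS or Dovecot code): a parser for the crypt(3) strings discussed above that reports the Dovecot scheme name and cost of each stored hash and whether the scheme appears in the list posted for that server. It assumes the suite stores PHP-style `$2y$` bcrypt strings, which Dovecot calls BLF-CRYPT; the sample rows are constructed.

```python
import re

# Scheme names copied from the list in the post above (that server's Dovecot build).
SERVER_SCHEMES = set("""
CRYPT MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR
CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5
LDAP-MD5 LANMAN NTLM OTP SKEY RPA SHA256-CRYPT SHA512-CRYPT""".split())

B64 = "[./0-9A-Za-z]"  # crypt(3) base64 alphabet
# crypt(3) id -> (Dovecot scheme name, digest length in characters)
SHA_CRYPT = {"5": ("SHA256-CRYPT", 43), "6": ("SHA512-CRYPT", 86)}
SHA_RE = re.compile(r"\$([56])\$(?:rounds=(\d{1,9})\$)?([^$]{0,16})\$(" + B64 + "+)")
BCRYPT_RE = re.compile(r"\$2[abxy]\$(\d\d)\$" + B64 + "{53}")

def classify(stored):
    """Parse one crypt(3) string; return (dovecot_scheme, cost, usable_on_server)."""
    m = SHA_RE.fullmatch(stored)
    if m:
        scheme, digest_len = SHA_CRYPT[m.group(1)]
        rounds = int(m.group(2)) if m.group(2) else 5000  # default when omitted
        if len(m.group(4)) != digest_len or not 1000 <= rounds <= 999_999_999:
            raise ValueError("malformed SHA-crypt string")
        return scheme, rounds, scheme in SERVER_SCHEMES
    m = BCRYPT_RE.fullmatch(stored)
    if m:
        cost = int(m.group(1))  # log2 of the iteration count
        if not 4 <= cost <= 31:
            raise ValueError("bcrypt cost out of range")
        return "BLF-CRYPT", cost, "BLF-CRYPT" in SERVER_SCHEMES
    raise ValueError("unrecognised hash format")

def unusable_accounts(rows):
    """Names of accounts whose stored hash this Dovecot build cannot verify."""
    bad = []
    for user, stored in rows:
        try:
            usable = classify(stored)[2]
        except ValueError:
            usable = False
        if not usable:
            bad.append(user)
    return bad

# Constructed sample rows: the digests are filler characters, not real hashes.
SAMPLE = [
    ("alice", "$6$rounds=5000$examplesalt$" + "A" * 86),
    ("bob", "$2y$10$" + "b" * 53),
    ("carol", "$6$examplesalt$" + "A" * 40),  # truncated digest
]

if __name__ == "__main__":
    print(unusable_accounts(SAMPLE))
```

Run against an export of the member table, this shows which accounts would fail to authenticate through Dovecot before any schema or scheme change is attempted.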
Archived
This topic is now archived and is closed to further replies.