Authentication with zms/nph-zms


Post by rakhbari »

Hi,

I'm very sorry if this has already been answered, I did a search in forums/faqs/readme and didn't see anything on it.

I have a need to invoke the streaming server (zms) programmatically on behalf of a user that's already logged into my own webapp. I understand that when a user logs into ZM's console they get a ZMSESSIONID cookie. And when they click on any monitor (that's been set to monitor mode) the URL to zms/nph-zms has "auth=<some-hex-value>". I've noticed that the sessionid and auth values are not the same.

Where does this auth hex-value in the zms URL come from? :? Can I invoke some command that gets me the auth param value that I can use in subsequent calls to zms/nph-zms?

Somewhat related question: What exactly is the difference between zms and nph-zms (non-parsed header)? By my ZM install defaults nph-zms is called, but I'm wondering if one performs better than the other or vice versa? Feel free to point me to an already written FAQ or README on this one. I've read lots of your docs for everything else. It's very possible I missed something.

Thank you, once again, for all your help.

Cheers,

Ramin
:)

Post by Lee Sharp »

Can't help you on the cookie, but I can on the zms vs nph-zms. The files are the same. In theory, adding nph to the title tells Apache not to parse the headers. However, some versions of Apache have problems with this, and so the plain zms title is available. In theory, nph-zms should be faster, but if it has memory leaks, or processes hang around after the web browser has left, try zms.

Re: Authentication with zms/nph-zms

Post by rakhbari »

rakhbari wrote:
> Where does this auth hex-value in the zms URL come from? :? Can I invoke some command that gets me the auth param value that I can use in subsequent calls to zms/nph-zms? :)

I did a bit of research into this and finally figured out how to construct this auth param in the zms URL. Since no one else replied to this post I thought I'd share it:

The auth param in the zms URL is an MD5 hash of a string that's a concatenation of the following pieces of data:

Code:

<username><password_hash><time[2]><time[3]><time[4]><time[5]>

username = self-explanatory, ie: admin

password_hash = The output of the MySQL password() function as is stored in the zm DB Users table. For example, "admin" passed through the password() function equals "*AB5E5865B02289309E1E7A36618B30D40E989F68".

time[x] = These are specific pieces of the array element that's returned when you make a call to PHP function localtime(). To get full info on localtime() and all other PHP date/time functions go here: http://us2.php.net/manual/en/function.localtime.php. The array breaks down as follows:

time[0] - seconds
time[1] - minutes
time[2] - hour
time[3] - day of the month
time[4] - month of year (0-based, ie: 7 = August)
time[5] - Years since 1900 (107 is 2007, meaning 1900 + 107)
time[6] - day of the week
time[7] - day of the year
time[8] - whether or not daylight savings time in effect

So for example, if you wanted to produce the auth param for username "admin", password "admin", with localtime of August 2nd, 2007, 4:22 PM, the auth_key (concatenated string) would look like this:

Code:

admin*AB5E5865B02289309E1E7A36618B30D40E989F681627107

Then you MD5 the above string and end up with:

Code:

d65ad34bd1e61c4bd664a39cdb15d07a

Obviously, by design, this auth param is only good temporarily since it includes temporal components (hour, day, month, year). It can be used in the zms URL or as the "-A" param of the zmu command line.

If anyone is trying to produce this auth param in Java, here's a piece of code that'll do that:

Code:

import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;

import org.apache.commons.codec.digest.DigestUtils;

// Method only; it belongs inside a class that holds zmDao, the DAO described
// below that reads the stored password hash from the zm DB Users table.
public String getZoneMinderAuthHash ()
{
	// The auth key starts with the username, followed by the stored password hash.
	StringBuilder authKey = new StringBuilder ("admin");
	String authHash = null;
	String adminPwHash = zmDao.getAdminUserPassword ();
	authKey.append (adminPwHash);
	
	// Same fields as PHP localtime() elements [2]..[5], in the server's local time.
	Calendar cal = new GregorianCalendar ();
	cal.setTime (new Date ());
	int hourOfDay = cal.get (Calendar.HOUR_OF_DAY);       // 0-23
	int dayOfMonth = cal.get (Calendar.DAY_OF_MONTH);     // 1-31
	int monthOfYear = cal.get (Calendar.MONTH);           // 0-based, like time[4]
	int yearsSince1900 = cal.get (Calendar.YEAR) - 1900;  // like time[5]
	
	// Fields are appended as plain decimal numbers, with no separators or padding.
	authKey.append (hourOfDay);
	authKey.append (dayOfMonth);
	authKey.append (monthOfYear);
	authKey.append (yearsSince1900);
	// The auth param is the MD5 hex digest of the concatenated string.
	authHash = DigestUtils.md5Hex (authKey.toString ());

	return authHash;
}

Of course the above code isn't the complete class, just a method and the imports you need for a class you'd create yourself. There's also one external dependency and that's for you to write a DAO (Data Access Object) that connects to the zm DB and returns the actual string that the MySQL password() function produces. I wasn't able to easily figure out what the hell that sucker does so it was just easier to reach into the DB and grab it. Or I could've just made a similar call to a piece of SQL such as:

Code:

SELECT password(passed-in-password);

Well, I hope this helped somebody.

Cheers,

Ramin
:D
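
Added example (not part of the original posts, and not ZoneMinder's code): a Python sketch of the auth value described in the post above, together with the checking side. The names auth_key, auth_hash, is_valid and ambiguous, and the lookback_hours policy, are assumptions made for illustration; the sketch also shows that, because the fields are joined without separators or padding, two different hours can produce the same key, so a value is not tied to exactly one hour.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed sample values, copied from the worked example in the post.
USER = "admin"
PW_HASH = "*AB5E5865B02289309E1E7A36618B30D40E989F68"

def auth_key(username, password_hash, when):
    """Concatenate the fields as the post describes: no separators, no padding."""
    # PHP localtime(): [2]=hour, [3]=day of month, [4]=month (0-based),
    # [5]=years since 1900. Python's datetime.month is 1-based, so subtract 1.
    return "%s%s%d%d%d%d" % (username, password_hash, when.hour, when.day,
                             when.month - 1, when.year - 1900)

def auth_hash(username, password_hash, when):
    """MD5 hex digest of the auth key, i.e. the value sent as auth=..."""
    return hashlib.md5(auth_key(username, password_hash, when).encode()).hexdigest()

def is_valid(presented, username, password_hash, now, lookback_hours=1):
    """Accept a hash minted in the current hour or up to lookback_hours before.
    The lookback is an assumed policy for this sketch, not ZoneMinder's."""
    for i in range(lookback_hours + 1):
        expected = auth_hash(username, password_hash, now - timedelta(hours=i))
        # Constant-time comparison of the two hex strings.
        if hmac.compare_digest(presented.encode(), expected.encode()):
            return True
    return False

def ambiguous(a, b):
    """True when two different times yield the same auth key, which the
    unpadded concatenation allows (hour 1 + day 12 vs. hour 11 + day 2)."""
    return a != b and auth_key(USER, PW_HASH, a) == auth_key(USER, PW_HASH, b)

if __name__ == "__main__":
    minted = datetime(2007, 8, 2, 16, 22)
    token = auth_hash(USER, PW_HASH, minted)
    print(auth_key(USER, PW_HASH, minted))
    print(is_valid(token, USER, PW_HASH, datetime(2007, 8, 2, 17, 5)))
    print(is_valid(token, USER, PW_HASH, datetime(2007, 8, 2, 19, 5)))
    print(ambiguous(datetime(2007, 8, 12, 1, 0), datetime(2007, 8, 2, 11, 0)))
```

Since the value is derived only from the stored password hash and the clock, anyone who can read the Users table can mint it, so that table and any logged zms URLs deserve the same protection as the password itself.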