Page 1 of 1
How to create hash value?
Posted: Sun Jul 08, 2012 8:00 pm
by DrBrain
Hello,
I'd like to use the zmu utility using an authentication hash instead of passing cleartext username/pass. Can you please let me know what kind of information the hash value should contain and which hash algorithm it's being used?
Thanks!
Re: How to create hash value?
Posted: Tue Jul 10, 2012 8:42 pm
by usersenior
Code: Select all
function getAuthUser( $auth )
{
if ( ZM_OPT_USE_AUTH && ZM_AUTH_RELAY == "hashed" && !empty($auth) )
{
$remoteAddr = "";
if ( ZM_AUTH_HASH_IPS )
{
$remoteAddr = $_SERVER['REMOTE_ADDR'];
if ( !$remoteAddr )
{
Error( "Can't determine remote address for authentication, using empty string" );
$remoteAddr = "";
}
}
$sql = "select Username, Password, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds from Users where Enabled = 1";
/* Create hash*/
foreach ( dbFetchAll( $sql ) as $user )
{
$now = time();
for ( $i = 0; $i < 2; $i++, $now -= (60*60) ) // Try for last two hours
{
$time = localtime( $now );
$authKey = ZM_AUTH_HASH_SECRET.$user['Username'].$user['Password'].$remoteAddr.$time[2].$time[3].$time[4].$time[5];
$authHash = md5( $authKey );
if ( $auth == $authHash )
{
return( $user );
}
}
}
}
Error( "Unable to authenticate user from auth hash '$auth'" );
return( false );
}
Re: How to create hash value?
Posted: Tue Jul 10, 2012 9:06 pm
by DrBrain
Thanks for the reference.
If I interpret the source right, for my hash to be valid it should have been generated in the last 2 hours? So ZM's password hashing is not a plain "get plaintext, add salt, md5-it, store the hash in the db"-like algorithm?
Thanks!
Re: How to create hash value?
Posted: Wed Jul 11, 2012 1:43 am
by usersenior
yes, but the hash don't is stored in db, this is send with that url .
e.g
zonminder/cgi-bin/nph-zms?mode=jpeg&monitor=18&scale=100&maxfps=5&buffer=1000&auth=bfd2cef9356b78d996781c5956c5f705&connkey=30037&rand=1341922224
Re: How to create hash value?
Posted: Wed Jul 11, 2012 6:28 am
by DrBrain
Ok, I see.
This may be a little bit of a problem in my case then. I understand ZM's intention is that clear text password is not transmitted as such via HTTP, however my requirement in this case is that I do not even store the password anywhere at all. Obviously, to be able to generate the hash every two hours mean I do have to store the password of the user somewhere in the system originating the call to 'zmu'.
Thanks.
Re: How to create hash value?
Posted: Wed Jul 11, 2012 9:03 am
by Paranoid
Its been quite a while since I've done anything with md5 but if I recall correctly text is processed in 64 byte chunks.
This means that if you can arrange for ZM_AUTH_HASH_SECRET.$user['Username'].$user['Password'] to be a multiple of 64 bytes then you can probably generate a hash without storing the user name or password.
MD5 is initialised as follows (
http://en.wikipedia.org/wiki/Md5 ):
Code: Select all
var int h0 := 0x67452301
var int h1 := 0xefcdab89
var int h2 := 0x98badcfe
var int h3 := 0x10325476
So what you will have to do is run the md5 code with the initial 64 byte string and save the values of h0-h3. You can then use these as initialisation values to your own version of md5 and hash the $remoteAddr.$time[2].$time[3].$time[4].$time[5] part.
Overall, a very messy but possible solution.