在drupal中将用户特定的盐添加到用户密码中
我正在将一个相当大的 asp 站点迁移到 drupal。我已经成功迁移了大部分内容,现在我在迁移用户时遇到了一些麻烦。
在 ASP 站点中,每个成员都有一个密码和一个 salt 列,当登录时,他们提供的密码会附加 salt 和 sha1 加密,然后与数据库密码进行比较。
我如何在 drupal 6 中实现这个? Drupal 6 默认没有 salt。我发现了一个 drupal salt 模块,但它非常简单,并且只存储站点范围的 salt 值。
我是否需要向用户表添加盐列并向drupal6登录功能添加一些自定义逻辑?我意识到这是一种不好的做法,因为将应用程序升级到更高版本的 drupal 可能会出现问题。但无论如何,我们正在使用一堆 drupal 6 特定模块,所以我觉得升级到 drupal 7 将是一场噩梦。以前有人遇到过这个问题吗?什么是最简单的(该死的固定费率网络工作:)绕过它的好方法?
基本上,我在 ASP 应用程序中有一个用户表,其中包括以下列
:密码哈希 |盐|等等
我需要一些方法将其迁移到 Drupal 中。
I am migrating over a reasonably large asp site to drupal. I have managed to migrate over most of the content now I am having a little trouble with migrating over the users.
In the ASP site each member has a password and a salt column, when logging in their their provided password is appended with the salt and sha1 encrypted and then compared against the db password.
How do i implement this in drupal 6? Drupal 6 doesnt have salt by default. I found a drupal salt module but its incredibly simplistic and only stores a sitewide salt value.
Do I need to add a salt column to the user table and add some custom logic to the drupal6 login function? I realise this is somewhat bad practice in that upgrading the application to a later version of drupal could be problematic. But we are using a bunch of drupal 6 specific modules anyways so I feel that upgrading to drupal 7 will be a nightmare regardless. Has anyone had this problem before? What is the easiest (damn fixed rate web jobs :) good way to get around it?
Basically I have a users table in an ASP app that include the following columns:
Name | Password_hash | Salt | etc
I need some way to migrate this into Drupal.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我不确定这在 Drupal 6 中是如何工作的,但 Drupal 7 实现了在比较字符串中与数据库密码进行比较时使用的盐。当查看password.inc中的_password_crypt()时,$salt被定义为
其中$setting变量是数据库密码的前12个字符。
然后将盐添加到 $password 之前。
重要的是要考虑到这种散列会进行多次,以显着提高安全性。为了知道它被哈希了多少次,数据库密码的第二个字符(实际上是在 $ 符号之间)用于了解重复次数。该字符与名为 itoa64 的字符串进行比较,因此该字符的位置是 log2 次重复次数。
我所说的 log2 重复次数 是指实际次数将是该次数的 2 次方。因此,考虑到第一个数字在 7 到 30 之间,重复次数在 128 到 1 073 741 824 之间。
最后,加密的密码以 base64 进行编码、检查(比较编码前后的长度)并返回通过 user_check_password 或由 user_hash_password 用于存储使用
_password_generate_salt()生成的随机哈希值。I'm not sure how this worked in Drupal 6, but Drupal 7 implements the salt used when comparing to the db password is in the compared string. When looking at _password_crypt() in password.inc, the $salt is defined as
Where the $setting variable is the first 12 characters of the db password.
The salt if then prepended to the $password.
It is important to take into account that this hashing is done many times, as to increment notably the security. In order to know how many times it is hashed, the second character of the db password (it actually is between to $ signs) is used to know the number of repetitions taken. This character is compared to a string called itoa64, so the position of this char is the log2 number of repetitions.
What I mean by log2 number of repetitions is that the actual number will be 2 to the power of that number. So, having into account the first number is between 7 and 30, the number of repetitions is between 128 and 1 073 741 824.
Finally, the encrypted password is encoded in base64, checked (compare its length before and after the encoding) and returned to be compared by the user_check_password or used by user_hash_password for storage with a random hash generated with
_password_generate_salt().为此,我强烈建议使用 密码模块 1.0 分支。它使您能够提供自己的自定义password.inc 文件来确定如何对密码进行散列和检查。
I would highly suggest the Password module 1.0 branch for this purpose. It provides you with the ability to provide your own custom password.inc file to determine how passwords should be hashed and checked.