Ticket #445 (closed enhancement: wontfix)

Opened 6 months ago

Last modified 3 months ago

SSHA vs SSHA toggle

Reported by: anilj
Owned by:
Priority: minor
Milestone: 0.6
Component: Habari Core Software
Version: 0.4.1
Keywords: encrypted password
Cc:

Description

I use one of the later PHP versions and it defaults to using SSHA512. I would like a configurable option that can use SSHA instead.

We have several applications that use SSHA right now and it'll be easier to "test" Habari if SSHA can be used.

Change History

Changed 6 months ago by anilj

  • type changed from defect to enhancement

Changed 6 months ago by arthus

I'd say this is beyond the scope of Habari. If it is implemented, it should be an option hidden pretty deep-down. The average user doesn't even know what SSHA is. Heck, even I barely do.

Changed 6 months ago by skippy

Our Utils::crypt() method should default to using the strongest hash mechanism it can. Here's the bit where it decides what hash to use:

    if ( $hash == NULL ) {
        // encrypt
        if ( function_exists( 'hash' ) ) { // PHP >= 5.1.2
            return self::ssha512( $password, $hash );
        }
        else {
            return self::ssha( $password, $hash );
        }
    }

So if you're using a PHP version that supports the hash() function, we use ssha512. See line 514 for the ssha512() method implementation.

Or am I misunderstanding what it is you want?

Changed 5 months ago by anilj

I see that logic, but couldn't this be a configuration option that can be set up in config.php? The encryption scheme should be selectable, as I want to copy the passwords from another database that uses SSHA into Habari - that would provide flexibility. I think my view of Habari is that it is designed for hosting environments, and the thing is, in a lot of hosting environments there are centralized areas where user/password information is stored.

    if my_hash:
        hash = my_hash
    else:
        hash = auto_detect_best_hash()
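
The automatic selection quoted earlier in this ticket and the configurable override sketched in the pseudocode can coexist if verification dispatches on the marker stored with each hash. The following is an added example, not Habari's code: it assumes the OpenLDAP-style encoding (marker, then base64 of the raw digest followed by the salt), which may differ from what Habari's ssha() and ssha512() methods produce, and `SCHEMES`, `make_hash`, `verify_hash` and the `$preferred` setting are hypothetical names.

```php
<?php
// Added example, not Habari code. Assumed encoding (OpenLDAP style):
//   marker . base64( raw_digest(password . salt) . salt )
const SCHEMES = [ // ordered strongest first
    '{SSHA512}' => ['algo' => 'sha512', 'len' => 64],
    '{SSHA}'    => ['algo' => 'sha1',   'len' => 20],
];

// Hash a new password. $preferred stands in for "my_hash" in the pseudocode
// (e.g. a value read from config.php); null means pick the strongest available.
function make_hash(string $password, ?string $preferred = null): string
{
    $marker = $preferred;
    if ($marker === null) {
        foreach (SCHEMES as $m => $s) {
            if (in_array($s['algo'], hash_algos(), true)) { $marker = $m; break; }
        }
    }
    if ($marker === null || !array_key_exists($marker, SCHEMES)) {
        throw new InvalidArgumentException('Unknown or unavailable hash scheme');
    }
    $salt   = random_bytes(8);
    $digest = hash(SCHEMES[$marker]['algo'], $password . $salt, true);
    return $marker . base64_encode($digest . $salt);
}

// Verify against whatever scheme the stored value was created with, so
// hashes imported from another application keep working.
function verify_hash(string $password, string $stored): bool
{
    foreach (SCHEMES as $marker => $s) {
        if (strncmp($stored, $marker, strlen($marker)) !== 0) {
            continue;
        }
        $raw = base64_decode(substr($stored, strlen($marker)), true);
        if ($raw === false || strlen($raw) <= $s['len']) {
            return false; // malformed value or missing salt
        }
        $digest = substr($raw, 0, $s['len']);
        $salt   = substr($raw, $s['len']);
        return hash_equals($digest, hash($s['algo'], $password . $salt, true));
    }
    return false; // unknown marker: reject rather than guess
}

// Constructed sample: an {SSHA} value standing in for an imported password.
$imported = make_hash('correct horse', '{SSHA}');
var_dump(verify_hash('correct horse', $imported), verify_hash('wrong', $imported));
var_dump(strncmp(make_hash('new password'), '{SSHA512}', 9) === 0);
```

Because the scheme is read from the stored value, the configured preference only affects newly created hashes; existing records of either kind continue to verify.
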

Changed 5 months ago by miklb

  • milestone changed from Undetermined to 0.6

Changed 4 months ago by moeffju

Our authentication process is pluggable; it should be possible for you to just authenticate - however you wish - against an existing user database.

Changed 3 months ago by skippy

  • status changed from new to closed
  • resolution set to wontfix