Open ghost opened 4 years ago
It should be sufficient to create hash files, and then there is no need to additionally specify them in settings.json. The usual use case is you either specify it as a file or as an entry under the user's username. ...
The ep_hash_auth section of the config is not part of the users section! If placed under users it will assume an user called ep_hash_auth and won't configure the system. This is why your config is not working.
Thanks @LaKing for taking time to help / advise. We're promoting ep_hash_auth to all users now on first run so it could be that usage goes up and ergo user issues so thanks for handling them! :+1:
Thank you for your answer but it doesn't work either. Could you explain to me step by step what I have to do?
Could there be an issue with python3? Cause GitHub generates the hashes with python?
Running Etherpad-lite 1.8.4 with ep_hash_auth 3.0.1
I can confirm that user authentication using "ep_hash_auth" doesn't work.
With settings.json with 'ep_hash_auth' configuration, in the logs I can see:
[2020-09-16 20:24:33.310] [INFO] console - You can access your Etherpad instance at http://127.0.0.1:9001/
[2020-09-16 20:24:33.310] [WARN] console - Admin username and password not set in settings.json. To access admin please uncomment and edit 'users' in settings.json
[2020-09-16 20:40:08.709] [INFO] console - Error: Failed authentication attempt for admin: no authentication found
When 'ep_hash_auth' is commented out and 'users' configuration is populated with users data in config.json everything is working as expected.
I'm gonna try find time to bring ep_hash_auth into the Etherpad tests so we test functionality on commit.
@nscomputing for now, try latest develop branch to see if it works
Thanks for reply.
Will try to find some time tomorrow to try etherpad-lite develop branch.
Just tried the latest etherpad-lite develop branch.
When users blob with hashes is in the settings.json authentication works. If users hashes are in external files and config for ep_hash_auth is in settings.json I can see in console:
[2020-09-17 18:38:29.208] [WARN] console - Admin username and password not set in settings.json. To access admin please uncomment and edit 'users' in settings.json
and authentication failed.
I have a similar issue of not understanding how this should be configured correctly.
It should be sufficient to create hash files, and then there is no need to additionally specify them in settings.json. The usual use case is you either specify it as a file or as an entry under the user's username. ...
If I do this I still get the console message about "Admin username and password not set in settings.json".
Also the only way I was able to get the whole thing to even allow me to login was to edit the following line in ep_hash_auth.js:
compareHashes(password, contents, function(hashType) {
to:
compareHashes(password, contents.trim(), function(hashType) {
Because no matter which way I tried to add hashes to .hash, they would always appear with a newline when compared, which caused the authentication to fail. I could use
truncate -s -1 .hash
but then if I had a lot of users, that would get tedious. So, if you could share how you add hashes to .hash that would be most appreciated. I've tried redirection. Copy and pasting. I've gone into vim and assured there was no more than one line but the newline would still appear when compared.
If I try to login as a user and purposely enter the wrong password I see:
[2020-11-09 09:22:09.785] [INFO] http - Failed authentication from IP 192.168.0.101 - no such user
This happens for all users except admin. For admin it either gives 'no such user' or 'incorrect password' I don't know why sometimes it is one and sometimes the other..
I also don't understand how to only allow one user to be admin and the rest not to be. If I set hash_adm to true then everyone is admin and if I set it to false no one is admin. The only way I can think of would be to edit ep_hash_auth.js some more to either check if a user is named admin to change hash_adm to true.
I don't know why I get these issues and others do not. I'm obviously doing something very wrong but I don't know what that is. Thanks for any help that can be provided.
I am getting the exact same issues and going to submit a PR for this right now.
I have found the source of the problem. I was doing two (2) different things in order to create the .hash file and both of them were subtly wrong.

vi/vim will try to append a newline to the end of the data in the file. You can confirm this by using hexdump to look at the contents of the .hash file:
$ hexdump -C .hash
will show a 0a at the end, a \n.

echo by default will include a newline at the end of the string that you echo, so that
echo "hash" > .hash
will result in a .hash file with a newline at the end.

The solution is to use the -n flag to echo:
echo -n "hash" > .hash

Let me know if that helps!

Will
Your mistake is that you use sha512 in your configuration, but use a bcrypt hash. The README is somewhat unclear about this, because it does not explain how to change which type of hash to use, but it does show how to generate various hashes, but does not show how to generate a sha512 hash.
At the same time, @hawkinsw is also right that it's important to make sure the .hash file does not have a trailing newline. With nano, you can simply do nano -L .hash to prevent the addition of a trailing newline. (Though to be honest, I think the comparison function should trim the hash file's input.)
Even considering the above comments on ensuring that the hash is created on a password without a newline, and matching the configured hash function with the actually-used hash function, I am still experiencing issues with ep_hash_auth.
If I put the hash with the user's settings in settings.json, everything works as intended. However, if I remove the password from settings.json and put the hash in users/florine/.hash, then authentication works in pads but not on the admin page, which only gives me "Forbidden" when I try to access the page. The log states that the login is successful, but the (debug) log states that I am not an admin, even though I have very clearly set is_admin to true in settings.json.
I've been following this thread to solve my issues with ep_hash_auth plugin. Posting a configuration that works:
Having the following configured in settings.json:
  "users": {
    "admin": {
      "password": "${ADMIN_PASSWORD:null}",
      "is_admin": true
    }
  },
  "ep_hash_auth": {
    "hash_typ": "sha512",
    "hash_dig": "hex",
    "hash_dir": "/opt/etherpad-lite/users",
    "hash_ext": "/.hash",
    "hash_adm": false,
    "displayname_ext": "/.displayname"
  },
For example, for user gus:
Do not add a trailing .decode() of any form to the gensalt method.
python -c 'import bcrypt; print(bcrypt.hashpw(b"password", bcrypt.gensalt(rounds=10, prefix=b"2a")))'
Output:
b'$2a$10$ttmrfYu7414jsKsUPiyOmOW2OXivLfr5ZHAbSOIU8HyjT0j9E/49e'
Drop the leading b character (include the single quotes) and redirect it to ${path}/gus/.hash, where path is configured in the hash_dir option. As mentioned by @hawkinsw, use echo -n to avoid any \n characters being written into the file, but mind the single quotes here.
echo -n '$2a$10$ttmrfYu7414jsKsUPiyOmOW2OXivLfr5ZHAbSOIU8HyjT0j9E/49e' > /opt/etherpad-lite/users/gus/.hash
The important thing about the single quotes is that they do not resolve any character within the string.
If you use double quotes:
echo -n "$2a$10$ttmrfYu7414jsKsUPiyOmOW2OXivLfr5ZHAbSOIU8HyjT0j9E/49e"
the hash gets re-encoded, and the output would look like:
a0/lByWLFeTJJSH4eIZYYcCE15aUlBpAQNA9xQYaa
which alters the hash structure and the auth triggers a Failed authentication from IP error.
As you can see, the user gus is not listed in the users object in the settings.json file.
I hope this helps.
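A small Python helper that ties the advice in this thread together. It is an added example, not code from ep_hash_auth or Etherpad, and it makes two assumptions: that the ep_hash_auth section must be a top-level key in settings.json rather than an entry under "users" (as LaKing explains above), and that for a non-bcrypt hash_typ the plugin compares a plain hashlib-style digest of the password encoded per hash_dig (bcrypt hashes still have to come from the bcrypt library, as shown above). It writes the per-user file without a trailing newline, and audits existing files for the failure modes described here: a trailing newline, a leaked b'...' Python bytes prefix, and a bcrypt hash under a sha512 configuration. The settings dict, usernames and passwords are constructed for the example; demo() swaps the hash_dir for a temporary directory.

```python
"""Example helper for the ep_hash_auth thread (added here, not the plugin's code)."""
import base64
import hashlib
import os
import re
import tempfile

# Hex digest lengths for the digest names hashlib exposes.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Shape of a bcrypt string: $2a$10$ followed by a 22-char salt and 31-char hash (53 chars).
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Constructed settings.json fragment modelled on the working config posted above.
SAMPLE_SETTINGS = {
    "users": {"admin": {"password": "change-me", "is_admin": True}},
    "ep_hash_auth": {
        "hash_typ": "sha512",
        "hash_dig": "hex",
        "hash_dir": "/opt/etherpad-lite/users",  # placeholder; demo() uses a temp dir
        "hash_ext": "/.hash",
        "hash_adm": False,
        "displayname_ext": "/.displayname",
    },
}


def check_settings(settings):
    """Return problems with where and how ep_hash_auth is configured.

    Assumption from the thread: the section is a top-level key, not an entry
    under "users"; nested there it is read as a user called ep_hash_auth.
    """
    problems = []
    users = settings.get("users") or {}
    if "ep_hash_auth" in users:
        problems.append("ep_hash_auth is nested under users (would be treated as a user)")
    cfg = settings.get("ep_hash_auth")
    if not isinstance(cfg, dict):
        problems.append("no top-level ep_hash_auth section")
        return problems
    for key in ("hash_typ", "hash_dig", "hash_dir", "hash_ext"):
        if key not in cfg:
            problems.append("ep_hash_auth.%s is missing" % key)
    typ = cfg.get("hash_typ")
    if typ != "bcrypt" and typ not in HEX_LEN:
        problems.append("unsupported hash_typ %r" % (typ,))
    return problems


def hash_password(password, hash_typ, hash_dig="hex"):
    """Digest the password as the configured hash_typ/hash_dig imply.

    Assumption: for non-bcrypt types a plain digest of the password, hex or
    base64 encoded, is what ends up in the file. bcrypt needs the bcrypt library.
    """
    if hash_typ == "bcrypt":
        raise ValueError("generate bcrypt hashes with bcrypt.hashpw, as shown in the thread")
    digest = hashlib.new(hash_typ, password.encode("utf-8"))
    if hash_dig == "hex":
        return digest.hexdigest()
    if hash_dig == "base64":
        return base64.b64encode(digest.digest()).decode("ascii")
    raise ValueError("unsupported hash_dig %r" % (hash_dig,))


def hash_file_path(cfg, username):
    """hash_dir/<username> + hash_ext, e.g. /opt/etherpad-lite/users/gus/.hash."""
    return os.path.join(cfg["hash_dir"], username) + cfg["hash_ext"]


def write_hash_file(cfg, username, hash_value):
    """Write the hash exactly as given, with no trailing newline appended."""
    path = hash_file_path(cfg, username)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(hash_value)  # deliberately no "\n": print() or echo would add one
    os.chmod(path, 0o600)  # only the Etherpad user should read password hashes
    return path


def audit_hash_bytes(cfg, data):
    """Report the failure modes from this thread for one hash file's raw bytes."""
    problems = []
    if data.endswith((b"\n", b"\r")):
        problems.append("trailing newline (hexdump -C shows 0a at the end)")
    text = data.strip().decode("ascii", errors="replace")
    if text.startswith("b'") or text.startswith('b"'):
        problems.append("Python bytes repr leaked into the file (leading b')")
    typ = cfg["hash_typ"]
    if BCRYPT_RE.match(text):
        if typ != "bcrypt":
            problems.append("file holds a bcrypt hash but hash_typ is %r" % typ)
    elif typ in HEX_LEN and cfg.get("hash_dig") == "hex":
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[typ], text):
            problems.append("not a %d-char lowercase hex %s digest" % (HEX_LEN[typ], typ))
    return problems


def audit_hash_file(cfg, path):
    with open(path, "rb") as fh:
        return audit_hash_bytes(cfg, fh.read())


def demo():
    """Write one correct file and one with a stray newline; return both audits."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = dict(SAMPLE_SETTINGS["ep_hash_auth"], hash_dir=tmp)
        good = write_hash_file(cfg, "gus", hash_password("password", "sha512"))
        # Simulates what `echo` without -n or vim leaves behind.
        bad = write_hash_file(cfg, "flo", hash_password("password", "sha512") + "\n")
        return {"good": audit_hash_file(cfg, good), "bad": audit_hash_file(cfg, bad)}


if __name__ == "__main__":
    print(check_settings(SAMPLE_SETTINGS))
    print(demo())
```

Run the audit over every hash_dir/*/.hash after provisioning users; an empty list per file means the contents match what the configured hash_typ and hash_dig would produce and nothing trailing will break the comparison.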
Hello, I have the following issue: I set up a CentOS server with nginx, nodejs and etherpad. Everything works fine but I struggle with the configuration of ep_hash_auth.
I set it up like GitHub said and I can generate hashes with bcrypt. My users are stored in /var/etherpad/users/username/.hash; the hash is in the .hash file and the user who runs etherpad is the owner of that directory. In the Etherpad settings.json I changed requireAuthentication to true and created the usernames like GitHub said.
What I am doing is, I create the hash for a password, create the directory and store the hash in the .hash file. Then I create the user in the etherpad settings.json like
"username": {"is_admin": true, "hash": "b'$2a$10$cyh661 ... Z9vyYFQbDK'"} is it correct to split the hash with dots or should I enter the full hash?
I also added this in my settings.json right under the point "users"
"ep_hash_auth": { "hash_typ": "sha512", "hash_dig": "hex", "hash_dir": "/var/etherpad/users", "hash_ext": "/.hash", "hash_adm": false, "displayname_ext": "/.displayname" },
It would be really great if somebody could help me or maybe explain how he is working with the ep_hash_auth plugin.
Thank you in advance