nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Unable to login after Fedora 31>32 upgrade #21100

Closed DidierLmn closed 3 years ago

DidierLmn commented 4 years ago


Steps to reproduce

  1. Have running Nextcloud instance on Fedora 31
  2. Upgrade to Fedora 32, with PHP 7.4
  3. No user is able to log in.

Actual behaviour

No user can log in. All users have argon2i hashes for passwords, but after the upgrade neither the PASSWORD_ARGON2I nor the PASSWORD_ARGON2ID variables are available to PHP. After the installation of the php-sodium package, users can log in again.

Expected behaviour

If passwords were previously hashed using a currently unavailable hashing algorithm, a message could be shown or log message written, notifying user/admin of the issue. Alternatively maybe a check for php-sodium when running occ check.

Server configuration

Operating system: Fedora 32

Web server: nginx 1.18

Database: PostgreSQL 12

PHP version: 7.4.6

Nextcloud version: 18.0.4

kesselb commented 4 years ago

The constants below are always available as part of the PHP core.

https://www.php.net/manual/en/password.constants.php

I'm a bit puzzled that those constants are not available.

DidierLmn commented 4 years ago

Strange indeed. I tried to verify the existence of the constants before I had the php-sodium package installed.

$ php -v
PHP 7.4.6 (cli) (built: May 12 2020 08:09:15) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.6, Copyright (c), by Zend Technologies

$ php -r 'echo PASSWORD_BCRYPT;'            
2y%                                                           

$ php -r 'echo PASSWORD_ARGON2I;'            
PHP Warning:  Use of undefined constant PASSWORD_ARGON2I - assumed 'PASSWORD_ARGON2I' (this will throw an Error in a future version of PHP) in Command line code on line 1
PASSWORD_ARGON2I%                                            

$ php -r 'echo PASSWORD_ARGON2ID;'            
PHP Warning:  Use of undefined constant PASSWORD_ARGON2ID - assumed 'PASSWORD_ARGON2ID' (this will throw an Error in a future version of PHP) in Command line code on line 1
PASSWORD_ARGON2ID%   

After having installed the package the constants are available

$ php -r 'echo PASSWORD_ARGON2I;' 
argon2i% 

$ php -r 'echo PASSWORD_ARGON2ID;'
argon2id%

kesselb commented 4 years ago

https://forum.remirepo.net/viewtopic.php?id=3961 https://github.com/remicollet/remirepo/issues/137

Hmm. php-sodium should be a hard dependency now? Probably that change was too late for Fedora 32?

DidierLmn commented 4 years ago

It seems so. I don't use a custom repo, but the default Fedora repo for PHP. From what I gather from the linked topics, it doesn't have to be a hard dependency if PHP is built with the right options (which Fedora 32 apparently doesn't do); it is just better. So I'm not entirely sure how you could go about solving this actually.

HidingCherry commented 3 years ago

I just ran into the very same issue and only stumbled on this after I saw that the new passwords have "2y" in the database, while the old ones have "argon2i".

Please add some error message to what is going on, I haven't seen any password-related error message in any log.

kesselb commented 3 years ago

Thanks for reminding me about this report.

https://forum.remirepo.net/viewtopic.php?id=3961 remicollet/remirepo#137

This needs to be fixed upstream by Fedora. On PHP 7.3 the algorithm is available. After updating to PHP 7.4 you need a new package. That's totally confusing.

Closing the report as this affects every PHP application using PASSWORD_ARGON2I. Please talk with the people maintaining the PHP packages for Fedora to make sure argon2i is always present.
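
The check requested under "Expected behaviour", as an added example that is not part of this thread or of Nextcloud's code: it reads the algorithm identifier from each stored hash and compares it with what the running PHP build reports through password_algos() (PHP 7.4 and later), so a missing argon2 provider is logged instead of surfacing only as failed logins. The function names, the sample rows and the optional "<version>|" prefix on stored values are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Extract the algorithm identifier from a stored password hash,
 * e.g. "$argon2i$v=19$..." -> "argon2i", "$2y$10$..." -> "2y".
 * Assumption: the stored value may carry a "<version>|" prefix, which is dropped.
 */
function hashAlgoId(string $stored): ?string
{
    $hash = preg_replace('/^\d+\|/', '', $stored);
    return preg_match('/^\$([A-Za-z0-9-]+)\$/', $hash, $m) === 1 ? $m[1] : null;
}

/**
 * Return [user => algorithm id] for every stored hash this PHP build cannot verify.
 * $available defaults to password_algos(); pass a list to test another build's set.
 */
function unverifiableHashes(array $storedByUser, ?array $available = null): array
{
    $available = $available ?? password_algos();
    $broken = [];
    foreach ($storedByUser as $user => $stored) {
        $id = hashAlgoId($stored);
        if ($id === null || !in_array($id, $available, true)) {
            $broken[$user] = $id ?? 'unrecognised';
        }
    }
    return $broken;
}

// Constructed sample rows with placeholder hash bodies (not real hashes).
$rows = [
    'alice' => '2|$argon2i$v=19$m=65536,t=4,p=1$c2FtcGxlc2FsdA$cGxhY2Vob2xkZXI',
    'bob'   => '1|$2y$10$placeholderplaceholderplaceholderplaceholderplacehold',
];

// Check against the running interpreter and log anything it cannot verify.
foreach (unverifiableHashes($rows) as $user => $algo) {
    error_log("Password hash for '$user' uses '$algo', which this PHP build does not "
        . 'provide; password_verify() returns false for it regardless of the password.');
}

// Simulate the state described in this report, where only bcrypt ("2y") was available.
var_dump(unverifiableHashes($rows, ['2y']));
```

Run at upgrade time or from a health check, this separates "wrong password" from "algorithm not available", which password_verify() alone cannot do because it returns false in both cases.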