manually create a user with SecuredSocial - securesocial

I use SecureSocial to manage the signup and login of my project. The password created by SecureSocial and stored in MongoDB is as below:
"password" : {
    "hasher" : "bcrypt",
    "password" : "$2a$10$ttFOX3YrXwQyiUVVRWL1Ku54CediP/Z/pGQ8QOP2YBKL/s87wyGba",
    "salt" : null
}
I now want to create a new user manually, so I need to know how to encrypt the password the same way as SecureSocial. Or is there any tool to do this?

You can use the PasswordHasher the module uses to hash the passwords and then save them. By default SecureSocial uses BCrypt.

Related

Glassfish Change Admin Password

How can I change the admin password for a Glassfish Domain using a password file? I know the conventional method of manually typing the password upon prompt.
However, I want to change the admin password using a script wherein I do not have to manually type the password.
This is possible, but you will need 2 password files if you want to script this fully in the easiest way.
Create a temporary file (tmpfile in my example) which will hold the current password (blank by default) and the desired new password:
AS_ADMIN_PASSWORD=
AS_ADMIN_NEWPASSWORD=myNewPassword
Now create a password file (pwdfile in my example) which will contain the changed admin password:
AS_ADMIN_PASSWORD=myNewPassword
You can then use the files to change the password using the commands below, making sure to use tmpfile when changing the password, then pwdfile afterwards:
$PAYARA_PATH/bin/asadmin start-domain
$PAYARA_PATH/bin/asadmin --user $ADMIN_USER --passwordfile=/opt/tmpfile change-admin-password
$PAYARA_PATH/bin/asadmin --user $ADMIN_USER --passwordfile=/opt/pwdfile enable-secure-admin
$PAYARA_PATH/bin/asadmin restart-domain
This example was adapted from the way the Payara Server dockerfile works.
For anyone still interested in manually setting the admin account password:
I tried to generate the contents of the "admin-keyfile" located in "glassfish/domains/{ACTIVE_DOMAIN_NAME}/config/admin-keyfile" based on the current implementation of the Payara Repo. This file (as the data source for the FileRealm) is used to authenticate the admin user when accessing the admin interface under port 4848.
Each line of this text file represents an account and is structured as
USERNAME;PASSWORD;GROUPS
The field "PASSWORD" is prefixed with a hash algorithm keyword (wrapped in curly braces, e.g. "SSHA" or "SSHA256") followed by a BASE64 encoded hash of the concatenated salted hash and the salt value itself (some random bytes):
{SSHA}BASE64(SHA(password,salt),salt)
Long story short: If you want to generate user accounts manually you could for example use the following Python script:
import hashlib
from base64 import b64encode
from secrets import token_bytes
from getpass import getpass

username = 'admin'  # input('Username: ')
plainTextPassword = getpass()
randomSalt = token_bytes(8)

# first round: SHA-256 over the password followed by the salt
passwordHash = hashlib.sha256()
passwordHash.update(plainTextPassword.encode('utf-8'))
passwordHash.update(randomSalt)
passwordDigest = passwordHash.digest()

# cryptic range reflects the strange implementation... feel free to change it to "range(99)"
# https://github.com/payara/Payara/blob/6488cbdc90fd0f6c42de6a42affcd09f697be715/nucleus/common/common-util/src/main/java/org/glassfish/security/common/SSHA.java#L108
for run in range(2, 101):
    passwordHash = hashlib.sha256()
    passwordHash.update(passwordDigest)
    passwordDigest = passwordHash.digest()

# stored value is BASE64(digest + salt), prefixed with the algorithm keyword
saltedHashAndSalt = b64encode(passwordDigest + randomSalt).decode('utf-8')
result = '{0};{{SSHA256}}{1};asadmin'.format(username, saltedHashAndSalt)
print(result)
Insert the console output into the "admin-keyfile" and (re)start your server.
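A companion check for the keyfile format described above, added here as an example (it is not part of the original answer or of the Payara code): it parses one USERNAME;PASSWORD;GROUPS line and verifies a candidate password against it, which is useful for testing a generated line before restarting the server. It assumes the iteration scheme of the script above and a 32-byte SHA-256 digest placed in front of the salt; the function names are hypothetical.

```python
import hashlib
import hmac
from base64 import b64decode, b64encode
from secrets import token_bytes

PREFIX = '{SSHA256}'
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes; the salt follows the digest


def ssha256(password: str, salt: bytes) -> bytes:
    """SHA-256(password + salt), then 99 more rounds, as in the script above."""
    digest = hashlib.sha256(password.encode('utf-8') + salt).digest()
    for _ in range(2, 101):
        digest = hashlib.sha256(digest).digest()
    return digest


def make_keyfile_line(username: str, password: str, groups: str = 'asadmin') -> str:
    """Build one admin-keyfile line with a fresh 8-byte random salt."""
    salt = token_bytes(8)
    blob = b64encode(ssha256(password, salt) + salt).decode('ascii')
    return '{0};{1}{2};{3}'.format(username, PREFIX, blob, groups)


def verify_keyfile_line(line: str, password: str) -> bool:
    """Return True if `password` matches the {SSHA256} entry in `line`."""
    fields = line.strip().split(';')
    if len(fields) != 3 or not fields[1].startswith(PREFIX):
        return False  # malformed line, or an algorithm this sketch does not cover
    try:
        raw = b64decode(fields[1][len(PREFIX):], validate=True)
    except ValueError:
        return False  # not valid BASE64
    if len(raw) <= DIGEST_LEN:
        return False  # digest only, no salt appended
    stored, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    # constant-time comparison of the stored and recomputed digests
    return hmac.compare_digest(stored, ssha256(password, salt))


if __name__ == '__main__':
    # constructed sample credentials, for demonstration only
    line = make_keyfile_line('admin', 'constructed-sample-password')
    print(line)
    print(verify_keyfile_line(line, 'constructed-sample-password'))
```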
As far as I know, it is impossible to change it via a file as a parameter for security reasons.
You can consider an alternative solution (pipe) but the confirmation of the password is always necessary. https://docs.oracle.com/cd/E19798-01/821-1758/change-admin-password-1/index.html

Change admin password in drupal 7

I am using the built-in Drupal 7 user module for user registration, forgot-your-password emails and all that stuff.
I have forgotten my admin password. I have access to my website, which is hosted on 1and1.com, and also have access to MySQL.
Is it possible to change the password or email address through SQL so that I can access the admin page?
If it is possible, how? Can somebody help me with this?
Thanks!
If you have Drush installed, you just have to enter the following command in the terminal from anywhere inside the site root.
drush upwd admin --password=mynewpassword
Here, admin is the user name whose password will be changed to mynewpassword.
After some research I tried the following code, stored as a PHP file in the root directory and saved as password-reset-admin.php:
<?php
// Bootstrap Drupal so the database layer and the password API are available.
define('DRUPAL_ROOT', getcwd());
require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
require_once DRUPAL_ROOT . '/includes/password.inc';

if (isset($_GET['pass']) && !empty($_GET['pass'])) {
  $newhash = user_hash_password($_GET['pass']);
}
else {
  die('Retry with ?pass=PASSWORD set in the URL');
}

// uid 1 is the admin account.
$updatepass = db_update('users')
  ->fields(array(
    'pass' => $newhash,
    // 'name' => 'admin',
    // 'mail' => 'yourmail@domain.com',
  ))
  ->condition('uid', '1', '=')
  ->execute();
print "Done. Please delete this file immediately!";
drupal_exit();
?>
And after that access the php file through the following:
https://yoursite.com/password-reset-admin.php?pass=newpassword
It just worked..:) Hope it helps others.
Please make sure you delete the file.
To change the password, you need to have shell access to your website. If not, download a copy of Drupal 7 on your local machine.
Then, open your terminal and navigate to your Drupal 7 root folder. Then type the following command:
./scripts/password-hash.sh NEW_PASSWORD
Replace NEW_PASSWORD with the new password you need.
This will output a new password hash. Copy this hash, go to your database manager (phpMyAdmin or similar) and change the admin password to the newly generated text.
I don't know of another way to do that, because Drupal is not using MD5 anymore and uses a hashing algorithm instead.
Change directory to your Drupal's root.
Then generate the new hash.
In case of Drupal 7:
$ php scripts/password-hash.sh 'your-new-pass-here'
Then execute SQL query to update the administrator's password:
UPDATE users SET pass='$S$Do7UQjqtEELNccdi92eCXcVJ2KnwUeHrSbK3YhFm8oR3lRJQbMB2' WHERE uid = 1;
In case of Drupal 8 path to script will be:
$ php core/scripts/password-hash.sh 'your-new-pass-here'
Update DB:
UPDATE users_field_data SET pass='$S$Do7UQjqtEELNccdi92eCXcVJ2KnwUeHrSbK3YhFm8oR3lRJQbMB2' WHERE uid = 1;
Clean the cache:
DELETE FROM cache_entity WHERE cid = 'values:user:1';
If you have access to the database, then...
Go to the users table in your database and change the admin's email to an email that you have access to.
Afterward, head over to yoursite.com/user/password and enter the email that just changed.
Go to your email and click on the reset link to go into your site and reset your password.
Done!
Tested and it works!
With access to the table "users" in your database via phpMyAdmin, for example (this table can have a prefix that you specified during the Drupal installation, so yourPrefix_ can be your project's name, such as mywebsitename_, and in this case you'll have mywebsitename_users),
you should alter the "pass" column associated with the "uid" column with the value 1 (i.e. 1 for the admin user account).
The encrypted value for the password Admin_12345 is:
$S$DifCVXg9tNtHadziyyQJQVLAaZzW5EgS6OjR56D.mk8MpNQs1II2
You can access your admin account after replacing the old hashed password value stored in your database, which you have totally forgotten.
Don't forget to change the password Admin_12345 to another one after you access your account.
You can generate the query here and run it in the database.

symfony2 get login username while encoding password

Hi, I am googling but without result.
I am trying to check one field in the DB while encoding the password for the user. How?
The service
services:
    my_password_encoder:
        class: TB\WelcomePageBundle\Security\Encoder\MyPasswordEncoder
<?php
namespace TB\WelcomePageBundle\Security\Encoder;

use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder;
use TB\UserBundle\Entity\User;

class MyPasswordEncoder extends BasePasswordEncoder
{
    public function encodePassword($raw, $salt)
    {
        $user = new User;
        $old_or_new = $user->getOldNew();
        print_r($user);
        print_r($old_or_new); die();
        // (the rest of the method is not shown in the post)
    }
}
The point:
1. Retrieve one field from the DB for the user currently logging in.
2. Depending on the value, I need to: encode his password MY WAY and log him in + CHANGE THE PASSWORD THE SYMFONY WAY and update the DB.
3. Or, depending on the value, just use the Symfony way.
The condition is easy. The problem is just how I can retrieve this field + encode the password the Symfony way (how to encode the password my way I know) + encode the password no longer my way but the Symfony way and update the DB.
My point is to migrate low-security passwords to Symfony2. Why? Because I have an existing DB where the passwords are encoded my way. So I need to "update" them.
THE MAIN PART OF THE QUESTION:
HOW CAN I GET THE USERNAME OF THE USER WHO TRIES TO LOG IN, IN THE ENCODE PASSWORD FUNCTION??? THX!!!

Can I allow users to be logged in to symfony using a link with a secret key?

I'd like to e-mail all my users a link to a symfony site that I am writing, and have it so that when they follow that link they are logged in to the site (probably with a special role, like IS_AUTHENTICATED_REMEMBERED), and redirected to a certain page. How can I do this?
So the link would be something like:
http://example.com/?key=[some sort secret key with their account encoded in it]
I'd do something like this: generate the key with a hash function over the username.
Then send them a link to http://example.com/?user=username&hash=the-hash-result.
In the action that will receive this URL you can get the request parameters username and hash, apply the same hash function to the username you received and compare the result to the hash key in the request parameters.
If they match, just set the appropriate credentials for the user and log him in.
Let's see some code. In your authentication class you should have a function to authenticate a user with the $user and $password parameters. Here, or by extending this class, you can define a function like this:
function authenticate($user, $hashKey) {
    // hash_equals() compares in constant time and avoids loose == comparison
    if (hash_equals(hashFunction($user), $hashKey)) {
        $user->setAuthFunction(true); // sort of
    }
}
Hope it helped you!
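The scheme in the answer above, as an added example that is not part of the original answer: a plain hash of the username can be recomputed by anyone who knows the username, so this sketch keys the hash with a server-side secret (HMAC) and binds an expiry time into the signed data. The function names, the SECRET value and the URL parameters expires and sig are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a random key kept in server-side configuration, never sent to users.
SECRET = b'constructed-demo-key-load-from-config'


def _sign(user: str, expires: int, secret: bytes) -> str:
    # The MAC covers both fields, so neither can be changed independently.
    msg = '{0}\n{1}'.format(user, expires).encode('utf-8')
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_login_link(base: str, user: str, ttl: int,
                    secret: bytes = SECRET, now: int = None) -> str:
    """Build a link that is valid for `ttl` seconds from `now`."""
    expires = (int(time.time()) if now is None else now) + ttl
    query = urlencode({'user': user, 'expires': expires,
                       'sig': _sign(user, expires, secret)})
    return '{0}?{1}'.format(base, query)


def verify_login_link(url: str, secret: bytes = SECRET, now: int = None):
    """Return the username if the link is authentic and unexpired, else None."""
    params = parse_qs(urlsplit(url).query)
    try:
        user = params['user'][0]
        expires = int(params['expires'][0])
        sig = params['sig'][0]
    except (KeyError, ValueError):
        return None  # a parameter is missing or malformed
    expected = _sign(user, expires, secret)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode('utf-8'), expected.encode('utf-8')):
        return None  # forged or altered link
    if (int(time.time()) if now is None else now) > expires:
        return None  # authentic, but past its expiry time
    return user


if __name__ == '__main__':
    link = make_login_link('http://example.com/', 'alice', ttl=3600)
    print(link, verify_login_link(link))
```

The link is still a bearer credential until it expires, so it fits best with a restricted role such as the AUTO_LOGIN approach described further down this page.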
Not so easy to implement, I can tell you, but you've got to take a look at the UsernamePasswordFormAuthenticationListener::attemptAuthentication method...
Make your own service to attemptAuthentication automatically.
Inspired by this message and this code, I wrote a controller that gets the user from the database, verifies the secret key, then fakes a login token as follows:
$providerKey = 'secured_area'; // Name of firewall from security.yml - not sure this is correct.
$token = new UsernamePasswordToken($user, null, $providerKey, array('AUTO_LOGIN'));
$this->container->get('security.context')->setToken($token);
(you need this at the top of your file)
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
It seems to work, and the user has a role of AUTO_LOGIN so I can easily restrict them from accessing more sensitive stuff until they have logged in with a username and password as normal.

password recovery for drupal

I forgot my Drupal user ID and password. Is there any way to recover it?
http://example.com/<path-to-drupal>/user/password should bring you to a page where you can request a reset/new-password.
Edit:
The above path applies if you have 'clean URLs' enabled, if not use http://example.com/<path-to-drupal>/?q=user/password
This solution is valid for Drupal 5 or 6 but not for Drupal 7. This version does not use a standard hashed password. You can get your encoded password running the following command:
php /path_to_drupal_files/scripts/password-hash.sh your_password
Then you can see your password hash. This is the string that you should use in the database to update the admin password. You can use the following SQL query to update the Drupal database.
UPDATE users SET pass='YOUR_PASSWORD_HASH' where uid=1;
If you don't have access to the email (or want to bulk-update the passwords) you can update the database with a query like:
UPDATE users SET pass = md5('NEWPASSWORD') WHERE name = 'admin'
