dhis 2.17 Password Algorithm

Hi all,

A happy New Year to everyone, and may 2015 be a happy, healthy and prosperous year for us all!

I know related questions have been asked in the past, but I thought this one worth asking anyway:

We need to be able to add a user/password to an instance “externally” to dhis 2.x – i.e. either through PostgreSQL or by injecting a line into an .sql dump or something similar. The instance need not be running at the time.

If I recall correctly, the algorithm used to encrypt the password in the Db changed at some point (I may be wrong), so for the purposes of this question assume that this applies only to versions 2.17 or higher.

A couple of points come to mind:

  1. What would be the best way to achieve what we need, in Oslo’s opinion?
  2. Can usernames be assigned to an OrgUnit at the same time?
  3. Can a password be decrypted from an .sql file using the same algorithm?

Many thanks and kind regards,

Jason.

Hi Jason,

DHIS2 currently uses Bcrypt for encryption of the passwords.

By far the easiest way to achieve what you want is to create an XML (DXF2) payload of the user(s) you need to create and import that into DHIS2. The password in XML can be clear text, and will be encrypted by DHIS2 upon import.

Yes, users can be assigned to orgunits in this process.

Although it is possible to decrypt the password in the DHIS2 database, it could be a lengthy process requiring the password to be cracked. There is no known algorithm to efficiently decrypt passwords which have been hashed with Bcrypt.

Best regards,

Jason Pickering

···

On Mon, Jan 12, 2015 at 8:05 AM, Jason Phillips jason@hisp.org wrote:

Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

Mailing list: https://launchpad.net/~dhis2-users
Post to : dhis2-users@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-users
More help : https://help.launchpad.net/ListHelp

You also have the option of creating a DXF/JSON file that can send invitations to people through the web api. When getting the invite, people are redirected to a secure page where they can choose their own password. This is usually more secure, as you don't have to communicate passwords over email.

https://www.dhis2.org/doc/snapshot/en/developer/html/ch01s37.html

Lars

To further expand on this: bcrypt is a fully portable format which should allow you to generate and authenticate valid credentials using any (sane) implementation. Good implementations are available for most programming languages.

Also, I might be misunderstanding you, but in reference to item #3 on your list: if your design requires you to decrypt password hashes (which is, as Jason P. suggests, virtually impossible) it should probably be reconsidered.

If you for some reason need to work with pre 2.17 systems there is a standalone implementation of the DHIS2 password hashing algo available at https://github.com/dhis2/dhispassword

···

2015-01-12 9:18 GMT+01:00 Jason Pickering jason.p.pickering@gmail.com:

Hi Jason

Expanding yet further - and clearing up terminology - dhis2 does not encrypt the password and store it. If it did, and you had the key, then you could decrypt it. What dhis2 stores is a hash which is something calculated from the password. These hash algorithms are designed to be as irreversible as possible, i.e. you can calculate the hash from the password (which is what happens when your password is checked when you login) but not the password from the hash. So there is no encryption/decryption key involved.

In general I think Lars’s advice is what you should follow if you can. Creating a bunch of user/password combinations in advance gives you two headaches: (i) how do you generate the passwords? (ii) how do you then securely distribute them?

Maybe the one case where you might want to create a user with a pre-generated password is if you are trying to match credentials across systems.

Bob

···

On 12 January 2015 at 11:41, Halvdan Grelland halvdanhg@gmail.com wrote:
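To make Halvdan's portability point and Bob's hash-versus-encryption point concrete, here is an added example (not from the thread and not DHIS2 project code) that pulls apart the bcrypt string a 2.17+ instance stores in users.password. The table and column names are the ones used later in this thread; the rows are constructed for the example, and the bcrypt-shaped value is a placeholder with the correct layout that does not correspond to any password. It goes slightly beyond the thread by also tallying rows that are not in bcrypt format, which is the check to run before assuming a dump came from a 2.17+ instance.

```sql
-- PostgreSQL. Constructed sample rows standing in for the DHIS2 "users" table.
CREATE TEMP TABLE sample_users (username text, password text);
INSERT INTO sample_users (username, password) VALUES
  ('support_admin', '$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'),   -- placeholder, bcrypt layout only
  ('legacy_user',   'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'), -- constructed non-bcrypt value
  ('no_password',   NULL);

-- bcrypt modular-crypt layout: "$2a$" (or $2b$/$2y$), a two-digit cost, then 53
-- characters of bcrypt's own base64 alphabet [./A-Za-z0-9]: a 22-char (128-bit)
-- salt immediately followed by a 31-char digest. Algorithm, work factor and salt
-- all travel inside the string, so any bcrypt implementation can verify it and
-- there is no key anywhere that could "decrypt" it.
SELECT username,
       coalesce(password ~ '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$', false)          AS is_bcrypt,
       substring(password from '^\$(2[aby])\$')                                        AS version,
       substring(password from '^\$2[aby]\$([0-9]{2})\$')::int                         AS cost,   -- 2^cost key-setup rounds
       substring(password from '^\$2[aby]\$[0-9]{2}\$([./A-Za-z0-9]{22})')             AS salt,
       substring(password from '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{22}([./A-Za-z0-9]{31})$') AS digest
FROM sample_users
ORDER BY username;

-- Sanity check on a whole dump before trusting it: rows whose stored value is
-- not in the 2.17+ bcrypt format (older hash layout, or no password stored).
SELECT count(*)                                                                        AS total,
       sum(CASE WHEN password ~ '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' THEN 1 ELSE 0 END) AS bcrypt_rows,
       sum(CASE WHEN password IS NULL THEN 1 ELSE 0 END)                              AS null_rows
FROM sample_users;
```

Run against a real database, replace sample_users with users; only support_admin matches the pattern, legacy_user fails on both prefix and length, and the NULL row is reported separately. The regexes assume standard_conforming_strings is on (the PostgreSQL default since 9.1), so the backslash reaches the regex engine unchanged.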

Hi Bob/Jason P/Lars/all,

Many thanks for your responses/input!

Perhaps my specific reasons for my request would clear up the requirement:

We normally have three “copies” of any one instance running at any given time: a LIVE system, a STAGING system, and a TRAINING system. The STAGING system is used for testing changes to the LIVE without actually affecting the LIVE, for obvious reasons.

We want to regularly update the STAGING database with a copy of the LIVE – but, in so doing, inject a superuser account that can be used for login by our support/technical/data staff; people that we would ideally like NOT to have access to the LIVE system.

I would (ideally) like this to happen during our automated backup process, so something scripted would be great. The injected username/password would remain reasonably stable, but for security reasons we would like to be able to change it from time to time.

Any suggestion which presupposes an existing (presumably) super-user account poses a problem in that each database has different super-users, and the password for each is neither known to me nor stable or consistent.

For example, I do not have login/access to most of the DHIS2 databases we host, but I am required occasionally to log in to assist with technical queries. Using the method described above, I can be given super-user access to a copy of the system without having login creds for the real deal.

I hope that clarifies? Any suggestions would be greatly appreciated.

Kind regards,

Jason.

···

From: Dhis2-users [mailto:dhis2-users-bounces+jason=hisp.org@lists.launchpad.net] On Behalf Of Bob Jolliffe
Sent: 12 January 2015 02:15 PM
To: Halvdan Grelland
Cc: DHIS 2 Users List; Henk Brink
Subject: Re: [Dhis2-users] dhis 2.17 Password Algorithm

Here’s another approach:

Create the superuser account in the production system by hand. Copy out the hashed password from a SQL query:

select password from users where username='…';

Set the password to null in the production system to effectively disable the account. Then as a part of your batch procedure, enable the password in the STAGING system with an update command like:

update users set password = '…' where username='…';

Cheers,

Jim

···

On Mon, Jan 12, 2015 at 9:32 AM, Jason Phillips jason@hisp.org wrote:
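The staging-side half of Jim's procedure as a psql script, added here as an example rather than anything from the thread or from DHIS2 itself. It assumes a staging database named dhis2_staging and a support account named support_admin (both names are this example's choices); the hash literal is a constructed placeholder to be replaced with the value captured from LIVE, or with one generated by any bcrypt implementation as Halvdan notes. The three guards are what a practitioner wants in an automated restore: a database-name check so the script can never be pointed at LIVE, a format check so a truncated or mis-pasted value is rejected rather than stored, and a row-count check so a dump that no longer contains the account fails loudly instead of silently leaving nobody able to log in.

```sql
-- PostgreSQL / psql. Run on STAGING after the LIVE dump has been restored, e.g.
--   psql -d dhis2_staging -v ON_ERROR_STOP=1 -f inject_support_user.sql
-- LIVE-side steps (done once, by hand, as Jim describes): create the account,
-- capture its hash with  SELECT password FROM users WHERE username = 'support_admin';
-- then disable it on LIVE with  UPDATE users SET password = NULL WHERE username = 'support_admin';

\set ON_ERROR_STOP on
BEGIN;

DO $body$
DECLARE
    -- Placeholder with the bcrypt layout; substitute the real hash captured from LIVE.
    v_hash     CONSTANT text := '$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';
    v_username CONSTANT text := 'support_admin';
    v_rows     integer;
BEGIN
    -- Guard 1: refuse to run anywhere but the staging database.
    IF current_database() <> 'dhis2_staging' THEN
        RAISE EXCEPTION 'refusing to inject credentials into database "%"', current_database();
    END IF;

    -- Guard 2: only store a well-formed bcrypt string
    -- ($2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest in bcrypt base64).
    IF v_hash !~ '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' THEN
        RAISE EXCEPTION 'value for % is not a bcrypt hash; refusing to store it', v_username;
    END IF;

    -- Re-enable the account in the restored copy by writing the known hash.
    UPDATE users SET password = v_hash WHERE username = v_username;
    GET DIAGNOSTICS v_rows = ROW_COUNT;

    -- Guard 3: the account must exist exactly once in the restored dump.
    IF v_rows <> 1 THEN
        RAISE EXCEPTION 'expected exactly one row for %, updated %', v_username, v_rows;
    END IF;
END
$body$;

COMMIT;
```

Because the DO block runs inside the explicit transaction and ON_ERROR_STOP is set, any raised exception leaves the restored copy untouched and makes psql exit non-zero, which is what the surrounding backup job should key its success status on. Rotating the support password later means generating a new bcrypt hash and changing only the v_hash literal.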

Ah that is much more straightforward (I think). If it is just a single admin user, not many users, then the method of Jason Pickering would be straightforward. As would simply inserting a known hash code using sql. Both are easily scriptable. If you are doing as part of your backup and restore processes then I’d just do the whole lot with sql. Either as Jim has just outlined or simply insert the admin user with password hash.

···

On 12 January 2015 at 14:32, Jason Phillips jason@hisp.org wrote:

Thanks everyone for your assistance; I will let you know how it goes!

Kind regards,

Jason.

···

From: Bob Jolliffe [mailto:bobjolliffe@gmail.com]
Sent: 12 January 2015 04:59 PM
To: Jason Phillips
Cc: DHIS 2 Users List; Henk Brink
Subject: Re: [Dhis2-users] dhis 2.17 Password Algorithm