On Sep 6, 2008, at 3:53 PM, Platonides wrote:
Richard K Miller wrote:
It appears the user.user_password field changed in the upgrade from
1.12 to 1.13, but I didn't see any mention of it in the Release
Notes.
I'm using $wgPasswordSalt = false so I can connect mod_auth_mysql to
the user table for password protection. (See my blog post at
http://tinyurl.com/y7ue8k)
In MediaWiki 1.13, with password salting turned off, the password 32
byte MD5 hash is now prepended with a letter and the user_id. For
example:
76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.12)
:B:1:76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.13)
Could someone please point me to information about this change? Is it
possible to disable this password prefix so it will continue to be
only an MD5 hash?
It was documented three months ago on wikitech-l. Should be on release
notes, though.
http://thread.gmane.org/gmane.science.linguistics.wikipedia.technical/38503
In the new format, you would need to prefix with ":A:" the md5 hashes.
You probably need to modify crypt() on User.php to avoid generation of
passwords in the new format.
Thanks for this update.
Would it make sense to introduce a new configuration directive to
indicate that the password is unsalted AND unprefixed? For example,
$wgPasswordPrefix = false ?
Work-arounds for connecting mod_auth_mysql to MediaWiki 1.13 include
these:
1. Modify crypt() in User.php (not ideal)
2. Modify and recompile mod_auth_mysql (not ideal)
3. Create a MySQL VIEW that returns user_name and the latter portion
of user_password (my current solution)
4. Introduce a new configuration directive, such as $wgPasswordPrefix
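
Added example, not part of the original thread and not MediaWiki's or mod_auth_mysql's code: workaround 3 relies on splitting the prefix off user_password, so this sketch parses the three layouts mentioned above (bare hash, ":A:", ":B:") and checks whether the stripped value still verifies as a plain MD5. The function names and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import re

HEX32 = re.compile(r"[0-9a-f]{32}")


def parse_user_password(stored):
    """Return (kind, middle, md5hex) for a user_password value.

    kind: "bare" (1.12 layout), "A" or "B" (1.13 layouts named in the thread).
    middle: the field between the letter and the hash for :B: rows
    (the post reports the user_id there), otherwise None.
    """
    if HEX32.fullmatch(stored):
        return ("bare", None, stored)
    parts = stored.split(":")
    # ":A:<hash>" -> ["", "A", hash]; ":B:<id>:<hash>" -> ["", "B", id, hash]
    if len(parts) == 3 and parts[:2] == ["", "A"]:
        kind, middle, digest = "A", None, parts[2]
    elif len(parts) == 4 and parts[:2] == ["", "B"]:
        kind, middle, digest = "B", parts[2], parts[3]
    else:
        raise ValueError("unrecognised user_password layout")
    if not HEX32.fullmatch(digest):
        raise ValueError("trailing field is not a 32-character hex MD5")
    return (kind, middle, digest)


def bare_md5(stored):
    """The portion an MD5-only checker would compare against."""
    return parse_user_password(stored)[2]


def verifies_as_plain_md5(stored, password):
    """True if md5(password) equals the trailing hash, i.e. stripping the
    prefix really leaves an unsalted MD5 for this row."""
    candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, bare_md5(stored))


if __name__ == "__main__":
    # Constructed sample rows: the two values quoted in the post, plus an
    # ":A:" row built from a made-up password.
    made_up = hashlib.md5(b"constructed-password").hexdigest()
    for row in ("76cecfa967423834abdbd1c8a8ac4125",
                ":B:1:76cecfa967423834abdbd1c8a8ac4125", ":A:" + made_up):
        print(parse_user_password(row))
    print(verifies_as_plain_md5(":A:" + made_up, "constructed-password"))
```

Running verifies_as_plain_md5 against an account whose password is known is a quick way to confirm that a prefix-stripping view will authenticate before pointing mod_auth_mysql at it.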