Error: Unable to Generate Hash when trying to login into Admin


sam

Hi, I'm new to ProcessWire and I have to say that after reading through your forum and some of your tutorials I have taken the plunge and installed PW and quite like the CMF/CMS that you have developed, and congratulate you and your community's efforts to date.

I have come up against a problem when trying to develop between multiple environments, i.e. dev, staging, production. The problem I am facing is that after doing a ProcessWire 2.2.13 installation (without problems) on my dev environment and then moving the site to staging or another developer's environment, when I try to log in to the Administration area I get an error "Unable to generate password hash". I have tried to empty the cache, both browser and physical files, and still get the error message and I can't log in to the control panel.

My staging environment is running Apache 2 and PHP 5.2.17 (can't upgrade to 5.3 or 5.4 due to another CMS legacy issue) and my dev environment runs on MAMP 2.0 with Apache 2 and PHP 5.2.17 also.

I have checked AMP logs and can't see anything out of the ordinary there. Just wondering if I'm missing anything. Any help would be greatly appreciated.

Cheers Sambo.


OK, I think this might be a PHP 5.2.17 error. If I change MAMP to use PHP 5.3.14 the error goes away and I can log in, but my production server is running 5.2.17, so I'm a bit stuck here. Is there some way to set this to a legacy encrypt/decrypt setting?


I have PHP 5.2.9 and all works well. I don't think there is a legacy version.

As I said earlier, you might check if $config->userAuthHashType = "sha1" is supported by your server or needs a different setting.

Also check phpinfo to see if mcrypt blowfish is installed and what hash engines are available.


That error message is coming from this file:

/wire/core/Password.php

if(!is_string($hash) || strlen($hash) <= 13) throw new WireException("Unable to generate password hash");

It sounds like the server supports Blowfish but when PHP is asked to return a blowfish hash, PHP's crypt function is returning an error for one reason or another. 

ProcessWire only uses $config->userAuthHashType if the server does not support blowfish. The reality is, it's a bad idea to use anything less when blowfish is available. But in your case, it sounds like we've got the server reporting "I can do blowfish" and then bowing out when we ask it to do so. What you might want to try to do is modify that Password.php file and change this function:

public function supportsBlowfish() {
  return defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH;
}

to this:

public function supportsBlowfish() {
  return false;
}

If that fixes it, please let me know. I can add a config option to bypass blowfish.


I actually got this same error just today on one dev site. It has been running dev versions and when trying to change password it threw that error. I updated to latest dev and still same. But just for this one user, others and new ones work just fine.


@sam, @apeisa: can you replace the line that says this (in /wire/core/Password.php):

if(!is_string($hash) || strlen($hash) <= 13) throw new WireException("Unable to generate password hash");

with this:

if(!is_string($hash) || strlen($hash) <= 13) 
  throw new WireException("pass=$pass | hash=$hash | hashType=$hashType | salt1=$salt1");

Let me know what it says? I'm curious what sort of data is in there. 


No probs, following is the error output:

pass=mXXXXXX | hash=$2sNTd9VF43kk | hashType=blowfish | salt1=$2y$11$pTGSdPI7.YVGe70VuRhF6e

Just to clarify, I still have this function set as well:  

public function supportsBlowfish() { return false; }

and the following for salt:

$config->userAuthSalt = '572fe5f9277ca75a16f78330eb3a0279';

field_password table in the database shows the following:

pages_id   data                               salt
41         FDUxEZx7t/1FDuDfB0wcwJrNSJ5rN/6    $2a$11$kPxOgAJBU6.fnYF0cE0jh.

Cheers Sambo


Sounds like a bug in is_string() in PHP 5.2.17 or perhaps the string with the leading dollar in it is being interpolated by PHP somehow leading to a string that is shorter than 13 characters. What do you get for this...

$hash = '$2'; // Make sure you use single quotes here please.
if (!is_string($hash)) {
    echo "Buggy";
} else {
    echo "Interpolation maybe?";
}

...?

Edited to add: Ignore the above, I posted at about 5am after an all-night bug hunt.

Possibly unrelated: there are reports of Crypt() differences coming in between different PHP versions. Sorry I don't have time to look at this more but very busy at the moment.


pass=mXXXXXX | hash=$2sNTd9VF43kk | hashType=blowfish | salt1=$2y$11$pTGSdPI7.YVGe70VuRhF6e

That part I underlined and bolded above is revealing. What type of hash is indicated by $2s? It's not documented with PHP. Blowfish uses $2y, $2x and $2a. I incorrectly assumed that the '$2' set was reserved for blowfish, and looking at this, clearly it's not. It looks to me like it must have fallen back to some kind of DES encryption, but I honestly have no idea what it is. I'm just glad we had that check in there to throw the error, and glad you came here to report it. :) I've updated the isBlowfish() function to specifically check for only $2y, $2x and $2a and assume anything else is not blowfish.

Can you try out the attached Password.php file to replace /wire/core/Password.php?

Password.php

You will have to reset the password for any accounts that have this unknown hash, as that hash is not portable across systems. You can reset a password from the API like this:

$u = $users->get('sam');
$u->of(false);
$u->pass = 'new-password';
$u->save();

Or you can just do it from the admin when logged into a superuser account. 

One other thing to note is that if your passwords are defined on a PHP 5.3.x or newer installation, and then migrated to an [older] PHP 5.2.x installation, the passwords will no longer work. This is because PHP 5.2.x doesn't have the ability to generate blowfish hashes (at least not the kind that are useful for passwords). So if your live server is PHP 5.2 and your dev is 5.3 or newer, only set your passwords on the live server.

I also want to recommend moving any PHP 5.2 installs to 5.3. We will be dropping support for PHP 5.2 either in ProcessWire 2.4 or 2.5, as we move to PSR-0 and namespace support. 


Hi Ryan, I replaced the Password.php file and tried to change the user password but I kept getting "Internal 500 Errors" every time I tried to run it through a template or via the API from the command line. Anyway, I found it easier to actually set up another site in MAMP whilst I was using PHP version 5.2, then copy the "$config->userAuthSalt" setting to my existing config.php and the values in the "field_pass" database table to the existing site's database from the temporary site I set up. This now allows me to log in and create extra users.

All working now, until I upgrade my server to php 5.4 which will be in the next couple weeks, I'll remember to keep the PHP version to 5.2 both in Dev and Production environments.

Cheers Sambo.

  • Like 1

Hi Ryan, I replaced the Password.php file and tried to change the user password but I kept getting "Internal 500 Errors" every time I tried to run it through a template or via the API from command line.

You should be able to get more detail by checking your log file: /site/assets/logs/errors.txt

All working now, until I upgrade my server to php 5.4 which will be in the next couple weeks, I'll remember to keep the PHP version to 5.2 both in Dev and Production environments.

The ideal situation would be to upgrade both to PHP 5.4. But if you can't upgrade the production environment and don't want to downgrade your dev environment, you could set that supportsBlowfish() function in Password.php to always return false. However, I would look at finding a way to get the production environment upgraded because ProcessWire 2.3 is likely the last version that will work on PHP 5.2 (though that's not yet certain). 


  • 4 weeks later...
  • 1 month later...

Hi, just migrated one project to the production server. My dev environment has PHP 5.4 and the production server has only version 5.3.3-7.

So I had the error: Unable to Generate Hash....

I solved it this way:

1. On localhost logged as admin

2. Changed file Password.php

from

public function supportsBlowfish() {
    return version_compare(PHP_VERSION, '5.3.0') >= 0 && defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH;
}

to

public function supportsBlowfish() {
    /* HOSTING FIX */
    return version_compare(PHP_VERSION, '5.4.0') >= 0 && defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH;
}

3. Changed admin password in users setup

4. Copied new values from local DB table field_pass (data,salt) to production DB.

This WORKAROUND fixed login problem.

Looks like we need a better check in Password.php


Blowfish hashing was added to PHP in 5.3, so any version 5.3 and newer supports it. However, a security problem was found in versions of PHP 5.3 prior to 5.3.7, so they fixed it. Newer versions of PHP are still compatible with the old, but versions prior to 5.3.7 are not compatible with passwords generated on newer versions of PHP. Since your host is using PHP 5.3.3, this is likely why you ran into an issue. But a commercial hosting provider should probably not be using a PHP version earlier than 5.3.7 due to that security issue. So the workaround is probably not a good idea since it is circumventing that. I strongly recommend asking your host to upgrade the PHP version.

  • Like 1
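
Two points from this thread can be checked directly on a server: a string starting with `$2` is not necessarily a blowfish hash, and a PHP build can advertise blowfish yet fail to produce it for a given salt prefix. The following is an added example, not ProcessWire's code: it validates the full bcrypt layout rather than only the length and probes which prefixes the running PHP really hashes. The function names are hypothetical, the sample strings are the values quoted in the thread plus one constructed failure marker, and the probe salt is constructed.

```php
<?php
// Added example (not ProcessWire code); function names are hypothetical.

/** True only for a complete bcrypt string: $2a$/$2x$/$2y$, two-digit cost,
 *  then 22 salt + 31 hash characters (60 characters in total). */
function isBcryptHash($hash) {
    return is_string($hash)
        && preg_match('/^\$2[axy]\$\d{2}\$[.\/A-Za-z0-9]{53}\z/', $hash) === 1;
}

/** Name what crypt() actually returned instead of trusting its length alone. */
function classifyCryptOutput($hash) {
    if (!is_string($hash) || $hash === '' || $hash[0] === '*') {
        return 'failure';            // crypt() signals errors with "*0" / "*1"
    }
    if (isBcryptHash($hash)) {
        return 'bcrypt';
    }
    if (strlen($hash) === 13) {
        return 'des-shaped';         // length of a traditional DES crypt() result
    }
    return 'unknown';
}

/** Hash a throwaway value with the given prefix and check the result. */
function probeBlowfish($prefix) {
    // Constructed salt: cost 04 keeps the probe fast; 22 valid salt characters.
    $salt = $prefix . '04$' . 'abcdefghijklmnopqrstuu';
    $hash = crypt('probe', $salt);
    return isBcryptHash($hash) && strncmp($hash, $prefix, 4) === 0;
}

$samples = array(
    'hash from the error output above' => '$2sNTd9VF43kk',
    'salt + data columns quoted above' => '$2a$11$kPxOgAJBU6.fnYF0cE0jh.'
                                        . 'FDUxEZx7t/1FDuDfB0wcwJrNSJ5rN/6',
    'constructed failure marker'       => '*0',
);
foreach ($samples as $label => $value) {
    printf("%-36s %s\n", $label, classifyCryptOutput($value));
}
foreach (array('$2a$', '$2y$') as $prefix) {
    printf("crypt() with %s salt: %s\n", $prefix, probeBlowfish($prefix) ? 'bcrypt' : 'NOT bcrypt');
}
```

Run it on both the development and the production host before copying password rows between them; a prefix that reports `NOT bcrypt` on either side means hashes created with that prefix will not verify there.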