Hello/Hi/Greetings,
I have a phpbb forum and external_authentication true so I can log in to piwigo using the same credentials. Updating phpbb has changed the hashing function to argon2i which has unfortunately rendered me (and everyone else) unable to log on to piwigo with the following error:
crypt(): Supplied salt is not valid for DES. Possible bug in provided salt format.
I suspect I need to change $conf['password_hash'] to use argon2i, but I do not know how to do this. Can anyone help?
Piwigo version: 2.10.2
PHP version: 7.2.29
edit: I have tried:
$conf['password_hash'] = create_function('$s', 'return password_hash($s, PASSWORD_ARGON2I);');
in local config file but no dice
the error is line 272 in include/passwordhash.class.php
edit2: Seem to have fixed it with
$conf['password_verify'] = create_function('$pass,$hash', 'return password_verify($pass, $hash);');
I hate messing with auth stuff so please tell me if I've opened a huge security hole with this..
Last edited by jaws (2020-06-30 21:28:28)
Hi jaws, have a similar problem.
I'm using:
php 7.4.9
piwigo
phpbb 3.3.1
tried to change it to the following (because create_function is deprecated):
$hash = $this->crypt_private($password, $stored_hash);
if ($hash[0] == '*')
    $conf['password_verify'] = function ($pass, $hash) {return password_verify($pass, $hash);};
return $hash === $stored_hash;
Errors are gone, but "wrong password" comes up.
any ideas?
ARGH, my fault. Don't have to change the passwordhash.class.php
Changed the line in config.inc.php:
old:
$conf['password_verify'] = 'pwg_password_verify';
new:
$conf['password_verify'] = function ($pass, $hash) {return password_verify($pass, $hash);};
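Added example, not part of the thread and not Piwigo or phpBB code: a verify callback that sends password_hash() formats (argon2i, bcrypt) to password_verify() and every other stored hash to the previously configured verifier, so older hashes keep working and an empty hash never matches. `make_password_verifier`, `$legacyVerify` and the sample hashes are hypothetical names and constructed data; argon2i verification assumes a PHP build with Argon2 support.

```php
<?php
// Added example: not Piwigo or phpBB code. $legacyVerify is a hypothetical
// stand-in for whichever verifier was configured before the change.
function make_password_verifier($legacyVerify)
{
    return function ($pass, $hash, ...$rest) use ($legacyVerify) {
        // An empty or non-string stored hash must never match anything.
        if (!is_string($pass) || !is_string($hash) || $hash === '') {
            return false;
        }
        // 'algo' is 0 (PHP 7.2/7.3) or null (7.4+) when the string is not a
        // password_hash() format known to this PHP build.
        $info = password_get_info($hash);
        if (!empty($info['algo'])) {
            return password_verify($pass, $hash);
        }
        // Anything else goes to the previous verifier instead of crypt(),
        // which treats an unrecognised prefix as a DES salt.
        return (bool) $legacyVerify($pass, $hash, ...$rest);
    };
}

// Constructed demo data, generated locally; nothing here is from a real site.
$algo = defined('PASSWORD_ARGON2I') ? PASSWORD_ARGON2I : PASSWORD_BCRYPT;
$modernHash = password_hash('correct horse', $algo);
$legacyHash = '$P$CONSTRUCTED.PLACEHOLDER';
$legacyVerify = function ($pass, $hash) use ($legacyHash) {
    // Stand-in for the old verifier: accepts exactly one constructed pair.
    return hash_equals($legacyHash, $hash) && hash_equals('old secret', $pass);
};

$verify = make_password_verifier($legacyVerify);
$cases = [
    'modern hash, right password' => $verify('correct horse', $modernHash),
    'modern hash, wrong password' => $verify('wrong', $modernHash),
    'legacy hash, right password' => $verify('old secret', $legacyHash, 42),
    'empty stored hash'           => $verify('anything', ''),
];
foreach ($cases as $label => $result) {
    printf("%-28s %s\n", $label, var_export($result, true));
}
```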