By: Monika Leung user 17 Mar 2021 at 8:31 a.m. CDT

8 Responses
Hi, I have installed the [basic multi authentication script](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/basic.multi_auth_conf) and encountered an issue with the password decryption used in that script. According to the installation guide, the password can be encoded with the encode.py script located at /opt/gluu/bin/. I used it to encode the password and have set it to the config json file. When I activate the script, I can see the following error in oxauth_script.log:

```
2021-03-17 13:21:17,160 INFO [oxAuthScheduler_Worker-3] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - Basic (multi auth conf). Initialization
2021-03-17 13:21:17,239 ERROR [oxAuthScheduler_Worker-3] [org.gluu.service.custom.script.CustomScriptManager] (CustomScriptManager.java:438) - Failed to initialize custom script: 'org.gluu.persist.exception.operation.ConfigurationException: Failed to create LDAP connection pool! Result code: '49 (invalid credentials)''
2021-03-17 13:21:17,239 DEBUG [oxAuthScheduler_Worker-3] [org.gluu.service.custom.script.CustomScriptManager] (CustomScriptManager.java:393) - Using default external type class
2021-03-17 13:21:17,252 DEBUG [oxAuthScheduler_Worker-3] [org.gluu.service.custom.script.CustomScriptManager] (CustomScriptManager.java:450) - Executing python 'destroy' custom script method
```

If I change the script to use clear text for the password, the script initialises successfully. What is the correct method to encode the password so it can work with the decryption in the basic multi authentication script?

By Mobarak Hosen Shakil staff 20 Mar 2021 at 12:26 p.m. CDT

Hi,

Use the commands below to encrypt/decrypt a password using `encode.py`. First of all, log in to the Gluu chroot, then:

To encode:

```
/opt/gluu/bin/encode.py "Password"
```

To decode:

```
/opt/gluu/bin/encode.py -D "2viKqd8JwCnJFQjsRnhaag=="
```

Regards
~ Shakil

By Monika Leung user 22 Mar 2021 at 8:06 a.m. CDT

Thanks for the response! I did use the mentioned script to encode the password. As a test I executed your example but received a different encoding:

```
# /opt/gluu/bin/encode.py "Password"
FFDK5QDlrruY3c6obHkRAQ==
```

If I run your decode example, the script returns an empty line:

```
# /opt/gluu/bin/encode.py -D "2viKqd8JwCnJFQjsRnhaag=="
```

Any ideas? In case it helps, I'll put the content of `/opt/gluu/bin/encode.py`

```
#!/usr/bin/python3

import sys
import base64
from pyDes import *

saltFn = "/etc/gluu/conf/salt"
f = open(saltFn)
salt_property = f.read()
f.close()
key = salt_property.split("=")[1].strip()


def obscure(data=""):
    engine = triple_des(key, ECB, pad=None, padmode=PAD_PKCS5)
    data = data.encode('utf-8')
    en_data = engine.encrypt(data)
    return base64.b64encode(en_data).decode('utf-8')


def unobscure(s=""):
    engine = triple_des(key, ECB, pad=None, padmode=PAD_PKCS5)
    cipher = triple_des(key)
    decrypted = cipher.decrypt(base64.b64decode(s), padmode=PAD_PKCS5)
    return decrypted.decode('utf-8')


def Usage():
    print("To encode: encode <string>")
    print("To decode: encode -D <string>")
    print()
    sys.exit(0)


arg = ""
decode = False
if len(sys.argv) == 1:
    Usage()
if len(sys.argv) == 3:
    decode = True
    arg = sys.argv[2]
if len(sys.argv) == 2:
    arg = sys.argv[1]

if decode:
    print(unobscure(arg))
else:
    print(obscure(arg))
```

By Mobarak Hosen Shakil staff 22 Mar 2021 at 10:20 a.m. CDT

Hi,

As far as I know, there is a salt (key) in `/etc/gluu/conf/salt` which varies from server to server. So, you should not get the same encoded text as I got. To decode your encoded text:

```
/opt/gluu/bin/encode.py -D "FFDK5QDlrruY3c6obHkRAQ=="
```

It should return "Password".

Well, the `encode.py` file seems identically okay. Can you please make sure the `salt` is available in `/etc/gluu/conf`? Please run the command below to ensure that:

```
cat /etc/gluu/conf/salt
```

You must get a secret key.

Thanks & Regards
~ Shakil

By Monika Leung user 25 Mar 2021 at 6:51 a.m. CDT

Thanks for the explanation. I get "Password" when I decode it with the script. I ran the command and received an output starting with `encodeSalt = `. I have double-checked by encoding and decoding the password and made sure I copied the encoded password correctly into the configuration file. Sadly I am still facing the issue that during script initialisation I receive an "invalid credentials" error when I use the encoded password. Are there any other things I could check?

By Mobarak Hosen Shakil staff 25 Mar 2021 at 9:49 a.m. CDT

That means `encode.py` is working fine. Can you please share the JSON file which is used for basic authentication? Regards ~ Shakil

By Monika Leung user 25 Mar 2021 at 9:58 a.m. CDT

Here is the JSON file, I replaced some information with "xxx":

```
{
  "ldap_configuration": [
    {
      "configId":"eantc_ad",
      "servers":["xxx.xxx.xxx:389"],
      "bindDN":"cn=gluu,ou=Services,ou=Accounts,dc=xxx,dc=xxx,dc=xxx",
      "bindPassword":"<encoded password>",
      "useSSL":false,
      "maxConnections":3,
      "baseDNs":["ou=Users,ou=Accounts,dc=xxx,dc=xxx,dc=xxx"],
      "loginAttributes":["sAMAccountName"],
      "localLoginAttributes":["uid"]
    }
  ]
}
```
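
A pre-flight check for a configuration like the one above, added here as an example (it is not part of the original post and not Gluu's code): it verifies that the salt yields a key length pyDes accepts for triple DES and that each `bindPassword` has the shape of `encode.py` output, so a shape problem in the config can be ruled out before looking at the script itself. The function names and the sample salt and configuration are constructed for illustration; it checks shape only and does not decrypt anything.

```python
import base64
import binascii
import json

# Constructed sample inputs (not real secrets). The salt format
# "encodeSalt = <key>" and the JSON field names are those shown in the thread.
SAMPLE_SALT = "encodeSalt = 0123456789abcdefghijklmn\n"
SAMPLE_CONFIG = """{"ldap_configuration": [
 {"configId": "encoded", "bindPassword": "FFDK5QDlrruY3c6obHkRAQ==", "useSSL": true},
 {"configId": "clear", "bindPassword": "Password", "useSSL": true},
 {"configId": "plain_ldap", "bindPassword": "FFDK5QDlrruY3c6obHkRAQ==", "useSSL": false}
]}"""


def salt_key(salt_text):
    """Extract the key exactly as encode.py does (text after the first '=')."""
    return salt_text.split("=")[1].strip()


def check_bind_passwords(config_text, salt_text):
    """Return (configId, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    key = salt_key(salt_text)
    if len(key) not in (16, 24):  # pyDes triple_des accepts only 16- or 24-byte keys
        findings.append(("salt", "key length %d is not 16 or 24" % len(key)))
    for entry in json.loads(config_text)["ldap_configuration"]:
        cid = entry.get("configId", "?")
        if not entry.get("useSSL", False):
            findings.append((cid, "useSSL is false: the LDAP bind is not TLS-protected"))
        try:
            raw = base64.b64decode(entry.get("bindPassword", ""), validate=True)
        except (binascii.Error, ValueError):
            findings.append((cid, "bindPassword is not base64 (clear text?)"))
            continue
        # 3DES uses 8-byte blocks and PKCS5 always adds padding, so encode.py
        # output decodes to a non-zero multiple of 8 bytes.
        if len(raw) == 0 or len(raw) % 8 != 0:
            findings.append((cid, "bindPassword is not whole 3DES blocks"))
    return findings


if __name__ == "__main__":
    for config_id, finding in check_bind_passwords(SAMPLE_CONFIG, SAMPLE_SALT):
        print(config_id + ": " + finding)
```

A value that passes these checks can still be confirmed only by decoding it with `encode.py -D` on the same server, since the key comes from that server's salt file.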

By Mobarak Hosen Shakil staff 29 Mar 2021 at 8:55 a.m. CDT

Thank you Monika Leung for sharing the JSON file.

An update for you: I have tested `basic multi authentication` and replicated the same issue. I had a conversation with our Dev Team. If I get any further updates, I will share them with you.

Thanks & Regards
~ Shakil

By Mobarak Hosen Shakil staff 08 Apr 2021 at 10:23 a.m. CDT

Hi Monika Leung,

An issue has been created: https://github.com/GluuFederation/oxAuth/issues/1531

Hope it will be fixed soon in the next release.

Thanks and Regards,
~ Shakil