I try to upgrade drupal 6 installation to drupal 7.x on mysql 5.1.49 and php 5.3.3-3 on Debian Lenny. Everything works fine except one. update.php script changes the settings.php file and place $drupal_password_salt there. I have for example:
$drupal_password_salt = 'oEbTwrnPGqQzoLPoNJK_PuhaknDFAuyOVULUKzKHebU';
Users have password hashes starting with "U$S$", which means they must be updated to drupal 7 format on first login. Example password hash:
U$S$9U5ugggFwojvcRi.JpYAgVxc1E5DFmUpsgX1VWjS7CiQE7gfFHcm
After first login, passwords change to the correct "$S$" format. For password above I have in database:
$S$CH/.qVXkYzE6vWu52.uZUfcfbdf.vxyAdJztrGd8TZISaSUtBcIX
...and I can't login again. I wrote a script which uses modified user_check_password() function and write on stdout correct hash for my password. It is:
$S$CH/.qVXkYGlvdZM2ho35FnZ.BjhX7G.87CJTzOG8X5CaMmK/9Mpa

What can be wrong?

Comments

naheemsays’s picture

subscribe - I am investigating this on a test upgrade too, but thought it may have been a different module responsible.

EDIT - I dont have any drupal password salt in settings.php and the hash salt is set to '' (so empty string). I am also using the logintoboggan module.

wikp’s picture

Title: Rehashed passwords after Drupal 6 upgrade fail » after upgrade from drupal 6.x I can login only once
Category: bug » support
Priority: Critical » Major
Issue tags: -D7 upgrade path

I had these 3rd party modules installed:
taxonomy_menu, adminblock, modr8, taxonomy_router, notifications, taxonomy_treemenu, blog_addons, openx, captcha, taxonomyblocks, token, pathauto, plus1, userpoints, google_analytics, invite, rules, views, ip_anon, jquerymenu, memcache, votingapi (1), messaging, tagadelic, workflow, xmlsitemap

All of them, except "votingapi", I've uninstalled before upgrade.

$drupal_hash_salt was added in d6->d7 upgrade process.

wikp’s picture

Category: support » bug
StatusFileSize
new1.64 KB

Update:
I've tested it three times on clean drupal 6.20 install (without content, third party modules, etc) on two linux hostings and I've got same results.

Steps to reproduce:
1. Install drupal 6.20
2. remove all files from www directory except sites folder
3. copy drupal 7-rc3 files to www directory (overwrite sites/README.txt and sites/default/default.settings.php)
4. Run update.php script
5. Go to front page
6. If you're logged in - logout
7. Login (success) - in this step password hash is changed in database
8. Logout
9. Login (fails)

Examples of hashes, etc:

drupal_hash_salt = XT9zxHAbF3leDXuG11tlRC_6nLoi-nTSH_jZxQNKqL0  (from settings.php; salt is created after access update.php)
password_hash_after_upgrade = U$S$9SNMppTgyxNnR3e2jdN2vfosDT/qDgLV7p5GNWRlO4yOfLmGl/yn
password_hash_after_first_login = $S$C8/FTF/6SFH63XaUOb.2NXx38Pbb2iAYhBI10A218WDQNnL0dQyf
password_hash_that_works = $S$C8/FTF/6SQaw4Bq4A8roVUSI0eFCQH1N/P9qUD1704KwS9c1x2zj (works after manually update in database: update users set pass = '...' where name='admin';

I've attached script that help me to find correct hash (used with drush scr).

I've checked how it works in API docs and find that user_authenticate() function use user_hash_password() function to get hash of plain-text password after upgrade on first login. user_hash_password() as $setting variable for _password_crypt() use random string generated by _password_generate_salt(). But user_check_password() as $setting use substr($account->pass, 1), and as $password - md5($password). But I'm not sure if this is the solution.

I've tested in on RC and -dev.

catch’s picture

Title: after upgrade from drupal 6.x I can login only once » After upgrade from drupal 6.x I can login only once
Priority: Major » Critical

Bumping this to critical, this could be irrepairable on upgraded 6 sites (apart from a password reset).

catch’s picture

Issue tags: +D7 upgrade path

Reproduced.

1. Install D6 site.
2. Upgrade it to D7.
3. Log in.
5. Log out.
6. Log in again - fails with unrecognised password.

catch’s picture

Title: After upgrade from drupal 6.x I can login only once » Rehashed passwords after Drupal 6 upgrade fail
wikp’s picture

Title: after upgrade from drupal 6.x I can login only once » Rehashed passwords after Drupal 6 upgrade fail
Category: support » bug
Priority: Major » Critical
Issue tags: +D7 upgrade path

I temporarily made two changes in local copy of user.module (after upgrade) and it works. I'm almost sure that these changes will break something in a different place (registration?), so I don't attach a diff. But I think this may be helpful for module maintainer.

These changes are:
user.module#2186, function user_authenticate(), add line:

if ($new_hash) {
  $new_hash = _password_crypt('sha512', $password, $new_hash); /* change here */
  user_save($account, array('pass' => $new_hash));
}

user.module#412, function user_save(), comment line:

require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
//$edit['pass'] = user_hash_password(trim($edit['pass'])); /* change here */
// Abort if the hashing failed and returned FALSE
carlos8f’s picture

Status: Active » Needs review
StatusFileSize
new944 bytes

Here's a test to reproduce the issue, CNR for bot.

carlos8f’s picture

StatusFileSize
new1.65 KB

I definitely introduced this regression in #991270: password_count_log2 var out of bounds is a sorry mess.

Formerly we used a direct query to update the 'pass' field, which was chucked in favor of user_save(). But I neglected that user_save() expects 'pass' to be a plaintext password, and it hashes it internally. There was no test coverage to catch it at the time, unfortunately.

chx’s picture

Status: Needs review » Reviewed & tested by the community

This is unfortunate indeed. Some user passwords might be double encoded -- the only thing they can do is to ask for a reset. Unfortunate...but does not affect all users only those who logged in since RC3 was released and deployed on a D6 upgraded site. I suspect that's not a huge number.

wikp’s picture

carlos8f’s picture

#8 rightfully fails, which illustrates the bug. #9 includes that test and the appropriate fix. Let's get this in ASAP.

webchick’s picture

Status: Reviewed & tested by the community » Fixed

Crap. :\ Is it worth rolling another RC for this?

Committed to HEAD. Thanks!

carlos8f’s picture

Since RC3 we've also had #1005004: Editing a comment destroys its creation date, but this is the bigger of the two, definitely. Maybe one more RC would be good so we can say we had at least one RC without criticals :)

catch’s picture

I think this is worth another RC. Nice work tracking it down and fixing so quickly carlos8f.

Status: Fixed » Closed (fixed)
Issue tags: -D7 upgrade path

Automatically closed -- issue fixed for 2 weeks with no activity.