
A newbie stuck with a firstboot script problem building a new appliance

Hi. My first post, and I'm not sure if I should even ask here or go searching in Python forums :)

I am most of the way through building an appliance for SLIMS8 [Google Senayan SLIMS, or search for SLIMS on Github], having successfully drawn upon scripts from LAMP, Moodle, and Xoops appliances.

SLIMS8 stores its internal user passwords using bcrypt ( so far as I can ascertain from the SLIMS code e.g

passwd = '".password_hash($retype_password, PASSWORD_BCRYPT)."',

in several php files in the application. )

I used a modified XOOPS script - xoops.py to successfully do a first boot request for the SLIMS application 'admin' password and email, and write the input to the database, thus:

    import hashlib
    from mysqlconf import MySQL   # TurnKey inithook helper module

    # legacy md5 hex digest, the line this thread is about replacing with bcrypt
    hash = hashlib.md5(password).hexdigest()

    m = MySQL()
    m.execute('UPDATE senayandb.user SET passwd=\"%s\" WHERE username=\"admin\";' % hash)
    m.execute('UPDATE senayandb.user SET email=\"%s\" WHERE username=\"admin\";' % email)

In fact this allows me to login to the application as admin, through a piece of luck!!

Earlier versions of SLIMS used md5 for password hashing, so for upgrade purposes the developers have included code which triggers an "Enter new password" when a user first logs in using an md5 password, and forces re-entry of any password with the improved bcrypt hashing :)

Obviously this is not the best solution for end users of the appliance. So how do I proceed to get rid of md5 in the above code and replace it with bcrypt? My Python knowledge is extremely limited.

More questions about the final build of the appliance will follow, but this is my last real hurdle before taking it out of TKLDEV and into Github.

It's been a learning curve, but I have my head around most of TKLDEV now. I have my eye on a couple more library appliances once this one is done.

Jeremy Davis:

First of all, welcome to TurnKey and congrats on your virgin post! :) And what a great first post too! TBH, it's not that often that a first post from a user is asking about a potential contribution!

With regard to using bcrypt, there is a python module (called bcrypt!) which will do what you want. Make sure that you add it to the plan; the full/proper package name is 'python-bcrypt'. Then obviously import it first, then use it as per the Concrete5 appliance. I.e. something like this:

[...]

import bcrypt

[...]

    salt = bcrypt.gensalt()
    hashpass = bcrypt.hashpw(password, salt)

[...]

I hope that heads you in the right direction. FWIW there are quite a few other apps which also use python-bcrypt in the inithook, although as they use almost identical code, I won't list them exhaustively. There are 2 minor variations though that I might highlight.

SilverStripe and GitLab both include '10' within the 'gensalt'; i.e. bcrypt.gensalt(10). From a brief read, it seems that the number there is how many rounds of "logarithmic work" is done to generate the salt. Apparently it defaults to 12, so I'd leave it empty unless you have a need to change it.

Ghost and Mumble both condense the above 2 lines into a single line:

[...]

import bcrypt

[...]

    hashpw = bcrypt.hashpw(password, bcrypt.gensalt())

[...]
It doesn't really matter which way you go, although personally I'd be inclined to stick to the 2 lines as it's marginally easier reading. But I'm not attached, so it's your call on that.

Good luck and please keep me posted on how you go.

The Concrete5 appliance was a great hint! It's all working fairly well now - just a bit of testing and tidying to do before I go more public :)

Thanks, and I'll let you know when I put it up on Github


Jeremy Davis:

Fantastic, I look forward to it! :)

I've done the Candidate page for SLIMS, and the Whiteboard page [with link to beta iso]. Still a couple of things to do before putting the build on my Github account.


Jeremy Davis:

Please also open an issue on the tracker, when you're ready (even if it's not ready yet).

You can post links to the whiteboard page there (as the first post on the issue) and then update that (i.e. the top post) with your repo once you push to GitHub. You won't be able to tag it yourself, but I'll take care of that as soon as I see it.

When you're ready for me to have a look, please just comment on the issue. Probably best to do a new comment when you're ready (unless you're ready when you first post).

Just so you're pre-warned, I'm not sure when we'll be able to add your appliance to the library. Unfortunately we're at an awkward point in the release cycle at the moment. We've just finished the v14.2 release (I'm still doing the last final tidy up, but otherwise it's done). We're not keen to add any new appliances to this release now.

Whilst I have started work on moving the infrastructure to Debian Stretch (for v15.0), it's far from ready to work on, and I'm blocking further progress while I try to finally shut the door on v14.2.

As soon as I am finally done with v14.2, hopefully the v15.0 pace will pick up a bit.

Absolutely no problem about delays in adding to the official library. I still have plenty of learning and tweaking to do anyhow.

Whiteboard here: https://github.com/turnkeylinux/tracker/wiki/SLIMS

Jeremy Davis:

WRT the PECL install, if it's just a simple carriage return that's required, then something like this may do the trick:

    echo | <command-that-expects-you-to-hit-enter-goes-here...>

You can echo any text you like, but obviously it will only be a line at most.

When you need more complex input, you can write "answers" text which can be fed into the command. This is often called a "here document" (I don't know why?) E.g., feeding a carriage return, a 'y' and the bash path into a "command":

command <<EOF
 
y
/bin/bash
EOF

Note the '<<EOF' at the end of the command line, and again at the very end of the statement. Everything between those pointers will be literally passed to "command", so you won't want any leading space (the "command" line can still be indented, but not from then on until after the second 'EOF'). Any special characters which you don't want interpreted (e.g. if you want to include a '$') need to be escaped (e.g. '\$').

Hope that helps... :)

    echo | pecl install yaz

was exactly what was needed.

Thanks
