Mailing List Archive

Upgrading 3.8.4 to 4.0.1 - Root password??
I'm working on upgrading our existing installation of RT 3.8.4 to RT 4.0.1, and I've encountered a bit of a strange problem. I can manually change root's password (in RT) to something that I know (such as "password") via a MySQL statement:

-MySQL Code-
UPDATE Users SET Password=md5('password') WHERE Name='root';
-/MySQL Code-

… and then logging in with the set password I choose works. However, if I log out and back in, I can no longer log in again with that same password and must reset it again to gain admin access again. Furthermore, if I set the password in the GUI to something else, it doesn't appear to have an effect either, though this may be caused by the same thing.

What's really weird though, is if I watch the root password entry in the database, the hash changes when I log in. So, say I log in with "password" … it changes to what appears to be a salted SHA hash instead.

Testing this further, I decided to start the DB over from scratch. I ran the upgrade processes, including the vulnerable-passwords script to upgrade the hashes, and that worked with the old password (it even flagged root as an account to update), but once again, after that first log in, I can no longer log back in.

What's the deal? Did I just miss something? What do I need to do to get this working? If I can provide any other useful information, please let me know. This is running on an Ubuntu server (11.10) with the package-managed version of RT, which with Ubuntu is 4.0.1. The database is the only thing I ported over, as there were only a couple of small changes I made to the HTML code, I figured the pages would be different enough that I'd need to just re-do them anyway.

Thanks,
Johnathan

--
Johnathan Bell
Internet System Administrator, Baker College
Office Hours: 7A-4P Eastern, M-F
Re: Upgrading 3.8.4 to 4.0.1 - Root password??
On 04/12/2012 11:20 AM, johnathan.bell@baker.edu wrote:
> … and then logging in with the set password I choose works. However,
> if I log out and back in, I can no longer log in again with that same
> password and must reset it again to gain admin access again.
[snip]
> What's the deal? Did I just miss something? What do I need to do to
> get this working?

This is an indication that you didn't run the database upgrade steps
between 3.8.4 and 4.0.1. Please read the README, UPGRADING-3.8, and
UPGRADING-4.0 docs.
Re: Upgrading 3.8.4 to 4.0.1 - Root password??
Please keep replies on the list.

On 04/12/2012 12:19 PM, johnathan.bell@baker.edu wrote:
> Thanks. I'm glad to know that it's something much simpler than I
> expected. I did read those, but they only mentioned the "standard
> database upgrade process" as far as I could see. Further research says
> that's probably going to be "rt-setup-database --action upgrade" or
> something similar… yes?

Yes. The README refers to `make upgrade-database`. You're running
Ubuntu packages, so the instructions we write aren't exactly the same as
what you'll need to do (they apply to the tarball we ship).

The Ubuntu packages don't run the database upgrades for you; they just
install the new source.

> What about the other parts like secure-passwords, etc… the other random
> "little" scripts in etc/upgrade? Should those be run before or after the
> rt-setup-database cmd?

Most are run after. The docs (docs/UPGRADING*) mention what needs to be
run during the middle of the upgrade.
Re: Upgrading 3.8.4 to 4.0.1 - Root password??
We have a fresh installation of RT 4.0.5 with imported data from a former
version.
I can log in as root, but there are two issues:

1) When I log off and I want to log on again, the root password is changed
to something! Then I have to reset it.
I followed the instruction at:
" UPGRADING FROM 3.8.8 and earlier - Changes:
Previous versions of RT used a password hashing scheme which was too
easy to reverse, which could allow attackers with read access to the RT
database to possibly compromise users' passwords. Even if RT does no
password authentication itself, it may still store these weak password
hashes -- using ExternalAuth does not guarantee that you are not
vulnerable! To upgrade stored passwords to a stronger hash,
run: perl etc/upgrade/vulnerable-passwords "

I did that, but it didn't solve the issue.
Can you give me a hint?

2) Our system, which is freshly installed:

Ubuntu 10.04.4 LTS

Apache Version Apache/2.2.14 (Ubuntu)
Apache API Version 20051115

PHP Version 5.3.2-1ubuntu4.14
mysql, Client API version 5.1.61
RT 4.0.5

Data of the former version were imported in a mysql-database (that
worked).

When I try to create a new request, I get the error message:
"Anfrage konnte aufgrund eines internen Fehlers nicht angelegt werden"
(query couldn't be created because of an internal error).
The corresponding entry in the access-log is:
ip.ip.ip.ip - - [18/Apr/2012:08:21:14 +0200] "POST /index.html HTTP/1.1"
200 3736
What's the problem of the system?

Kind regards

George




--
View this message in context: http://old.nabble.com/Upgrading-3.8.4-to-4.0.1---Root-password---tp33676179p33713298.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
Re: Upgrading 3.8.4 to 4.0.1 - Root password??
On Thu, Apr 19, 2012 at 06:15:56AM -0700, George_Holl wrote:
>
> We have a fresh installation of RT 4.0.5 with imported data from a former
> version.
> I can log in as root, but there are two issues:
>
> 1) When I log off and I want to log on again, the root password is changed
> to something! Then I have to reset it.
> I followed the instruction at:

This normally means you never ran make upgrade-database
and your schema is out of sync with 4.0.

Post the output of desc Users; if you'd like confirmation of that.

-kevin
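
A model of the failure discussed in this thread, as an added example that is not RT's code or anything posted to the list: a login that replaces an unsalted MD5 value with a longer salted hash, written into a Password column too narrow to hold it. The `!sha512!` layout, the column widths 40 and 256 used in the test, and the silent truncation on write are assumptions made for the example.

```python
import base64, hashlib, hmac, os, re

LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")   # what md5('password') in SQL stores

def b64(raw):
    return base64.b64encode(raw).decode()

def salted_sha512(password, salt=None):
    # Assumed layout for this example: !sha512!<base64 salt>!<base64 digest>
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha512(salt + password.encode()).digest()
    return "!sha512!%s!%s" % (b64(salt), b64(digest))

FULL_LEN = len(salted_sha512("x"))            # length of an intact salted value

def verify(stored, password):
    if LEGACY_MD5.match(stored):
        legacy = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(stored, legacy)
    parts = stored.split("!")
    if len(parts) != 4 or parts[1] != "sha512":
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(stored, salted_sha512(password, salt))

def login(db, name, password, column_width):
    # On success, a legacy hash is replaced by a salted one (the change the
    # first poster saw). The write is cut to column_width, as a non-strict
    # MySQL VARCHAR would do (assumption).
    stored = db[name]
    if not verify(stored, password):
        return False
    if LEGACY_MD5.match(stored):
        db[name] = salted_sha512(password)[:column_width]
    return True

def audit(db):
    # Report rows still on unsalted MD5 and salted rows that were cut short.
    findings = {}
    for name, stored in db.items():
        if LEGACY_MD5.match(stored):
            findings[name] = "unsalted md5"
        elif stored.startswith("!sha512!") and len(stored) < FULL_LEN:
            findings[name] = "truncated salted hash"
    return findings
```

With the narrow column the first login succeeds and every later one fails until the value is reset, which matches the symptom both posters describe; with the wide column the upgraded hash keeps verifying.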
