Inspiring
November 13, 2012
Answered

Using the adminAPI

  • 1 reply
  • 2165 views

I'm new to this, but I wanted to use the CF adminAPI, so I wrote:

<cfset adminObj = new 'cfide.adminapi.administrator'()>

<cfset result = adminObj.login(
    adminUserID = 'admin',
    adminPassword = 'HASHED_ADMIN_PASSWORD',
    isHashed = true
)>

<cfdump var="#result#" abort="1">

And it reports back: false

I don't want to supply the unhashed value in the code itself, and I used the BIF hash() to hash the actual password (which is supplied in the above as 'HASHED_ADMIN_PASSWORD'). Can anyone help point out to me what I'm doing wrong?

    Correct answer: Aegis_Kleais (the update reply below)


    Inspiring
    November 13, 2012

    Have you read the docs for Using the Administrator API? That describes how you use it.

    I'm not completely familiar with it, but I see no reference to passing a hashed pwd (although that'd be a good idea if it was supported); it all seems to demonstrate using a clear-text password. I can find no indication that using a hashed password would work (via Google). What makes you think that you can? Did you read something somewhere?

    --
    Adam

    Inspiring
    November 13, 2012

    I used introspection on the administrator.cfc and it showed an isHashed attribute for the login() method.

    I assumed, since it didn't allow me to specify the algo, I had to use a basic MD5 Hash() on it, and that's what I specified (though I prefer SHA-256). Whatever solution I employ, I'd feel safer if I didn't pass the password in an unencrypted manner.

    Here is the text it shows:

    remote boolean login ( required adminPassword, adminUserId="[runtime expression]", rdsPasswordAllowed="false", isHashed="false" )

    Authenticate the user for the length of the request. Required before accessing other methods of the Administrator API. Returns true if login successful.

    Output: suppressed

    Parameters:

       adminPassword: any, required, adminPassword - ColdFusion Administrator password.
       adminUserId: any, optional, adminUserId - ColdFusion Administrator User Id
       rdsPasswordAllowed: any, optional, rdsPasswordAllowed - Allow the user to login and access the adminapi with the RDS password.
       isHashed: any, optional, isHashed - Set it to true if the password sent is already hashed once.

    Inspiring
    November 13, 2012

    *** UPDATE ***

    With some help from a co-worker, it seems the hash that CF expects is for algorithm SHA1. (Not even sure you can custom specify a different algo)

    We did a dump of:

    hash( 'admin_password_here', 'SHA1' )

    and then used that value in the login() call, and it returned TRUE.

    I'm going to look into seeing if there's a way to change CF 10's default algo to SHA256.


    Well done: you got there faster than I did (I'd only just coerced the thing to let me log in at all...).

    It might be good if you tag your questions with the CF version you're using, because I was giving you CF9 advice, when you're clearly on CF10 (as this isHashed thing is new to CF10). It wouldn't have expedited me giving you any help in this instance, but it would have saved me some time.

    I had a look around to see if I could see a way of telling CF to use a different algorithm, but drew a blank. That said, it's just the CFAdmin API... SHA-1 should be fine. Bear in mind you can set up different users for different functionality, so you can have a different login for just the API, so if the password hash does get a) compromised; b) cracked, the exposure is minimal.

    If this is in code that faces outwards (i.e. to the public) I would make sure the user you're using has the absolute minimum permissions to the API that are necessary to do its job. E.g.: if you only need to read mail config settings, limit the user to only have access to those. That's probably more useful than worrying about which hashing algorithm is used on the password.

    --
    Adam
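Putting the thread's two findings together, here is an added example (not code from the original posts or from Adobe) of logging in to the CF10 Administrator API with a pre-hashed password kept out of the source, using a dedicated low-privilege API user as Adam suggests. It assumes the SHA-1 digest was generated once with hash(pw, "SHA1") and stored in an environment variable named CF_ADMINAPI_PW_SHA1, and that "apiReadOnly" is a hypothetical Administrator user granted only the API pages it needs.

```cfml
<cfscript>
// Added example, not from the original thread.
// login() with isHashed=true compares against hash(password, "SHA1"), a 40-char hex
// digest. The default hash() algorithm is MD5 (32 hex chars), which is why the
// original post got "false" back: the value was a hash, just not the expected one.
function adminApiLogin(required string userId, required string sha1Hex) {
    var adminObj = "";

    // Reject anything that cannot be a SHA-1 digest before touching the API, so a
    // mis-generated (MD5, SHA-256, clear-text) value fails loudly instead of silently.
    if (!reFind("^[0-9a-fA-F]{40}$", arguments.sha1Hex)) {
        throw(type="AdminApiLogin",
              message="Expected a 40-character SHA-1 hex digest, got "
                      & len(arguments.sha1Hex) & " characters");
    }

    adminObj = createObject("component", "cfide.adminapi.administrator");
    return adminObj.login(
        adminUserId   = arguments.userId,
        adminPassword = arguments.sha1Hex,
        isHashed      = true
    );
}

// Hypothetical environment variable: the digest never appears in .cfm/.cfc files.
hashedPw = createObject("java", "java.lang.System").getenv("CF_ADMINAPI_PW_SHA1");
if (isNull(hashedPw)) {
    throw(type="AdminApiLogin", message="CF_ADMINAPI_PW_SHA1 is not set");
}

// "apiReadOnly" is a hypothetical dedicated Administrator user with minimal API rights,
// so a leaked or cracked digest exposes only what that user can reach.
loggedIn = adminApiLogin("apiReadOnly", hashedPw);
writeOutput("Admin API login: " & loggedIn);
</cfscript>
```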