Salted passwords on installation
#1
TL;DR: On installation (any version) the initial login password ignores the password salt set in gsconfig.php. If password salting is required, several additional steps are required.

It is useful to configure/customise the gsconfig.php file locally, before transferring the GS file set to the hosting server ready for installation, especially if editing access is not available on the hosting site, either by shell access or through a control panel.

At present, the installer ignores the password salt setting in gsconfig.php when generating the initial, temporary login password. If a password salt is set, it means that the temporary password will not work without first disabling password salting.

Having disabled password salting and logged in, it is then possible to follow the wiki instructions to enable password salting again.

Would it be possible for the installer to honour the password salt setting, please?
--
Nick.
#2
It should use GSLOGINSALT just the same; it uses the same passhash function that password resetting and profile saving does.

Are you sure about this?

I just tested, works fine for me.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
#3
(2014-10-31, 23:30:39) shawn_a wrote: Are you sure about this?

Yup. I just tried again. I have to disable password salt to log in with the temp. password.

I have tried sending a tarball to the server and untarring into the directory from a shell, also ftping the files individually, in case there's some weird ownership thing going on – both the same result.

Health check is all green; site works as expected once I'm in. Let me know if you want any more information. (Your ftp account is still active here if you want to try it yourself.)

I'm on Linux 3.10.33, Apache 2.2.22, PHP 5.5.14 (all custom builds by the host) on OVH shared hosting. Are you testing on a Windows server?
--
Nick.
#4
Yes, it shouldn't matter
(testing with hotfixes branch, barely differs from stable), no plugins

I copy a fresh install.
rename temp.gsconfig.php to gsconfig.php
uncomment GSLOGINSALT
go to admin/
run setup etc.

copy password
click login
logout
paste password, and I'm in.
I even checked the user.xml file and the password does not equal sha1(password).
- Shawn A aka Tablatronix
#5
Are you not deleting the temp config file?
It is probably overwriting your file every time.

Never mind, I was reading the code wrong; gsconfig does not overwrite if it already exists.
So it's some other issue.
- Shawn A aka Tablatronix
#6
Sorry, I should be more precise. This is a bare, clean install into an empty root, so I'm customising temp.gsconfig.php before uploading. All the parameter changes are preserved in gsconfig.php, post-install.

(2014-11-01, 00:25:58) shawn_a wrote: rename temp.gsconfig.php to gsconfig.php
uncomment GSLOGINSALT
go to admin/
run setup etc.

What happens if you set a password salt in temp.gsconfig.php and then install to an empty root? There is no problem upgrading an existing installation as all the user account generating stuff is skipped.

Edit to add:
The timestamp on gsconfig.php is later than the timestamp on /data/users/<user>.xml, if that helps. I'll wager GSLOGINSALT remains undefined during initial account setup.
--
Nick.
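
Added example, not part of the thread and not GetSimple's own code: a PHP check for whether the hash written at setup was made with or without the salt that login now applies. It assumes the scheme is sha1(password) with no salt and sha1(password . sha1(salt)) with one; the function names and sample values are constructed for illustration.

```php
<?php
// Added diagnostic sketch, not GetSimple code. Assumption: the stored hash is
// sha1(password) without a salt and sha1(password . sha1(salt)) with one.

function candidate_hash(string $password, ?string $salt): string
{
    // An empty or missing salt means the unsalted form.
    $suffix = ($salt !== null && $salt !== '') ? sha1($salt) : '';
    return sha1($password . $suffix);
}

// Returns 'salted', 'unsalted' or 'no-match' for a hash read from the user file.
function classify_stored_hash(string $stored, string $password, string $salt): string
{
    $stored = strtolower(trim($stored));
    if ($salt !== '' && hash_equals(candidate_hash($password, $salt), $stored)) {
        return 'salted';
    }
    if (hash_equals(candidate_hash($password, null), $stored)) {
        return 'unsalted';
    }
    return 'no-match';
}

// Constructed sample values; substitute the temporary password, the salt from
// gsconfig.php and the hash stored in /data/users/<user>.xml.
$tempPassword = 'constructed-temp-pass';
$configSalt   = 'constructed-salt-value';

// Simulate the two setup outcomes discussed in the thread.
$cases = [
    'salt undefined at setup' => candidate_hash($tempPassword, null),
    'salt defined at setup'   => candidate_hash($tempPassword, $configSalt),
];

foreach ($cases as $label => $stored) {
    $kind = classify_stored_hash($stored, $tempPassword, $configSalt);
    // Login hashes with the salt now present in gsconfig.php, so only a
    // hash that was written with that salt verifies.
    $loginOk = hash_equals($stored, candidate_hash($tempPassword, $configSalt));
    printf("%-24s kind=%-8s login=%s\n", $label, $kind, $loginOk ? 'ok' : 'fails');
}
```

An 'unsalted' result for the real stored hash matches the symptom in post #1: the temporary password only works once the salt is disabled.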
#7
It doesn't work like that.
If you want to use a gsconfig, you have to put a gsconfig.
- Shawn A aka Tablatronix
#8
(2014-11-01, 04:28:31) shawn_a wrote: if you want to use a gsconfig you have to put a gsconfig

O I C. Sorry for my confusion – all clear now.

Mark this as WONTFIX. ;-)
--
Nick.
#9
This should work just fine if you do it the way you are supposed to.
Add a gsconfig.php before installing.

temp.gsconfig is ours, not yours.
- Shawn A aka Tablatronix
#10
(2014-12-09, 05:32:53) shawn_a wrote: This should work just fine if you do it the way you are supposed to.
Add a gsconfig.php before installing

temp.gsconfig is ours not yours

Sorry. You're right about that.
It's not the right way of doing it.

I've deleted my posting so others won't make this mistake also.
#11
Maybe it can be added to the wiki or something.
- Shawn A aka Tablatronix



