File based authentication fails if bcrypt passwords are prefixed with '$2b' instead of '$2y' · Issue #23648 · trinodb/trino
I discovered an issue where we are managing our password.db file for Trino users via Ansible and the Python passlib library it uses to generate hashed bcrypt passwords uses `$2b$` as a prefix instead of `$2y$`.
If any passwords in the passwords.db file are prefixed with `$2b$`, all passwords fail. It does not have to be the specific login attempted. I.e., if I have "usera" in the passwords.db file with a working login prefixed with `$2y$` and then add "userb" to the file with a password prefixed with `$2b$`, "usera" (and every other user in the file) will no longer be able to log in.
We have worked around this by replacing all `$2b$` prefixes in the file with `$2y$` via regex after the task using the Ansible htpasswd module is done, but considering that the `$2b$` algorithm prefix has been in place since 2014 and is functionally equivalent to `$2y$`, it seems that it should be supported by now.
It seems like this might be a simple one line change here to support (plus additional test cases) although I'm not too familiar with the code base.
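The prefix-rewrite workaround described in this issue, as an added example (not code from the issue author or from Trino). It assumes htpasswd-style `user:hash` lines and rewrites only hash fields that are structurally complete `$2b$` bcrypt strings, so a blind search-and-replace cannot touch usernames or malformed entries. The function name and sample data are hypothetical.

```python
import re

# Hash field of one htpasswd-style "user:hash" line: $2b$ prefix, 2-digit
# cost, then 22 salt + 31 digest characters in the bcrypt base64 alphabet.
BCRYPT_2B = re.compile(r"\$2b\$(\d{2}\$[./A-Za-z0-9]{53})")


def normalize_bcrypt_prefixes(text):
    """Return (new_text, changed_users).

    Only well-formed $2b$ hashes are rewritten to $2y$; every other line,
    including its original line ending, is passed through unchanged.
    """
    out, changed = [], []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        user, sep, hashed = body.partition(":")
        m = BCRYPT_2B.fullmatch(hashed) if sep else None
        if m:
            out.append(f"{user}:$2y${m.group(1)}{eol}")
            changed.append(user)
        else:
            out.append(line)
    return "".join(out), changed


# Constructed sample data: these are not real password hashes.
TAIL = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE = (
    f"usera:$2y$10${TAIL}\n"
    f"userb:$2b$10${TAIL}\n"
    "userc:$2b$10$tooshort\n"  # malformed entry: left as-is for review
)

if __name__ == "__main__":
    new_text, changed = normalize_bcrypt_prefixes(SAMPLE)
    print(new_text, end="")
    print("rewritten:", changed)
```

Entries that are returned unchanged but still start with `$2b$` are malformed and worth reviewing by hand rather than rewriting.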