topic Re: Internal user password hashing in SAS Programming

Internal user password hashing

valium — Tue, 10 Feb 2015 18:38:47 GMT

Hi guys,

is anybody able to tell me the algorithm SAS uses to hash passwords for internal users?

Here is the picture…

I need to create a tool for automatic user creation. I would use SAS MDU macros, however the users I have to create do need an internal account. This is why I went for the java way: I do create a person, I do create the internalUser, and I finally bind them:

http://support.sas.com/rnd/javadoc/94/metadata/com/sas/metadata/remote/InternalLogin.html

However, internalUser needs a passwordHash set. Obviously , I usually have salt and password, and this is why I’d need to know how to join them in order to get the salted hash. Javadoc doesn’t seem to answer this question.

By checking the metadata through metabrowse facility, it really really looks similar to a base 64 encoding. I already tried base64(salt+hash) and many similar combinations, but it didn’t seem to work. I tried md5 as well, but I’m just guessing. Any clues?

Thank you all

Mike

Re: Internal user password hashing

jakarman — Tue, 10 Feb 2015 19:41:44 GMT

looks to be a part of the metadata model (DATA) SAS(R) 9.2 Metadata Model: Reference (InternalLogin )

Re: Internal user password hashing

valium — Tue, 10 Feb 2015 21:22:57 GMT

Exactly Jaap,

both salt and passwordHash are attributes of the internalLogin metadata object.

However, when you create a new user, you usually have a name and a password, so you have to calculate the hash.

I assume there is some kind of java utility method to do that. Knowing the procedure would do as well.

If not, there is no way you can create an internalLogin from scratch.

Re: Internal user password hashing

jakarman — Wed, 11 Feb 2015 02:18:37 GMT

The hash is generated with the salt and password. To be able to generate the same hash the salt is needed.
So the logic would be generate salt- store salt generate hash with password store hash.

Going in the reverse mode you would get the salt get (trial/input) password verify hash.

As external logins must be decrypted there is a method to get the original password for those.

Getting in between the external connection in the internal process it should be rather easy to retrieve those.

Until now I have seen them being mixed up within the metadata structure. It could be a way to hack internal login by that way.

Re: Internal user password hashing

valium — Thu, 26 Feb 2015 18:35:27 GMT

I’d like to say thank you to SAS Italian Support who gave the correct answer.

As long as we do not know the way SAS encrypts passwords, we can use a different interface to do that.

Here you can find the documentation:

http://support.sas.com/documentation/cdl/en/omaref/63063/PDF/default/omaref.pdf

And here it is some sample code:

MdFactoryImpl _factory = new MdFactoryImpl(false);

MdObjectStore objectStore = _factory.createObjectStore();

Person person = (Person) _factory.createComplexMetadataObject(objectStore, "mike", MetadataObjects.PERSON, shortReposID);

/* Won’t work, for we do not know the way SAS will encrypt password */

InternalLogin internalLogin = (InternalLogin) _factory.createComplexMetadataObject(objectStore, "InternalLogin_Object", MetadataObjects.INTERNALLOGIN, shortReposID);

internalLogin.setSalt(salt);

internalLogin.setPasswordHash("?????????????");

person.setInternalLoginInfo(internalLogin);

/* */

/* This will work instead */

MdOMRConnection connection = _factory.getConnection();

ISecurity_1_1 is = connection.MakeISecurityConnection();

is.SetInternalPassword("mike", "SASpw1");

/* */

person.updateMetadataAll();

Thank you all.