cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
valium
Calcite | Level 5 valium
Calcite | Level 5
Go to Solution

Internal user password hashing

Posted 02-10-2015 01:38 PM (1831 views)

Hi guys,

is anybody able to tell me the algorithm SAS uses to hash passwords for internal users?

Here is the picture…

I need to create a tool for automatic user creation. I would use SAS MDU macros, however the users I have to create do need an internal account. This is why I went for the java way: I do create a person, I do create the internalUser, and I finally bind them:

http://support.sas.com/rnd/javadoc/94/metadata/com/sas/metadata/remote/InternalLogin.html

However, internalUser needs a passwordHash set. Obviously , I usually have salt and password, and this is why I’d need to know how to join them in order to get the salted hash. Javadoc doesn’t seem to answer this question.

By checking the metadata through metabrowse facility, it really really looks similar to a base 64 encoding. I already tried base64(salt+hash) and many similar combinations, but it didn’t seem to work. I tried md5 as well, but I’m just guessing. Any clues?

Thank you all

Mike

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions
valium
Calcite | Level 5 valium
Calcite | Level 5

Re: Internal user password hashing

Posted 02-26-2015 01:35 PM (2439 views)  |   In reply to valium

I’d like to say thank you to SAS Italian Support who gave the correct answer.

As long as we do not know the way SAS encrypts passwords, we can use a different interface to do that.

Here you can find the documentation:

http://support.sas.com/documentation/cdl/en/omaref/63063/PDF/default/omaref.pdf

And here it is some sample code:


MdFactoryImpl _factory = new MdFactoryImpl(false);

MdObjectStore objectStore = _factory.createObjectStore();

Person person = (Person) _factory.createComplexMetadataObject(objectStore, "mike", MetadataObjects.PERSON, shortReposID);

/* Won’t work, for we do not know the way SAS will encrypt password */

InternalLogin internalLogin = (InternalLogin) _factory.createComplexMetadataObject(objectStore, "InternalLogin_Object", MetadataObjects.INTERNALLOGIN, shortReposID);

internalLogin.setSalt(salt);

internalLogin.setPasswordHash("?????????????");

person.setInternalLoginInfo(internalLogin);

/*   */

/* This will work instead */

MdOMRConnection connection = _factory.getConnection();

ISecurity_1_1 is = connection.MakeISecurityConnection();

is.SetInternalPassword("mike", "SASpw1");

/*   */


person.updateMetadataAll();

Thank you all.

View solution in original post

4 REPLIES 4
jakarman
Barite | Level 11 jakarman
Barite | Level 11

Re: Internal user password hashing

Posted 02-10-2015 02:41 PM (1745 views)  |   In reply to valium

looks to be a part of the metadata model (DATA) SAS(R) 9.2 Metadata Model: Reference (InternalLogin )

---->-- ja karman --<-----
0 Likes
valium
Calcite | Level 5 valium
Calcite | Level 5

Re: Internal user password hashing

Posted 02-10-2015 04:22 PM (1745 views)  |   In reply to jakarman

Exactly Jaap,

both salt and passwordHash are attributes of the internalLogin metadata object.

However, when you create a new user, you usually have a name and a password, so you have to calculate the hash.

I assume there is some kind of java utility method to do that. Knowing the procedure would do as well.

If not, there is no way you can create an internalLogin from scratch.

0 Likes
jakarman
Barite | Level 11 jakarman
Barite | Level 11

Re: Internal user password hashing

Posted 02-10-2015 09:18 PM (1745 views)  |   In reply to valium

The hash is generated with the salt and password. To be able to generate the same hash the salt is needed. 
So the logic would be generate salt- store salt generate hash with password store hash.

Going in the reverse mode you would get the salt   get (trial/input) password   verify hash.

As external logins must be decrypted there is a method to get the original password for those.

Getting in between the external connection in the internal process it should be rather easy to retrieve those.

Until now I have seen them being mixed up within the metadata structure. It could be a way to hack internal login by that way. 

---->-- ja karman --<-----
0 Likes
valium
Calcite | Level 5 valium
Calcite | Level 5

Re: Internal user password hashing

Posted 02-26-2015 01:35 PM (2440 views)  |   In reply to valium

I’d like to say thank you to SAS Italian Support who gave the correct answer.

As long as we do not know the way SAS encrypts passwords, we can use a different interface to do that.

Here you can find the documentation:

http://support.sas.com/documentation/cdl/en/omaref/63063/PDF/default/omaref.pdf

And here it is some sample code:


MdFactoryImpl _factory = new MdFactoryImpl(false);

MdObjectStore objectStore = _factory.createObjectStore();

Person person = (Person) _factory.createComplexMetadataObject(objectStore, "mike", MetadataObjects.PERSON, shortReposID);

/* Won’t work, for we do not know the way SAS will encrypt password */

InternalLogin internalLogin = (InternalLogin) _factory.createComplexMetadataObject(objectStore, "InternalLogin_Object", MetadataObjects.INTERNALLOGIN, shortReposID);

internalLogin.setSalt(salt);

internalLogin.setPasswordHash("?????????????");

person.setInternalLoginInfo(internalLogin);

/*   */

/* This will work instead */

MdOMRConnection connection = _factory.getConnection();

ISecurity_1_1 is = connection.MakeISecurityConnection();

is.SetInternalPassword("mike", "SASpw1");

/*   */


person.updateMetadataAll();

Thank you all.

sas-innovate-2024.png

Don't miss out on SAS Innovate - Register now for the FREE Livestream!

Can't make it to Vegas? No problem! Watch our general sessions LIVE or on-demand starting April 17th. Hear from SAS execs, best-selling author Adam Grant, Hot Ones host Sean Evans, top tech journalist Kara Swisher, AI expert Cassie Kozyrkov, and the mind-blowing dance crew iLuminate! Plus, get access to over 20 breakout sessions.

 

Register now!

How to Concatenate Values

Learn how use the CAT functions in SAS to join values from multiple variables into a single value.

Watch How to Concatenate Values on YouTube

Find more tutorials on the SAS Users YouTube channel.

Click image to register for webinarClick image to register for webinar

Classroom Training Available!

Select SAS Training centers are offering in-person courses. View upcoming courses for:

View all other training opportunities.

Discussion stats
  • 4 replies
  • ‎02-10-2015 01:38 PM
  • 1832 views
  • 1 like
  • 2 in conversation