Hashing the password

Ahmad 4 years ago

A long time ago, this post was made, but it is no longer valid.

I wonder if anyone has updated that version.

In case someone needs to create an account in the Traccar users table:

$name = "the_name";
$email = "the_email";
$password = "the_password";
$string = mcrypt_create_iv(24, MCRYPT_DEV_URANDOM);
$salt = strtoupper(bin2hex($string));
$hash = hash_pbkdf2("sha1", $password, $string, 1000, 24, true);
$hash = strtoupper(bin2hex($hash));

finally execute the following query:

INSERT INTO users (name, email, hashedpassword, salt, readonly, admin, map, language, distanceunit, speedunit, latitude, longitude, zoom) VALUES ('$name', '$email', '$hash', '$salt', 0, 0, 'osm', 'en', 'km', 'kmh', 0, 0, 0);

https://www.traccar.org/forums/topic/login-php-hash-and-salt/#post-5191

Zsolt 2 years ago

Starting with openssl v3.0.0 one can generate the Traccar password hash with the openssl CLI as well.

Example for Linux users:

# generate a random salt in hexadecimal format
salt="$(dd if=/dev/urandom bs=24 count=1 status=none | xxd -p)"

# generate the password hash
openssl kdf -keylen 24 -kdfopt digest:sha1 -kdfopt pass:put_the_password_here -kdfopt hexsalt:$salt -kdfopt iter:1000 pbkdf2

Since openssl v3.0.0+ is quite new (at the time I write this comment), not too many Linux distributions have it installed by default. Usually people have OpenSSL v1.1.1+.
One can get an OpenSSL v3.0.0 CLI from the conan package manager.
If you already have python and pip, then it's quite easy:

pip install conan
mkdir openssl_workdir
cd openssl_workdir
conan install openssl/3.0.1@ -r=conancenter -g deploy
ls -al openssl/bin/openssl

And don't forget to reference this new openssl CLI by specifying the proper path for it:

./openssl/bin/openssl kdf -keylen 24 -kdfopt digest:sha1 -kdfopt pass:put_the_password_here -kdfopt hexsalt:$salt -kdfopt iter:1000 pbkdf2

Anton Tananaev 2 years ago

This is cool, thanks for sharing.

Zsolt 2 years ago

If somebody uses the embedded H2 database with Traccar (as I do since I only use it for myself, i.e. a single user with a single device, which means a minuscule load to handle), then here's a complete example on how to update a user's password from a shell (or shell script):

# generate a random salt
salt="$(dd if=/dev/urandom bs=24 count=1 status=none | xxd -p)"

# generate the password hash from the contents of the "password" variable (which you have to set yourself to the new cleartext password)
hash="$(openssl-3.0.1 kdf -keylen 24 -binary -kdfopt digest:sha1 -kdfopt "pass:$password" -kdfopt "hexsalt:$salt" -kdfopt iter:1000 pbkdf2 | xxd -p)"

# uncomment the following line to print out both the salt and the password hash (if you want to)
#echo -e "salt: $salt\nhash: $hash"

# set the value of "tchome" to the path of the Traccar directory
tchome="/opt/traccar"

# and finally update the password (and salt) of the default "admin" user
java -cp "$tchome/lib/h2-"*".jar" org.h2.tools.Shell -url "jdbc:h2:$tchome/data/database" -user sa -sql "update tc_users set hashedpassword='$hash', salt='$salt' where email = 'admin';"

Remember to stop the Traccar service before you run this or you'll get a "file is locked" exception. The H2 client in Traccar locks the database to ensure its consistency/health since H2 is not designed for being written to in parallel by multiple processes.
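
The scheme described in this thread (PBKDF2 with SHA-1, 1000 iterations, a 24-byte salt and a 24-byte key, both hex-encoded), as an added Python example that is not part of any post above. It generates and checks hashedpassword/salt values without the OpenSSL 3 CLI. The function names and the UTF-8 password encoding are assumptions.

```python
import hashlib
import hmac
import secrets

# Parameters as given in the thread: PBKDF2 with SHA-1, 1000 iterations,
# 24-byte salt, 24-byte derived key, both stored as hex strings.
ITERATIONS = 1000
SALT_LEN = 24
KEY_LEN = 24


def derive(password, salt_hex, iterations=ITERATIONS, key_len=KEY_LEN):
    """Return the hex-encoded PBKDF2-HMAC-SHA1 key for a password and hex salt."""
    salt = bytes.fromhex(salt_hex)  # accepts upper- and lower-case hex
    # Assumption: the password is encoded as UTF-8 before hashing.
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, key_len)
    return key.hex()


def new_credentials(password):
    """Generate a fresh random salt and return (hashedpassword, salt) as hex."""
    salt_hex = secrets.token_bytes(SALT_LEN).hex()
    return derive(password, salt_hex), salt_hex


def verify(password, stored_hash_hex, stored_salt_hex):
    """Check a candidate password against stored hex values in constant time."""
    try:
        expected = bytes.fromhex(stored_hash_hex)
        candidate = bytes.fromhex(derive(password, stored_salt_hex))
    except ValueError:  # malformed hex in either column
        return False
    # Compare decoded bytes so upper-case (PHP post) and lower-case (xxd -p)
    # hex both verify; compare_digest avoids a timing side channel.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample password, for demonstration only.
    hashed, salt = new_credentials("correct horse battery staple")
    print("salt:", salt)
    print("hash:", hashed)
    print("verifies:", verify("correct horse battery staple", hashed, salt))
    print("upper-case verifies:", verify("correct horse battery staple", hashed.upper(), salt.upper()))
```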