I'm importing SMF 1.1.4 to vB 3.7b5, and it seems that SMF's password hashing has changed since this mod was released. It now uses sha1() instead of md5_hmac().
So I had a go at it, and got vB authentication working without having to edit any files (except one line in config.php). All it needs is:
1) In your ./includes/config.php, insert this line:
PHP Code:
define('DISABLE_PASSWORD_CLEARING', 1);
NOTE - this forces vB to send a cleartext password from the browser to the server when you log in. This is a potential security risk, albeit a very unlikely one to be exploited - if anyone has compromised your systems to the point that they can pick this information off the wire, you have bigger problems than exposing some passwords! But regardless, you should really treat this as a transitional hack, and give your users something like a month to change their passwords, before you disable this stuff.
2) Create a plugin on the 'login_failure_verify_password' hook, and paste this PHP into it:
PHP Code:
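// Only runs when the browser sent the cleartext password (DISABLE_PASSWORD_CLEARING).
if ($vbulletin->GPC['vb_login_password'])
{
    // Strip the 'imported_' prefix added on username conflicts during the import.
    $hack_username = preg_replace('#^imported_#', '', $vbulletin->GPC['vb_login_username']);
    // SMF 1.1.x hash: sha1(lowercased username . password).
    $sha_passwd = sha1(strtolower($hack_username) . unhtmlspecialchars(stripslashes($vbulletin->GPC['vb_login_password'])));
    // The imported SMF hash is stored in vB as md5(SMF hash . vB salt).
    $vb_passwd = md5($sha_passwd . $vbulletin->userinfo['salt']);
    // Strict comparison: == can treat two "0e..." hex digests as equal numbers.
    if ($vbulletin->userinfo['password'] === $vb_passwd)
    {
        // Unset $return_value so vB does not reject the login.
        unset($return_value);
    }
}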
And that's it.
The way this works is, if the regular vB password verification fails (using the md5 version of the password, which will fail if they still have their impex'ed SMF password set), the plugin is called. Because we set DISABLE_PASSWORD_CLEARING in config.php, vB is now including the clear text password from the browser during login. So the plugin can take that cleartext password, and hash it using SMF's method, and see if that matches the stored hash. If it does, then they have a valid SMF style password.
Note that the code above also works for any usernames which have been changed from 'joeblow' to 'imported_joeblow' due to username conflicts on the impex.
Although I'm using vB 3.7b5, I think this method should work for 3.6 as well. I have no idea which versions of SMF this will work for - all I know is, it works for the SMF v1.1.4 users I'm importing.
I may add automatic changing of the password to a native vB password the first time an SMF user logs in, and release this as a mod. But if not ... maybe the above will help someone out.
-- hugh
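
The hash chain the plugin checks, plus the rehash-on-first-login step mentioned at the end of the post, as an added stand-alone example (not part of the original post and not vBulletin or SMF code). The function names and the sample user row are hypothetical, and the native vB 3.x scheme md5(md5(password) . salt) is an assumption not stated in the post.

```php
<?php
// Stand-alone sketch: no vBulletin code is loaded; all function names are hypothetical.

// SMF 1.1.x hash as described in the post: sha1(lowercased username . password).
function smf_hash(string $username, string $password): string
{
    return sha1(strtolower($username) . $password);
}

// Value stored in vB after the import, per the plugin: md5(SMF hash . vB salt).
function imported_hash(string $username, string $password, string $salt): string
{
    // Undo the 'imported_' rename applied on username conflicts.
    $smfName = preg_replace('#^imported_#', '', $username);
    return md5(smf_hash($smfName, $password) . $salt);
}

// Assumption: the native vB 3.x hash is md5(md5(password) . salt).
function native_hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

// Returns [bool $ok, ?string $newStoredHash]. $newStoredHash is non-null only when
// the legacy SMF-style hash matched and the row should be rewritten in native form.
function verify_and_upgrade(array $user, string $password): array
{
    if (hash_equals($user['password'], native_hash($password, $user['salt']))) {
        return [true, null];
    }
    $legacy = imported_hash($user['username'], $password, $user['salt']);
    if (hash_equals($user['password'], $legacy)) {
        return [true, native_hash($password, $user['salt'])];
    }
    return [false, null];
}

// Constructed sample row: an imported, renamed user with a made-up salt.
$user = ['username' => 'imported_JoeBlow', 'salt' => 'x7Q', 'password' => ''];
$user['password'] = imported_hash($user['username'], 'hunter2', $user['salt']);

[$ok, $newHash] = verify_and_upgrade($user, 'hunter2');
var_dump($ok, $newHash === native_hash('hunter2', $user['salt']));
var_dump(verify_and_upgrade($user, 'wrong')[0]);
```

Once every active account has been rewritten to the native hash this way, the fallback branch and the DISABLE_PASSWORD_CLEARING setting are no longer needed.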