Where is sugarCRM hashing the password from the login form?

RE: Where is sugarCRM hashing the password from the login form?

Nagy Zoltan — Mon, 14 Feb 2022 15:03:12 GMT

Not a workable solution. Basically our identity server does not support SAML (yet) so this is a way to mimic single sign on. The user is created in our main product, called workspace, with a password and all and we want to move it into sugarCRM with the same credentials. This has worked on 77 and 79 sugar version, but we want to use rest instead of SOAP (the original code was using SOAP). Sugar changed the way it hashes from 79 to 10.0.4, so we have to adapt the hashing method on workspace. Hence my question

RE: Where is sugarCRM hashing the password from the login form?

Harald Kuske — Mon, 14 Feb 2022 14:46:27 GMT

With the REST API you can create users with parameter settings like:

$url = $base_url . "/Users";
$user_parameter = array(
"user_name" => "user6",
"user_hash" => 'sillypassword',
"system_generated_password" => false,
"pwd_last_changed" => "",
"authenticate_id" => "",
"sugar_login" => true,
"picture" => "",
"first_name" => "test6",
"last_name" => "test6",

The created user user6 has the password 'sillypassword' after the POST call. I just tested that in a 11.2 instance.

But from a security point of view I would never set a default password or a list of provided passwords.

Just provide a valid email address for each user and enable the lost password function. So each user can keep his password secret.

RE: Where is sugarCRM hashing the password from the login form?

Thomas Rychlik — Mon, 07 Feb 2022 13:50:08 GMT

check SugarCRM Folder then, /modules/Users/User.php

Here you can search for password or hash.

Hash Library is included at top: use \Sugarcrm\Sugarcrm\Security\Password\Hash

You can search for "public function rehashPassword($password)".