SSHA Password Generation

Document created by Trevor Fullwood Employee on Apr 1, 2016Last modified by jordan@instructure.com on Aug 14, 2017
Version 4Show Document
  • View in full screen mode

    Official Canvas Document

Canvas + Logo transparent (WHITE)- 300px.png

 

TL;DR

To create SSHA password you'll need to create a SHA1 hash of the password with the salt appended to the string (password + salt). Take this hash and base 64 encode it with the salt appended (SHA1 + salt). Check out the attached examples or an example script in a community repo in Github.

 

The Canvas users CSV file imports allow you to import either plain text user passwords or pre-hashed user passwords. We'll get started with a quick QA.

 

Q: I don't know what a cryptographic hash is, can I still use this?

A: If you're unfamiliar with hashes this workflow is probably not for you. It's slightly complex generating a properly formatted string for Canvas and this document is designed for developers/IT staff at your institution.

 

Q: I never realized I was putting my users in danger. Is this the end of the world?

A: No. SIS import occur over https so data is still encrypted. Hashing passwords just adds an additional layer of security. But if you can implement this, it is preferred to sending plain text passwords.

 

Q: I have CAS (or SAML or LDAP) how does this affect me?

A: It's possible this affects you and your users but chances are it doesn't. This is for users that authenticate via Canvas authentication.

 

Q: Can I use this for users that are already in Canvas?

A: No. Once a user has changed their password in Canvas you cannot update the password via SIS import files.

 

Implementing SSHA Passwords

You'll need to create a SHA1 hash of the password with the salt appended to the string (password + salt). Take this hash and base 64 encode it with the salt appended (SHA1 + salt).

 

For the visual learners I've got a couple examples below, a PHP script and OS X / Ubuntu terminal (sorry, Windows users).

 

OS X / Ubuntu

First generate the SHA1 hash of the password and salt. In this example the password is "password" and the salt is "salt".

 

echo -n passwordsalt | shasum -a 1 | awk '{print $1}'

 

You can do the same in Ubuntu by changing shasum to sha1sum. I'd imagine most other large Linux distros have this by default as well.

 

echo -n passwordsalt | sha1sum | awk '{print $1}'

 

This outputs "c88e9c67041a74e0357befdff93f87dde0904214". So we'll take the hash and base64 encode it with the salt again appended to the string.

 

echo -n 'c88e9c67041a74e0357befdff93f87dde0904214salt' | base64

 

The result is "Yzg4ZTljNjcwNDFhNzRlMDM1N2JlZmRmZjkzZjg3ZGRlMDkwNDIxNHNhbHQ=". Prepend "{SSHA}" to this string and it's ready to send to Canvas. It should look like this when you sent it in the csv file "{SSHA}Yzg4ZTljNjcwNDFhNzRlMDM1N2JlZmRmZjkzZjg3ZGRlMDkwNDIxNHNhbHQ=".

 

PHP

Assign your password and salt variables.

 

$pass = 'password'; $salt = 'salt';

 

Create the SHA1 hash of your password and salt. The password should be added before the salt.

 

$sha_hash = sha1($pass . $salt);

 

Base64 encode the SHA1 hash. Be sure to again add the salt to the end of the string.

 

$encoded_pass = base64_encode($sha_hash . $salt);

 

Prepend "{SSHA}" to the beginning of the hashed and encoded string.

 

$hashed_password = "{SSHA}" . $encoded_pass;

 

You're now ready to send this to Canvas. Add the contents of $hashed_password to the ssha_password column in the users.csv sis import file.

 

 

I've attached a sample CSV file that is ready to upload to Canvas and a sample PHP file to help you get started. I'd also recommend checking out a python script in a community repository on Github.

2 people found this helpful

Attachments

Outcomes