SSHA Password Generation

    Official Canvas Document

TL;DR

To create an SSHA password, create a SHA1 hash of the password with the salt appended to the string (password + salt). Take this hash, as a string of hex digits, and base64 encode it with the salt appended (SHA1 + salt). Check out the attached examples or an example script in a community repo on GitHub.

The Canvas users CSV file imports allow you to import either plain text user passwords or pre-hashed user passwords. We'll get started with a quick Q&A.

Q: I don't know what a cryptographic hash is, can I still use this?

A: If you're unfamiliar with hashes, this workflow is probably not for you. Generating a properly formatted string for Canvas is slightly complex, and this document is designed for developers/IT staff at your institution.

Q: I never realized I was putting my users in danger. Is this the end of the world?

A: No. SIS imports occur over HTTPS, so data is still encrypted. Hashing passwords just adds an additional layer of security. But if you can implement this, it is preferred to sending plain text passwords.

Q: I have CAS (or SAML or LDAP). How does this affect me?

A: It's possible this affects you and your users but chances are it doesn't. This is for users that authenticate via Canvas authentication.

Q: Can I use this for users that are already in Canvas?

A: No. Once a user has changed their password in Canvas you cannot update the password via SIS import files.

Implementing SSHA Passwords

You'll need to create a SHA1 hash of the password with the salt appended to the string (password + salt). Take this hash, as a string of hex digits, and base64 encode it with the salt appended (SHA1 + salt).

For the visual learners I've got a couple of examples below: an OS X / Ubuntu terminal session and a PHP script (sorry, Windows users).

OS X / Ubuntu

First generate the SHA1 hash of the password and salt. In this example the password is "password" and the salt is "salt".

echo -n passwordsalt | shasum -a 1 | awk '{print $1}'

You can do the same in Ubuntu by changing shasum to sha1sum. I'd imagine most other large Linux distros have this by default as well.

echo -n passwordsalt | sha1sum | awk '{print $1}'

This outputs "c88e9c67041a74e0357befdff93f87dde0904214". So we'll take the hash and base64 encode it with the salt again appended to the string.

echo -n 'c88e9c67041a74e0357befdff93f87dde0904214salt' | base64

The result is "Yzg4ZTljNjcwNDFhNzRlMDM1N2JlZmRmZjkzZjg3ZGRlMDkwNDIxNHNhbHQ=". Prepend "{SSHA}" to this string and it's ready to send to Canvas. It should look like this when you send it in the CSV file: "{SSHA}Yzg4ZTljNjcwNDFhNzRlMDM1N2JlZmRmZjkzZjg3ZGRlMDkwNDIxNHNhbHQ=".

PHP

Assign your password and salt variables.

$pass = 'password'; $salt = 'salt';

Create the SHA1 hash of your password and salt. The password should be added before the salt.

$sha_hash = sha1($pass . $salt);

Base64 encode the SHA1 hash. Be sure to again add the salt to the end of the string.

$encoded_pass = base64_encode($sha_hash . $salt);

Prepend "{SSHA}" to the beginning of the hashed and encoded string.

$hashed_password = "{SSHA}" . $encoded_pass;

You're now ready to send this to Canvas. Add the contents of $hashed_password to the ssha_password column in the users.csv SIS import file.

I've attached a sample CSV file that is ready to upload to Canvas and a sample PHP file to help you get started. I'd also recommend checking out a Python script in a community repository on GitHub.
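
The steps above collected into one Python script, added here as an example (it is not Canvas's code or the community script mentioned above). It goes beyond the walkthrough by drawing a random salt per user and by checking a value before it is written to users.csv; the function names and the 8-byte salt length are assumptions. For contrast it also produces the raw-digest {SSHA} encoding used by OpenLDAP, which the check rejects.

```python
import base64
import hashlib
import hmac
import secrets

PREFIX = "{SSHA}"
HEX = set("0123456789abcdef")

def canvas_ssha(password: str, salt: str) -> str:
    """Canvas format from this page: base64(hex(SHA1(password + salt)) + salt)."""
    hex_digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    payload = (hex_digest + salt).encode("utf-8")
    return PREFIX + base64.b64encode(payload).decode("ascii")

def openldap_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP format, for contrast: base64(raw 20-byte SHA1 + salt)."""
    raw = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(raw + salt).decode("ascii")

def new_salt(nbytes: int = 8) -> str:
    """Random per-user salt as hex text (length is an assumption, not from the page)."""
    return secrets.token_hex(nbytes)

def verify_canvas_ssha(password: str, stored: str) -> bool:
    """Check a password against a Canvas-format value before it goes into users.csv."""
    if not stored.startswith(PREFIX):
        return False
    try:
        decoded = base64.b64decode(stored[len(PREFIX):], validate=True).decode("utf-8")
    except ValueError:  # bad base64 or non-text payload (e.g. OpenLDAP raw digest)
        return False
    hex_digest, salt = decoded[:40], decoded[40:]
    if len(hex_digest) != 40 or not set(hex_digest) <= HEX:
        return False  # not the hex-digest layout Canvas expects
    expected = canvas_ssha(password, salt)
    return hmac.compare_digest(expected.encode("ascii"), stored.encode("ascii"))

if __name__ == "__main__":
    # Constructed sample values; the password below is made up.
    salt = new_salt()
    value = canvas_ssha("correct horse battery staple", salt)
    print("ssha_password:", value)
    print("verifies:", verify_canvas_ssha("correct horse battery staple", value))
    print("OpenLDAP form accepted as Canvas form:",
          verify_canvas_ssha("password", openldap_ssha("password", b"salt")))
```
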

Comments

The format described here is not compatible with the SSHA format used elsewhere (see for example OpenLDAP Faq-O-Matic: What are {SHA} and {SSHA} passwords and how do I generate them?). In the other SSHA, the output of the SHA-1 hash function is fed directly to the base64 encoder as 20 raw bytes (followed by the salt). In Canvas SSHA, the output of the SHA-1 hash function is encoded as an ASCII string of hex digits (making it 40 bytes long) before appending the salt.

When I read the API documentation (SIS Import Format Documentation - Canvas LMS REST API Documentation) I assumed that SSHA meant the "normal" one and I couldn't figure out why it wasn't working until I found this page. The API doc should be updated to point here, and explicitly mention that SSHA doesn't mean SSHA-as-you-know-it-from-OpenLDAP, even though it looks deceptively similar, with the same "{SSHA}" prefix.

P.S. SHA-1 in 2016? Really? Not scrypt, bcrypt, or PBKDF2?

I made the same mistake, my head still hurts from beating it against a wall : )

If anyone is using .NET, I've posted here with source code and a sample user import file: