Nextcloud 18 + PHP 7.4 upgrade means you may have to reset your passwords

Nextcloud 18 + PHP 7.4 upgrade means you may have to reset your passwords

Update: The issue was resolved when I installed an additional package, php74-php-sodium.x86_64. This apparently is the replacement for php72-php-pecl-libsodium2.x86_64 which provided the Argon2i hash functionality previously.

If you’ve been following my blog, you may recall I previously attempted to upgrade my primary server (host for this and most of my other sites) to PHP 7.3. As it turns out, I did not end-up completing that process and my server continued using PHP 7.2 without much issue, thankfully.

That brings us to this morning where I had enough distraction-free moments to feel motivated to try to upgrade all the way through to PHP 7.4.1. Hooray! \o/

Because I run CentOS 7 and I chose, a long time ago, to run the updated version of PHP via Software Collections, I decided keep my upgrade complexities down and continue down that same path. For my PHP binaries, I run to the awesome and reliable Remi repo I’ve been using for years. Sometime between this and my last upgrade, he’s helpfully added a wizard/guide to walk you through the process for most scenarios. I’ve already used this several times…

Notices he still needs some hosting budget for 2020….

Donates 50 Euro (around $55 at this time)…

Asks in if I can also help mirroring…

With the guide, I was able to download the right packages. Then, a few config changes for Apache HTTP server pointing the config files and right module files (yes, sadly, I’m still using mod_php, so I plan t chronicle the move to FastCGI at a future date), and my server is up-and-running.

So, I started clicking through and loading the different PHP-powered sites on my server, and I discovered everything, mostly, was working just fine – custom PHP sites were fine and so were WordPress-based ones.

When I got to my personal Nextcloud instance, however, it simply output a small message indicating that PHP 7.4.1 was not supported. Hmm…so I checked my version, and I was indeed two versions behind – I was running 16 and the latest was 18. After a little fiasco trying to upgrade two major verisons at once (spoiler: that’s not allowed), I got Nextcloud 18 installed, upgraded my DB, and I was ready to login!

Except, the password for my account wasn’t working…

I tried again and again, and I also tried logging-in from the Nextcloud app on my phone. It first reported my server was still in maintenance mode (no it wasn’t!) and then it signaled I had to reconnect my device. I realized something was a bit off, so I checked the DB first, and everything seemed fine – the user accounts were there, and nothing seemed odd about the hash.

So, I attempted a manual password reset from the occ command line tool for Nextcloud. I tried to login one more time, and after quite a considerable time, I was successful!

At this point, I became curious, and I examine the users table again, and not only was the password hash different (that’s to be expected), it was much shorter…and more importantly, a different format entirely!

While the older password hashes were prefixed with something like 2|$argon2i, my newly reset one was prefixed simply with 1|$2. I understand that Argon is a relatively newer password hashing tool and so I took this as some kind of a regression. The fact that the final password hash was also significantly shorter also concerned me somewhat, but that was just more of a visual indicator that something changed than anything else.

I saw that PHP has supported Argon hashing since 7.2, but a one of PHP 7.4’s backwards incompatible changes may be the culprit.

PASSWORD_ARGON2I was int 2; now is string ‘argon2i’ PASSWORD_ARGON2ID was int 3; now is string ‘argon2id’

https://www.php.net/manual/en/migration74.incompatible.php#migration74.incompatible.core.password-algorithm-constants

Having said all of that, I did not exhaustively look into this, but I found the side effect interesting. I do know that my version of PHP 7.4 no longer includes libsodium, so perhaps the builds by Remi do not have support for Argon? If anyone knows more about this, feel free to share. I’d love to provide the right information to the right people on how to solve this issue.

Leave a Reply

Your email address will not be published. Required fields are marked *