[Bug]: passwordsalt migration missing

[feanor12]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• Nextcloud Server is running on 64bit capable CPU, PHP and OS.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Upgrading to 25 with a config.php that has no or an empty passwordsalt results in an error message.
There is no clear solution on how to introduce a passwordsalt setting to an older setup.

Adiddional description on discord: https://help.nextcloud.com/t/passwordsalt-missing-from-config-php/148081/2

Steps to reproduce

1.install 24
2.use a config.php without a passwordsalt
3.upgrade to 25

Expected behavior

A warning before the upgrade or migration/guide to use salted password hashes.

Possible questions:
Does setting passwordsalt make passwords unusable?
What must be done to migrate this setting?

Installation method

Community Docker image

Operating system

Other

PHP engine version

PHP 8.1

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "overwrite.cli.url": "https:\/\/nextcloud.domain.at",
        "enable_previews": false,
        "overwriteprotocol": "https",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "25.0.0.18",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "forcessl": true,
        "trusted_domains": [
            "owncloud.domain.at",
            "nextcloud.domain.at"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "nextcloud.domain.at",
        "share_folder": "\/Shared",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "loglevel": 0,
        "updater.release.channel": "stable",
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "AT",
        "mysql.utf8mb4": true
    }
}

List of activated Apps

Enabled:
  - activity: 2.17.0
  - admin_audit: 1.15.0
  - calendar: 4.0.1
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.0.1
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - deck: 1.8.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_external: 1.17.0
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notes: 4.6.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - photos: 2.0.0
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.1
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - spreed: 15.0.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - systemtags: 1.15.0
  - tasks: 0.14.5
  - text: 3.6.0
  - theming: 2.0.0
  - twofactor_backupcodes: 1.14.0
  - updatenotification: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - bruteforcesettings: 2.4.0
  - encryption
  - files_texteditor: 2.14.0
  - suspicious_login
  - twofactor_totp
  - user_ldap

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

[llucps]

It happened to me too after upgrading to Nextcloud 25

[szaimen]

cc @juliushaertl @CarlSchwan

[rakekniven]

Same here after upgrading from v24.0.6 to v25.0.0

My original installation is very old and based on OC3. Did every update (major or minor) since then.
Just checked my backups and there has been no passwordsalt variable set in config.php at all.

[rakekniven]

I just added the value to the config.php by using
php /var/www/nextcloud/occ config:system:set passwordsalt --type=string --value=''

But still no change.

[CarlSchwan]

try:

 php /var/www/nextcloud/occ config:system:set passwordsalt --type=string --value='ReplaceThisTest'

the passwordsalt needs to be not empty

[rakekniven]

@CarlSchwan Ok, but setting a salt on an existing installation with users will not prevent users to login?

Minutes ago I tried https://help.nextcloud.com/t/passwordsalt-missing-from-config-php/148081/2 and for sure this works as a workaround.

[FrenchHope]

Oddly the patch doesn't work on my instance...

edit : it works. Cache problem.

But I can't confirm actions like updating apps, the button is greyed out (maybe a browser problem)

[feanor12]

What patch did you apply?

• Set a non empty passwordsalt
• Remove config check for passwordsalt

[FrenchHope]

I removed config check for passwordsalt as described here :

https://help.nextcloud.com/t/passwordsalt-missing-from-config-php/148081/2

(not a bug in my browser as I thought)

edit : it's a display bug, pressing enter works ! #34828

[feanor12]

As far as I understand hashes, changing the salt would invalidate them.
Therefore, to migrate to a new salt all hashes must be updated and because this would require the actually passwords this has to be triggered by the user.

A procedure like this might work, but I know very little about the inner workings of nextcloud:

• Admin forces a password hash update on login
• User uses the old/empty salt for the next login
• The entered password value is used to generate a new hash using the new salt
• To allow this to work for more than one user the migration has to be tracked for all users

However, I don't know how to trigger such a password change.

Furthermore, it could be that the hashes are also used for other things that are not user passwords, making migration more complicated.

[llucps]

Sorry but I'm still confused what the outcome of all this is,

As far as I know I've never had passwordsalt in my config file and my Nextcloud installation is as old as the first Nextcloud version releases in 2015-2016?

It would be great that someone could point out what needs to be done.. for the moment I just removed the passwordsalt from:

foreach (['secret', 'instanceid', 'passwordsalt'] as $requiredConfig) { if ($config->getValue($requiredConfig, '') === '' && !\OC::$CLI && $config->getValue('installed', false)) { $errors[] = [

But messing with the code it's not obviously a solution.

Thanks,

[rakekniven]

My understanding so far:
Old installations does not have a passwordsalt in their config.
New ones have one.

NC v25.0.0 is checking for it and here the trouble started for old installations.
Workaround is to modify code.

My question already added to a previous post is "Will setting a salt on an existing installation with users prevent these users to login?"
If so it needs a solution.