Error: The secret passphrase in configuration (blowfish_secret) is too short. #12485

Closed
bobhairgrove opened this Issue Aug 20, 2016 · 12 comments

bobhairgrove commented Aug 20, 2016

I am on Ubuntu 16.04 with MySQL 5.7.13 and just upgraded to phpMyAdmin version 4.6.4. This error appears every time I log in to phpMyAdmin; in 4.6.3 it wasn't there. But otherwise, I can log in, and everything else seems to work.

I verified that my blowfish_secret has 24 characters. The file blowfish_secret.inc.php is located at /var/lib/phpmyadmin and belongs to group www-data. Permissions are properly set, ls -al shows:

-rw-r-----  1 root     www-data   60 Mar 28 20:45 blowfish_secret.inc.php
-rw-r-----  1 root     www-data    0 Mar 28 20:45 config.inc.php

Is there something in config.inc.php (located in /etc/phpmyadmin), or perhaps in the empty file shown in the above listing, that I should add? I do not have $cfg['blowfish_secret'] in the config.inc.php file.

If the secret needs to be longer, there should be some documentation about it somewhere... as a suggestion, maybe include a link to that next to the error message?

(EDIT: I wrapped the blowfish_secret in SHA1() which returns a 40-character hash, and the error disappeared, so I suppose 24 characters was just not long enough. But where is this change documented?)

o6asan commented Aug 23, 2016

> If the secret needs to be longer, there should be some documentation about it somewhere

I had the same error. I found the suggestion in the 4.6.4 config.sample.inc.php and in the $cfg['blowfish_secret'] section of the Docs, which says 'The secret should be 32 characters long.'

Member

devenbansod commented Aug 23, 2016

Thanks @o6asan for the link to documentation. Indeed, the change was made recently and was added to the documentation.

@bobhairgrove if you are satisfied, you can close this issue now.

Member

ibennetch commented Aug 23, 2016

There is a problem though, when there is no blowfish_secret set in config.inc.php, the one that is automatically generated is too short.

bobhairgrove commented Aug 23, 2016

Indeed ... perhaps one could just wrap the auto-generated secret in SHA1() or some other hash function (or do that and truncate the result to 32 characters, or leave it at 40 characters)?

nijel added bug and removed question labels Aug 24, 2016

nijel self-assigned this Aug 24, 2016

nijel added this to the 4.6.5 milestone Aug 24, 2016

Member

nijel commented Aug 24, 2016

@ibennetch It's not too short, just the warning if it's too short is shown :-).

nijel closed this in 6879923 Aug 24, 2016

ibennetch pushed a commit that referenced this issue Nov 25, 2016

Do not show warning about short blowfish_secret if none is set
With empty blowfish_secret user would always get both warnings...

Fixes #12485

Signed-off-by: Michal Čihař <michal@cihar.com>

Sitronik commented Jan 19, 2017

I had some problem with phpMyAdmin when I upgraded to the new version of phpMyAdmin, 4.6.5.2.
So, to solve this problem:
mv /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php
This works for me :-).

bobhairgrove commented Sep 11, 2017

I just upgraded to 4.6.6 in order to deal with another issue (deprecation warnings w/ PHP 7 in Ubuntu 16.04), and after upgrading got the same error message about "blowfish_secret" being too short.

So this issue should be reopened.

(EDIT: the deprecation warnings are still there also, BTW)

Member

ibennetch commented Sep 11, 2017

Reopened.

@bobhairgrove could you confirm your current length of blowfish_secret in config.inc.php (or if it's not there so it's autogenerated)?

ibennetch reopened this Sep 11, 2017

bobhairgrove commented Sep 11, 2017

@ibennetch ... it has 24 characters, and it is in blowfish_secret.inc.php which is included by config.inc.php.

In the meantime, I just edited blowfish_secret.inc.php and wrapped it in SHA1() to make it longer (could have used base64_encode() just as well... :)

Member

nijel commented Sep 15, 2017

The secret should be 32 characters long, so if you have only 24, then it's really too short (it was not needed that long before).

What is actually the reason for reopening this?
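
An added example (not part of the thread and not phpMyAdmin's own code): one way to generate a 32-character secret and to check a configured value against the 32-character length quoted above. The function names, warning wording and sample values are hypothetical; `random_bytes()` requires PHP 7 or later.

```php
<?php
// Added example, not phpMyAdmin code. The 32-character minimum is the figure
// quoted in this thread; function names and warning texts are hypothetical.

const MIN_SECRET_LENGTH = 32;

/** Return a fresh 32-character secret drawn from the OS CSPRNG (PHP 7+). */
function generate_blowfish_secret(): string
{
    // 24 random bytes base64-encode to exactly 32 characters, with no padding.
    return base64_encode(random_bytes(24));
}

/**
 * Modelled on the commit message in this thread: an unset secret gets one
 * warning, a short secret gets the "too short" warning, never both.
 */
function check_blowfish_secret(string $secret): array
{
    if ($secret === '') {
        return ['blowfish_secret is not set'];
    }
    $len = strlen($secret);
    if ($len < MIN_SECRET_LENGTH) {
        return ["blowfish_secret is too short ($len < " . MIN_SECRET_LENGTH . ')'];
    }
    return [];
}

// Constructed sample values, not real secrets.
$short  = 'abcdefghijklmnopqrstuvwx'; // 24 characters
$hashed = sha1($short);               // 40 hex characters, derived only from $short
$fresh  = generate_blowfish_secret();

$cases = ['empty' => '', '24 chars' => $short, 'sha1(24 chars)' => $hashed, 'fresh' => $fresh];
foreach ($cases as $label => $s) {
    $warnings = check_blowfish_secret($s);
    printf("%-16s len=%2d  %s\n", $label, strlen($s), $warnings ? implode('; ', $warnings) : 'ok');
}

// Line to paste into config.inc.php; base64 output contains no quotes or backslashes.
printf("\$cfg['blowfish_secret'] = '%s';\n", $fresh);
```

The `sha1()` case passes the length check because the digest is 40 characters, but it is a deterministic function of the 24-character input and adds no randomness; the freshly generated value carries 192 random bits.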

bobhairgrove commented Sep 15, 2017

It seems that upgrading to 4.6.6 replaced the secret I had with one that was autogenerated (and too short). My old blowfish_secret.inc.php was OK because I had edited that in the past; the new one created by the update overwrites it, apparently.

Member

nijel commented Sep 28, 2017

How did you install phpMyAdmin? We certainly don't touch existing configuration on upgrade...

nijel closed this Nov 27, 2017
