Migrate password to 7.6

Vireth · May 13, 2025, 11:44am

Hello,

I am trying to migrate to Tryton 7.6 but when I try to log in I get this error.

Traceback (most recent call last):
  File "/trytond/wsgi.py", line 97, in dispatch_request
    return endpoint(request, **request.view_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/trytond/protocols/dispatcher.py", line 44, in rpc
    return methods.get(request.rpc_method, _dispatch)(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/trytond/protocols/dispatcher.py", line 54, in login
    session = security.login(
              ^^^^^^^^^^^^^^^
  File "/trytond/security.py", line 47, in login
    user_id = User.get_login(loginname, parameters)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/trytond/res/user.py", line 679, in get_login
    user_ids.add(func(login, parameters))
                 ^^^^^^^^^^^^^^^^^^^^^^^
  File "/trytond/res/user.py", line 727, in _login_password
    valid, new_hash = cls.check_password(password, password_hash)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/trytond/res/user.py", line 751, in check_password
    return PASSWORD_HASH.verify_and_update(password, hash_)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/pwdlib/_hash.py", line 119, in verify_and_update
    raise exceptions.UnknownHashError(hash)
pwdlib.exceptions.UnknownHashError: This hash can't be identified. Make sure it's valid and that its corresponding hasher is enabled.

As I understand pwdlib works with argon and/or bcrypt, and the old password used scrypt/bcrypt/ pbkdf2_sha512. The doc says to update old passwords by logging in but I can’t log in without getting an error.

ced · May 13, 2025, 12:07pm

It must be done before the update.

Vireth · May 13, 2025, 12:19pm

So, install argon2, log in to update the password, then migrate the codebase ?

acaubet · May 13, 2025, 12:21pm

Or you can change it after using trytond-admin.

ced · May 13, 2025, 12:23pm

You must set the configuration to use argon2: Configuration file — Tryton server

Vireth · May 13, 2025, 1:34pm

Alright I’ve been able to change the hashing method with the passlib config file.
So If I want to migrate prod, every user needs to log in with an argon2 config and then I can migrate to 7.6 ?

ced · May 13, 2025, 2:23pm

Yes and I would suggest to check that it is actually the case by looking if all password_hash starts with $argon2 in the table res_user and web_user.

system · May 14, 2025, 2:24pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.