• Fatal error: Define Auth_OpenID_RAND_SOURCE as null to continue with an insecure random number generator. in /home/p32528/public_html/wp-content/plugins/php-openid/Auth/OpenID/CryptUtil.php on line 52

    what can I do about this?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter joaociocca

    (@joaociocca)

    oh yeah, I forgot to say (even though you can see from the URL), the plugin that gives me that error is one of the OpenID ones.

    Sorry to bring this topic up again, but I’ve experienced the same problem with OpenID 3.0

    Googling the matter brought the following solution:
    – in wp-content/plugins/php-openid/Auth/OpenID/CryptUtil.php I’ve replaced

    if (!defined('Auth_OpenID_RAND_SOURCE')) {
        /**
         * The filename for a source of random bytes. Define this yourself
         * if you have a different source of randomness.
         */
        define('Auth_OpenID_RAND_SOURCE', '/dev/urandom');
    }

    with

    if (!defined('Auth_OpenID_RAND_SOURCE')) {
        /**
         * The filename for a source of random bytes. Define this yourself
         * if you have a different source of randomness.
         */
        define('Auth_OpenID_RAND_SOURCE', null);
    }

    After doing that everything was working just fine.

    But then, it was noted by that person that this way of dealing with this kind of problem was not secure ’cause it made the script use “a pseudo-random sequence that is relatively easily cracked” (I’m quoting here ’cause I know very little about these things). It was also noted that this kind of problem could arise in cases when PHP couldn’t have access to a good source of randomness (whatever that may be, I’m quoting the helping person again).

    The question I now have is whether I’m actually endangering my blog credentials (login/password) each time I comment somewhere using my blog URL as an OpenID? Somehow it seems unlikely since the credentials get sent to my own server after all and are not shared with this other site where I comment, is that right? Or am I possibly handing other persons the way to identify as me by using this insecure pseudo-randomness? Generally, how dangerous is it (no real randomness)?

    And the second question is (sorry for being this talkative today) why might my PHP have no access to a real source of randomness? Should I talk to my host provider about it, should they provide me with /dev/urandom (guess that is the path to some server program)? Is it a possible thing with virtual hosting or is it only available with VPS/DDS?

    It certainly doesn’t put your wordpress credentials at risk. At most, it makes it slightly easier for your OpenID association to be compromised, but given the use of nonces, it’s still nothing to be too terribly concerned about. The OpenID plugin was supposed to set this to null automatically if it detected you didn’t have access to /dev/urandom. That wasn’t working apparently, so I’ve made a quick update. Try replacing your openid.php with the one below and let me know if that fixes it for you.

    https://diso.googlecode.com/svn/wordpress/openid/trunk/openid.php
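
A host-side check for the situation discussed above, as an added example that is not code from the plugin or from php-openid: it probes which random sources the PHP process can actually reach and defines `Auth_OpenID_RAND_SOURCE` as `null` only when the device file is unreadable. The function names `probe_random_sources` and `choose_rand_source` are hypothetical, and `open_basedir` is named only as one common reason a shared host blocks the path.

```php
<?php
// Added example, not code from the plugin or from php-openid.

/** Report which random-byte sources this PHP process can actually use. */
function probe_random_sources(string $device = '/dev/urandom'): array
{
    $sources = ['random_bytes' => false, 'device' => false];

    // random_bytes() (PHP 7+) draws from the operating system's CSPRNG.
    if (function_exists('random_bytes')) {
        try {
            $sources['random_bytes'] = strlen(random_bytes(16)) === 16;
        } catch (Exception $e) {
            // No usable OS source; leave the entry false.
        }
    }

    // The device can exist on the server yet be unreachable from PHP,
    // for example when open_basedir does not include /dev.
    $fh = @fopen($device, 'rb');
    if ($fh !== false) {
        $sources['device'] = strlen((string) fread($fh, 16)) === 16;
        fclose($fh);
    }

    $sources['openssl'] = function_exists('openssl_random_pseudo_bytes');
    return $sources;
}

/** Device path when PHP can read it, otherwise null (the insecure fallback). */
function choose_rand_source(array $sources, string $device = '/dev/urandom'): ?string
{
    return $sources['device'] ? $device : null;
}

$sources = probe_random_sources();
foreach ($sources as $name => $ok) {
    printf("%-13s %s\n", $name, $ok ? 'available' : 'unavailable');
}

// Define the constant before CryptUtil.php is loaded; that file only sets
// its '/dev/urandom' default when the constant is still undefined.
if (!defined('Auth_OpenID_RAND_SOURCE')) {
    define('Auth_OpenID_RAND_SOURCE', choose_rand_source($sources));
}
```

If `device` is reported unavailable while `random_bytes` is available, the server does have a secure source and only the file path is blocked for PHP, which is the detail to raise with the hosting provider.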

    Yes, it seems to work okay now. I mean, with the original wp-content/plugins/php-openid/Auth/OpenID/CryptUtil.php file. Thank you for addressing this issue.

    Oh, and if it would not be much of a bother for you, could you please explain the meaning of the “Log in using an OpenID” on the WP login screen? Which ID exactly does it require?

    Are you asking me to explain in here, or update the plugin so that the login screen is more descriptive? OpenID is pretty well explained at https://openid.net/what/. Most any URL can be an OpenID, which is one of the things the plugin does… it makes your blog an OpenID that can be used to log you into other sites. There are also a number of third-party OpenID providers listed at https://openid.net/get/

    Thank you for your help, wnorris. I’m sorry I couldn’t phrase the question right. It didn’t concern the OpenID technology itself, I’ve read about it before. The question was about the log-in screen. You see, yesterday I accidentally stumbled across the plug-in setting which kind of described the meaning of this “Or login using an OpenID:” field on the admin log-in screen. The OpenID which this log-in screen field is talking about (if you could say so) should be set beforehand in the plug-in settings, so that my WP knows that a user with this particular OpenID is authorized to log in, is that right? And if I don’t adjust this setting to explicitly tell WP to allow some OpenID to log in, then it would be impossible to log in to my WP using an OpenID, is that correct?

    Sadly, all of this is not obvious for a non-technical user like myself. Maybe it would be possible to include an explanation of this log-in option into a readme file or add a brief note to the log-in screen?

    Anyway, thank you for your work and this great plug-in!

    Ahh, I got it. Yes, you do have it right now in your explanation… the OpenID field on the login page is only useful if you’ve already connected an OpenID with your WordPress account. I’ll see about writing some more user-level documentation for the plugin.

    Thread Starter joaociocca

    (@joaociocca)

    just giving feedback, after some time I decided to try again (on version 3.1.4 now) and it works just fine, nice work wnorris!

  • The topic ‘Fatal Error when trying to authenticate’ is closed to new replies.