How to activate MD5 passwords?
popeye
9th March 2006, 15:27
I've successfully installed ISPConfig 2.2.0 on Debian Sarge 3.1. Problem is, I still have shadow passwords in /etc/shadow instead of MD5.
The release notes say version 2.2.0 has support for MD5.
How do I activate MD5 passwords?
bjmg
9th March 2006, 15:44
I think this is somehow related to that problem: http://www.howtoforge.com/forums/showthread.php?t=3000
Bernhard
popeye
9th March 2006, 17:39
Yes, it is. I've posted this here because turning MD5 support on should be a configuration problem.
popeye
9th March 2006, 18:26
In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
find (line 109 - 113)
if($go_info["server"]["password_hash"] == 'crypt') {
    $passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} else {
    $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
}
and change it to:
if($go_info["server"]["password_hash"] == 'crypt') {
    $passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} else {
    // $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
    $passwort = "||||:". md5(stripslashes($user["user_passwort"]));
}
It works for me.
bjmg
9th March 2006, 18:31
And the other problem can be fixed in the same way but you have to be a bit more careful because you have to check if your system supports md5 crypted passwords or not. I would really love it if your patch would be integrated into the next version.
Bernhard
bjmg
9th March 2006, 18:41
After looking into the whole source code I think I am able to provide a security patch for these issues. This patch will include your patch (above - but I will go a step further) and a patch for .htpasswd files.
Does someone else need that patch?
Bernhard
popeye
9th March 2006, 18:48
I think we all need that, therefore it should be accepted in the next release. Post the patch when you're done.
Cheers :)
till
9th March 2006, 19:12
> After looking into the whole source code I think I am able to provide a security patch for these issues. This patch will include your patch (above - but I will go a step further) and a patch for .htpasswd files.
> Does someone else need that patch?
Would you like to join the ISPConfig development team?
http://www.howtoforge.com/forums/showthread.php?t=135
It will make things easier for us if patches were integrated directly in the latest SVN.
till
9th March 2006, 19:29
> In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
> find (line 109 - 113)
> .....
> and change it to:
> ....
> It works for me.
ISPConfig implements crypt-md5. It is a more secure alternative to the plain crypt function. Your implementation is pure md5 and not a replacement for the crypt-md5 that we implemented. But currently the variable content of $go_info["server"]["password_hash"] is misleading in config.inc.php
What do you think of this patch:
if($go_info["server"]["password_hash"] == 'crypt') {
    $passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} elseif ($go_info["server"]["password_hash"] == 'crypt-md5') {
    $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
} else {
    $passwort = "||||:". md5(stripslashes($user["user_passwort"]));
}
Also you will have to change this twice, once in the user_insert function and once in the user_update function. Both are in the same file.
bjmg
9th March 2006, 19:33
Not at the moment - sorry.
I am happy to help out with patches (even against a [public readable] SVN repository using svn diff) but I have no time to develop new features or something like that. Anyway I am able to help with small patches that are needed to have an even better ISPConfig.
Bernhard
bjmg
9th March 2006, 19:40
> $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
> }
This is NOT more secure than a true md5 with a correct salt.
By the way: a crypt salt only consists of two (2) chars. Don't forget that.
Like this one (not tested - sorry):
$passwort = "||||:". md5("$1$".md5(time())."$".stripslashes($user["user_passwort"]));
A correct salt for md5 has a length of 12 chars and 8 of those 12 chars should be random. A salt always starts with $1$ and ends with $.
So this is a correct salt "$1$xxxxxxxx$".
I'll provide a patch that uses correct salts. Just look into it or even better look into some description of md5 in passwd/shadow files.
Bernhard
till
10th March 2006, 08:17
> I'll provide a patch that uses correct salts.
Thanks.
> Just look into it or even better look into some description of md5 in passwd/shadow files.
I've not written that code. I will have a look into it.
bjmg
10th March 2006, 08:21
Above I wrote md5(). I actually meant to use the md5 version of crypt. I also verified that your md5 encryption works but in general random data is better for encryptions than time data. It seems that PHP5 does not care about the missing $ at the end of the salt. And it does not care about the too long salt. But I think you really should use a right length/right formed salt.
Bernhard
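Added example, not code from the thread or from ISPConfig: a PHP illustration of the well-formed MD5-crypt salt described above ("$1$" + 8 random characters + "$") next to the md5(time()) salt, showing that crypt() keeps only the first 8 characters of the 32-character value and that two accounts created in the same second receive the same salt. The helper names (md5crypt_salt, md5crypt_hash, md5crypt_verify, salt_of) and the sample passwords are made up for the illustration.

```php
<?php
// Added illustration: helper names are hypothetical, not ISPConfig functions.
// Requires PHP 7+ for random_int().

// "$1$" + 8 random characters from the crypt(3) salt alphabet + "$".
function md5crypt_salt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return '$1$' . $salt . '$';
}

function md5crypt_hash(string $password): string
{
    return crypt($password, md5crypt_salt());
}

// Re-hash the candidate with the stored hash as salt; compare in constant time.
function md5crypt_verify(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Salt field of a "$1$salt$digest" string.
function salt_of(string $hash): string
{
    return explode('$', $hash)[2];
}

// Constructed sample passwords, for demonstration only.
$stored = md5crypt_hash('sample-password-1');
echo "stored hash:        $stored\n";
echo "correct password:   ", var_export(md5crypt_verify('sample-password-1', $stored), true), "\n";
echo "wrong password:     ", var_export(md5crypt_verify('something-else', $stored), true), "\n";

// Salt built as in the thread: "$1$" followed by 32 hex characters.
$now = time();
$a = crypt('sample-password-1', '$1$' . md5($now));
$b = crypt('sample-password-2', '$1$' . md5($now));
echo "salt crypt() kept:  ", salt_of($a), "\n";
echo "same-second salts:  ", salt_of($a), " / ", salt_of($b), "\n";
```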