HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)

- Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=16)

- - How to activate MD5 passwords? (http://www.howtoforge.com/forums/showthread.php?t=3009)

How to activate MD5 passwords?

I've successfuly instaled ISPConfig 2.2.0 on Debian Sarge 3.1. Problem is, I still have shadow passwords in /etc/shadow instead of MD5.

Release notes says version 2.2.0 has support for MD5.

How do I activate MD5 passwords?

I think this is somehow related to that problem: http://www.howtoforge.com/forums/showthread.php?t=3000

Bernhard

Yes, it is. I've posted this here because turning MD5 support on should be configuration problem.

In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
find (line 109 - 113)

Quote:

if($go_info["server"]["password_hash"] == 'crypt') {
$passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} else {
$passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
}

and change it to:

Quote:

if($go_info["server"]["password_hash"] == 'crypt') {
$passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} else {
// $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
$passwort = "||||:". md5(stripslashes($user["user_passwort"]));
}

It works for me.

And the other problem can be fixed int the same way but you have to be a bit more careful because you have to check if your system supports md5 crypted password or not. I would really love it if your patch would be integrated into the next version.

Bernhard

After looking into the whole source code I think I am able to provide a security patch for these issues. This patch will include your patch (above - but I will go a step further) and a patch for .htpasswd files.
Does someone else need that patch?

Bernhard

I think we all need that, therefor it should be accepted in next release. Post the patch when you're done.

Cheers :)

Quote:

Originally Posted by bjmg

Do you like to join the ISPConfig development team?

http://www.howtoforge.com/forums/showthread.php?t=135

It will make things easier for us if patches where integrated directly in the latest SVN.

Quote:

Originally Posted by popeye

In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
find (line 109 - 113)

.....

and change it to:

....

It works for me.

ISPConfig implements the crypt-md5. It is a more secure alternative of the plain crypt function. Your implementation is pure md5 and not a replacement for the crypt-md5 that we implemented. But currently the variable content of $go_info["server"]["password_hash"] is misleading in config.inc.php

What do you think of this patch:

Code:

if($go_info["server"]["password_hash"] == 'crypt') {

$passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));

} elseif ($go_info["server"]["password_hash"] == 'crypt-md5') {

$passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );

} else {

$passwort = "||||:". md5(stripslashes($user["user_passwort"]));

}

Also you will have to change this twice, once in the user_insert function and once in the user_update function. Both are in the same file.

Not at the moment - sorry.
I am happy to help out with patches (even agains a [public readable] SVN repository using svn diff) but I have no time to develop new features or something like that. Anyway I am able to help with small patches that are needed to have an even better ISPConfig.

Bernhard