HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=16)
-   -   How to activate MD5 passwords? (http://www.howtoforge.com/forums/showthread.php?t=3009)

popeye 9th March 2006 15:27

How to activate MD5 passwords?
 
I've successfuly instaled ISPConfig 2.2.0 on Debian Sarge 3.1. Problem is, I still have shadow passwords in /etc/shadow instead of MD5.

Release notes says version 2.2.0 has support for MD5.

How do I activate MD5 passwords?

bjmg 9th March 2006 15:44

I think this is somehow related to that problem: http://www.howtoforge.com/forums/showthread.php?t=3000

Bernhard

popeye 9th March 2006 17:39

Yes, it is. I've posted this here because turning MD5 support on should be configuration problem.

popeye 9th March 2006 18:26

In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
find (line 109 - 113)
Quote:

if($go_info["server"]["password_hash"] == 'crypt') {
$passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} else {
$passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
}
and change it to:

Quote:

if($go_info["server"]["password_hash"] == 'crypt') {
$passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} else {
// $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
$passwort = "||||:". md5(stripslashes($user["user_passwort"]));
}
It works for me.

bjmg 9th March 2006 18:31

And the other problem can be fixed int the same way but you have to be a bit more careful because you have to check if your system supports md5 crypted password or not. I would really love it if your patch would be integrated into the next version.

Bernhard

bjmg 9th March 2006 18:41

After looking into the whole source code I think I am able to provide a security patch for these issues. This patch will include your patch (above - but I will go a step further) and a patch for .htpasswd files.
Does someone else need that patch?

Bernhard

popeye 9th March 2006 18:48

I think we all need that, therefor it should be accepted in next release. Post the patch when you're done.

Cheers :)

till 9th March 2006 19:12

Quote:

Originally Posted by bjmg
After looking into the whole source code I think I am able to provide a security patch for these issues. This patch will include your patch (above - but I will go a step further) and a patch for .htpasswd files.
Does someone else need that patch?

Do you like to join the ISPConfig development team?

http://www.howtoforge.com/forums/showthread.php?t=135

It will make things easier for us if patches where integrated directly in the latest SVN.

till 9th March 2006 19:29

Quote:

Originally Posted by popeye
In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
find (line 109 - 113)

.....

and change it to:

....

It works for me.

ISPConfig implements the crypt-md5. It is a more secure alternative of the plain crypt function. Your implementation is pure md5 and not a replacement for the crypt-md5 that we implemented. But currently the variable content of $go_info["server"]["password_hash"] is misleading in config.inc.php

What do you think of this patch:

Code:

if($go_info["server"]["password_hash"] == 'crypt') {
$passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} elseif ($go_info["server"]["password_hash"] == 'crypt-md5') {
$passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
} else {
$passwort = "||||:". md5(stripslashes($user["user_passwort"]));
}

Also you will have to change this twice, once in the user_insert function and once in the user_update function. Both are in the same file.

bjmg 9th March 2006 19:33

Not at the moment - sorry.
I am happy to help out with patches (even agains a [public readable] SVN repository using svn diff) but I have no time to develop new features or something like that. Anyway I am able to help with small patches that are needed to have an even better ISPConfig.

Bernhard


All times are GMT +2. The time now is 01:24.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.