[2.2.0] My patch for more secure passwords
As promised, here is my patch for more secure passwords.
It now uses a correct md5 encryption and a better salt (more secure) for the standard encryption (DES).
Also .htpasswd files are generated with MD5 encryption (if enabled). This is completely new.
The mailuser backend now also supports MD5 encryption. This is completely new too.
I hope I did not make any mistakes. At least I think the code works well.
To patch your installation you have to do the following:
copy the file in the attachment to /home/admispconfig/ispconfig
run the command: patch --dry-run -p1 -i secure-passwords.txt
If there was NO error run the command:
patch -p1 -i secure-passwords.txt
Before I forget it:
DON'T TRUST ANY EXTERNAL CODE WITHOUT PROOF READING IT.
(And not in any case if it changes something on encryption functions.)
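One way to check which scheme each entry uses before and after applying such a patch, as an added example that is not part of the original post or of the patch. The `$1$` and `$apr1$` prefixes are the standard MD5-crypt and Apache MD5 markers and are assumed here, not taken from the patch; the sample lines and function names are constructed for illustration.

```python
import re

# Standard crypt(3)/htpasswd layouts; assumed, not read from the patch.
B64 = r"[./0-9A-Za-z]"
SCHEMES = [
    ("md5-crypt", re.compile(rf"^\$1\${B64}{{1,8}}\${B64}{{22}}$")),
    ("apr1-md5", re.compile(rf"^\$apr1\${B64}{{1,8}}\${B64}{{22}}$")),
    # Traditional DES crypt: 2 salt characters + 11 hash characters.
    ("des-crypt", re.compile(rf"^{B64}{{13}}$")),
]


def classify_hash(field):
    """Return the scheme name for one password field."""
    if field in ("", "*", "x") or field.startswith("!"):
        return "locked-or-empty"
    for name, pattern in SCHEMES:
        if pattern.match(field):
            return name
    return "unknown"


def audit(lines):
    """Map user -> scheme for 'user:hash[:...]' lines (shadow or .htpasswd)."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 2)[:2]
        result[user] = classify_hash(field)
    return result


def des_entries(lines):
    """Users whose hash is still in the old DES format."""
    return sorted(u for u, s in audit(lines).items() if s == "des-crypt")


# Constructed sample input: the hash bodies are filler, not real hashes.
SAMPLE = [
    "alice:ab1Xy2Zw3Qv4R:15000:0:99999:7:::",
    "bob:$1$abcdefgh$" + "A" * 22 + ":15000:0:99999:7:::",
    "carol:$apr1$abcdefgh$" + "B" * 22,
    "daemon:*:15000:0:99999:7:::",
]

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE).items():
        print(f"{user}: {scheme}")
```

Entries only change format when a password is set again, so accounts created before the patch keep showing up as `des-crypt` until their password is changed.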
Thanks for the patch! We will review it and merge it in SVN if everything works as expected.
Does that code also affect the passwords for the web-login (stored in mysql isp_isp_kunde:webadmin_passwort)?
Those are anyway more vulnerable than the ones in /etc/shadow because mysql-access rights are enough to read them.
The password in the field isp_isp_kunde:webadmin_passwort is an md5 encrypted password of the client for the ISPConfig web interface. Do not mix them up with the (linux) user passwords this thread is about.
The client passwords are encrypted with totally different algorithms so they are not affected by the issue described in this thread. Also we cannot store passwords in /etc/shadow that we need for authentication in the web interface.