HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

-   -   [2.2.0] My patch for more secure passwords (http://www.howtoforge.com/forums/showthread.php?t=3025)

bjmg 10th March 2006 02:06

[2.2.0] My patch for more secure passwords
 
1 Attachment(s)
Hi,

As promised, here is my patch for more secure passwords.
It now uses a correct MD5 encryption and a better (more secure) salt for the standard encryption (DES).
Also, .htpasswd files are generated with MD5 encryption (if enabled). This is completely new.
The mailuser backend now also supports MD5 encryption. This is completely new too.

I hope I did not make any mistakes. At least I think the code works well.

To patch your installation you have to do the following:
Copy the file in the attachment to /home/admispconfig/ispconfig.
Run the command: patch --dry-run -p1 -i secure-passwords.txt
If there was NO error, run the command:
patch -p1 -i secure-passwords.txt
That's it!

Before I forget:
DON'T TRUST ANY EXTERNAL CODE WITHOUT PROOFREADING IT.
(And in no case if it changes something in the encryption functions.)

Bernhard
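An added example, written for this thread and not taken from the attached patch or from ISPConfig's own code, to show what "a correct MD5 encryption and a better salt" means in practice: a CSPRNG-based salt drawn from the crypt(3) alphabet (2 characters for DES crypt, 8 for MD5 crypt), the MD5-crypt construction itself so the result stays compatible with the system's crypt(3), the `$apr1$` variant that Apache's `htpasswd -m` writes into .htpasswd, and a constant-time verifier. All function names here (`make_salt`, `md5_crypt`, `verify`, `htpasswd_line`) are my own choices, not names from the patch.

```python
"""Added example: MD5-crypt ($1$ / $apr1$) and proper crypt(3) salts.
Not part of the ISPConfig patch discussed in this thread."""
import hashlib
import secrets

# crypt(3) salt/output alphabet shared by DES crypt and MD5 crypt: [./0-9A-Za-z]
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def make_salt(length):
    """Salt from the crypt alphabet using a CSPRNG (secrets), not rand()/time().
    DES crypt takes 2 characters (12 bits); MD5 crypt takes up to 8 (48 bits)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def _to64(value, count):
    """crypt-style base64: emit `count` characters, 6 bits each, low bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt, magic="$1$"):
    """Poul-Henning Kamp's MD5-crypt. With magic="$apr1$" it is the variant
    Apache's htpasswd uses; the construction is otherwise identical."""
    pw = password.encode("utf-8")
    salt = salt[:8]                      # crypt(3) truncates the salt to 8 chars
    sb = salt.encode("ascii")
    magic_b = magic.encode("ascii")

    ctx = hashlib.md5(pw + magic_b + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # mix in the alternate digest once for every 16 bytes of password
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    # for each bit of len(pw): a NUL byte if the bit is set, else the first password byte
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of deliberately irregular stretching
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{magic}{salt}${encoded}"


def verify(password, stored):
    """Re-hash with the magic and salt embedded in the stored string and
    compare in constant time, so a wrong guess leaks no timing information."""
    magic_end = stored.index("$", 1) + 1          # just past "$1$" or "$apr1$"
    magic = stored[:magic_end]
    salt = stored[magic_end:stored.index("$", magic_end)]
    return secrets.compare_digest(md5_crypt(password, salt, magic), stored)


def htpasswd_line(user, password):
    """One .htpasswd line in the MD5 ($apr1$) form Apache accepts."""
    return f"{user}:{md5_crypt(password, make_salt(8), '$apr1$')}"


if __name__ == "__main__":
    h = md5_crypt("correct horse", make_salt(8))
    print(h, verify("correct horse", h), verify("wrong guess", h))
    print("DES-style salt:", make_salt(2))
    print(htpasswd_line("alice", "correct horse"))
```

The output format (`$1$` + salt + `$` + 22 characters) is what /etc/shadow and the system crypt(3) expect, so hashes produced this way interoperate with the OS login path. MD5-crypt's fixed 1000 rounds were the right answer in 2006; where a current system offers SHA-crypt (`$5$`/`$6$`) or bcrypt, those are the better choice today, and the salt-generation point above applies to them unchanged.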

till 10th March 2006 09:01

Hi Bernhard,

Thanks for the patch! We will review it and merge it into SVN if everything works as expected.

Till

olaus 28th March 2006 15:56

Hello,

Does that code also affect the passwords for the web login (stored in MySQL in isp_isp_kunde:webadmin_passwort)?
Those are in any case more vulnerable than the ones in /etc/shadow, because MySQL access rights are enough to read them.

ciao
arnim

Quote:

Originally Posted by bjmg
As promised, here is my patch for more secure passwords.
It now uses a correct MD5 encryption and a better (more secure) salt for the standard encryption (DES).
Also, .htpasswd files are generated with MD5 encryption (if enabled). This is completely new.
The mailuser backend now also supports MD5 encryption. This is completely new too.


till 28th March 2006 16:05

Quote:

Originally Posted by olaus
Does that code also affect the passwords for the web login (stored in MySQL in isp_isp_kunde:webadmin_passwort)?
Those are in any case more vulnerable than the ones in /etc/shadow, because MySQL access rights are enough to read them.

These are totally different passwords.

The password in the field isp_isp_kunde:webadmin_passwort is an MD5-encrypted password of the client for the ISPConfig web interface. Do not mix them up with the (Linux) user passwords this thread is about.

The client passwords are encrypted with totally different algorithms, so they are not affected by the issue described in this thread. Also, we cannot store passwords in /etc/shadow that we need for authentication in the web interface.

