HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


jariasca 28th April 2010 18:12

ISPCONFIG 3 password encryption
 
Hi all,

I'm developing a new management interface for my Postfix for in-house use.
Does anybody know how the ISPConfig 3 password is encrypted?

I'm using ColdFusion 8.

thanks
Jorge

edge 28th April 2010 19:23

Yahooo.. Another CF8 user.

I think that ISPConfig is using PHP's md5 as encryption, but to make sure you'd better wait for one of the developers to answer your question.

till 28th April 2010 20:13

The passwords in ISPConfig are encrypted with "crypt" and a salt; that's the standard encryption on all Linux systems and ISPConfig uses this too.

jariasca 28th April 2010 20:43

Hi, is there a way to get some example code, never mind if it is in PHP? Or maybe you can tell me where in the source code of ISPConfig 3 I can see this encryption.

mike_p 28th April 2010 21:53

Quote:

Originally Posted by till (Post 226830)
The passwords in ISPConfig are encrypted with "crypt" and a salt; that's the standard encryption on all Linux systems and ISPConfig uses this too.

Now I'm confused!
Looking at the source code in
/usr/local/ispconfig/interface/web/client/client_edit.php

I see
Code:

$sql = "UPDATE sys_user SET passwort = md5('$password') WHERE client_id = $client_id";

That suggests that the system users' passwords are encrypted by MySQL applying md5??

till 28th April 2010 21:56

md5 is a fallback mechanism supported only for the sys_user table. Normally all passwords for all users (ssh, email, ftp and sys_user) are encrypted with crypt. Take a look at the /usr/local/ispconfig/interface/lib/classes/tform.inc.php file which handles the encryption for all password form fields.

mike_p 28th April 2010 21:59

Thanks for the swift explanation!

jariasca 29th April 2010 01:17

OK, I got more or less how it is done.

What I think is this:

Get the salt '$1$' and make a loop 12 times, adding the salt + a random character between 64 - 126 (ASCII).

Example: $1$ABCDE......

After I get this salt I need to crypt the salt + a key. How can I get that key?

Please correct me if I'm wrong.

Jorge


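Code:

if($field['formtype'] == 'PASSWORD') {
    if(isset($field['encryption']) && $field['encryption'] == 'CRYPT') {
        // Build the salt string passed to crypt(): "$1$" + random characters + "$"
        $salt="$1$";
        for ($n=0;$n<11;$n++) {
            $salt.=chr(mt_rand(64,126));
        }
        $salt.="$";
        // $salt = substr(md5(time()),0,2);
        // Hash the submitted password and add it to the UPDATE statement
        $record[$key] = crypt($record[$key],$salt);
        $sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
        // (excerpt as posted; the enclosing blocks continue in the source file)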

Ben 29th April 2010 10:01

What do you mean by getting the "key"? To my understanding the key is the "password"; the salt is just combined with it when crypting to act against rainbow tables.
So what you just do to verify the credentials is, after fetching the key / password, rebuild the hash (the salt can be read from the existing crypt hash) with the given key and compare both.

mike_p 29th April 2010 13:11

Having looked at the code (quoted by jariasca) there is something I don't understand.

As far as I know using the MD5 algorithm for crypt (as it appears to be doing) requires a 12 character salt starting with $1$.

The code above appears to create a salt starting with $1$, then 12 characters then a '$' - which makes the salt 16 characters?

Surely the loop should only add 8 characters?

I presume CRYPT will just ignore any extra characters and so won't generate an error.


All times are GMT +2.