How to activate MD5 passwords?

[popeye]

I've successfuly instaled ISPConfig 2.2.0 on Debian Sarge 3.1. Problem is, I still have shadow passwords in /etc/shadow instead of MD5.

Release notes says version 2.2.0 has support for MD5.

How do I activate MD5 passwords?

[bjmg]

I think this is somehow related to that problem: http://www.howtoforge.com/forums/showthread.php?t=3000

Bernhard

[popeye]

Yes, it is. I've posted this here because turning MD5 support on should be configuration problem.

[popeye]

In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
find (line 109 - 113)

Quote:

if($go_info["server"]["password_hash"] == 'crypt') {
$passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} else {
$passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
}

and change it to:

Quote:

if($go_info["server"]["password_hash"] == 'crypt') {
$passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} else {
// $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
$passwort = "||||:". md5(stripslashes($user["user_passwort"]));
}

It works for me.

[bjmg]

And the other problem can be fixed int the same way but you have to be a bit more careful because you have to check if your system supports md5 crypted password or not. I would really love it if your patch would be integrated into the next version.

Bernhard

[bjmg]

After looking into the whole source code I think I am able to provide a security patch for these issues. This patch will include your patch (above - but I will go a step further) and a patch for .htpasswd files.
Does someone else need that patch?

Bernhard

[till]

Quote:

Originally Posted by popeye

In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
find (line 109 - 113)

.....

and change it to:

....

It works for me.

ISPConfig implements the crypt-md5. It is a more secure alternative of the plain crypt function. Your implementation is pure md5 and not a replacement for the crypt-md5 that we implemented. But currently the variable content of $go_info["server"]["password_hash"] is misleading in config.inc.php

What do you think of this patch:

Code:

if($go_info["server"]["password_hash"] == 'crypt') {
$passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} elseif ($go_info["server"]["password_hash"] == 'crypt-md5') {
$passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
} else {
$passwort = "||||:". md5(stripslashes($user["user_passwort"]));
}

Also you will have to change this twice, once in the user_insert function and once in the user_update function. Both are in the same file.

[bjmg]

Code:

$passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
}

This is NOT more secure than a true md5 with a correct salt.
By the way: a crypt salt only consists of two (2) chars. Don't forget that.
Like this one (not tested - sorry):

Code:

$passwort = "||||:". md5("$1$md5(time())."$".stripslashes($user["user_passwort"]));

A correct salt for md5 has a length of 12 chars and 8 of those 12 chars should be random. A salt always starts with $1$ and ends with $.
So this is a correct salt "$1$xxxxxxxx$".
I'll provide a patch that uses correct salts. Just look into it or even better look into some description of md5 in passwd/shadow files.

Bernhard