HowtoForge Forums > ISPConfig 3 > Developers' Forum

ISPCONFIG 3 password encryption

#1
28th April 2010, 17:12
jariasca (Member)

Hi all,

I'm developing a new management interface for my postfix for in-house use.
Does anybody know how the ispconfig 3 password is encrypted?

I'm using coldfusion 8

thanks
Jorge

#2
28th April 2010, 18:23
edge (Moderator)

Yahooo.. Another CF8 user.

I think that ISPconfig is using PHP's md5 as encryption, but to make sure you better wait for one of the developers to answer your question.
__________________
Never execute code written on a Friday or a Monday.

#3
28th April 2010, 19:13
till (Super Moderator)

The passwords in ispconfig are encrypted with "crypt" and a salt, that's the standard encryption on all Linux systems and ISPConfig uses this too.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#4
28th April 2010, 19:43
jariasca (Member)

Hi, is there a way to get example code? Never mind if it is in PHP, or maybe you can tell me where in the source code of ispconfig 3 I can see this encryption.

#5
28th April 2010, 20:53
mike_p (Senior Member)

Quote:
Originally Posted by till
The passwords in ispconfig are encrypted with "crypt" and a salt, that's the standard encryption on all Linux systems and ISPConfig uses this too.

Now I'm confused!
Looking at the source code in
/usr/local/ispconfig/interface/web/client/client_edit.php

I see
Code:
$sql = "UPDATE sys_user SET passwort = md5('$password') WHERE client_id = $client_id";
That suggests that the system users' passwords are encrypted by mysql applying md5??

#6
28th April 2010, 20:56
till (Super Moderator)

md5 is a fallback mechanism supported only for the sys_user table. Normally all passwords for all users (ssh, email, ftp and sys_user) are encrypted with crypt. Take a look at the /usr/local/ispconfig/interface/lib/classes/tform.inc.php file which handles the encryption for all password form fields.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#7
28th April 2010, 20:59
mike_p (Senior Member)

Thanks for the swift explanation!

#8
29th April 2010, 00:17
jariasca (Member)

OK, I got more or less how it is done.

What I think is this:

Take the salt '$1$' and make a loop 12 times, adding the salt + a random character between 64 - 126 (ASCII).

Example: $1$ABCDE......

After I get this salt I need to crypt the salt + a key. How can I get that key?

Please correct me if I'm wrong.

Jorge


Code:

if($field['formtype'] == 'PASSWORD') {
    if(isset($field['encryption']) && $field['encryption'] == 'CRYPT') {
        // MD5-crypt salt string: "$1$" prefix, 11 random characters, "$" terminator
        $salt="$1$";
        for ($n=0;$n<11;$n++) {
            $salt.=chr(mt_rand(64,126));
        }
        $salt.="$";
        // $salt = substr(md5(time()),0,2);
        // Hash the submitted password with crypt() and the generated salt
        $record[$key] = crypt($record[$key],$salt);
        $sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
    }
}

#9
29th April 2010, 09:01
Ben (Moderator)
What do you mean by getting the "key"? For my understanding the key is the "password", the salt is just combined with it when crypting to act against rainbow tables.
So what you just do to verify the credentials is, after fetching the key / password, rebuild the hash (the salt can be read from the existing crypt hash) with the given key and compare both.

#10
29th April 2010, 12:11
mike_p (Senior Member)

Having looked at the code (quoted by jariasca) there is something I don't understand.

As far as I know using the MD5 algorithm for crypt (as it appears to be doing) requires a 12 character salt starting with $1$.

The code above appears to create a salt starting with $1$, then 12 characters then a '$' - which makes the salt 16 characters?

Surely the loop should only add 8 characters?

I presume CRYPT will just ignore any extra characters and so won't generate an error.
Reply With Quote
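
The verification flow described in post #9 and the salt-length question raised in post #10, as an added PHP example that is not part of the thread and not ISPConfig's own code. The function names and sample passwords are hypothetical; it assumes PHP 7 or later, and it draws the salt from the crypt alphabet with `random_int()` instead of `mt_rand(64,126)`. MD5-crypt reads at most 8 salt characters after `$1$`, stopping at the next `$`.

```php
<?php
// Added example: hypothetical helper names, constructed sample values.

// Build an MD5-crypt salt string: "$1$" + 8 salt characters + "$".
// random_int() is a CSPRNG; the alphabet is the one crypt() itself emits.
function make_md5crypt_salt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return '$1$' . $salt . '$';
}

// Hash a new password the way the posted snippet does: crypt(password, salt).
function hash_password(string $plain): string
{
    return crypt($plain, make_md5crypt_salt());
}

// Verify a login attempt: there is no separate key. The stored hash already
// contains "$1$<salt>$", so passing it as the salt argument makes crypt()
// reuse the same scheme and salt. hash_equals() compares in constant time.
function verify_password(string $plain, string $stored): bool
{
    return hash_equals($stored, crypt($plain, $stored));
}

// Salt-length check: hash once with an 11-character salt and once with
// only its first 8 characters, then report whether the results match.
function long_salt_is_truncated(string $plain): bool
{
    $long  = crypt($plain, '$1$ABCDEFGHIJK$'); // constructed 11-char salt
    $short = crypt($plain, '$1$ABCDEFGH$');    // its first 8 characters
    return hash_equals($short, $long);
}

$stored = hash_password('example-password');   // constructed sample value
var_dump($stored);                              // "$1$<8 chars>$<22 chars>"
var_dump(verify_password('example-password', $stored));
var_dump(verify_password('wrong-password', $stored));
var_dump(long_salt_is_truncated('example-password'));
```

A client written in another language, such as the ColdFusion interface from post #1, needs an MD5-crypt implementation that parses the stored `$1$<salt>$<hash>` string the same way.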