  #11  
29th April 2010, 12:18
till
Super Moderator

The encryption is absolutely fine like it is implemented now. The $1$ is not part of the salt, it is a prefix that tells crypt which kind of encryption the password has.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #12  
29th April 2010, 12:56
mike_p
Senior Member

For future reference the salt should only be 12 characters including the '$1$'
and the final '$' is optional.

To confirm it I tested with a simple little php script:

Code:
<?php
// Salt with 12 characters after the '$1$' prefix
$salt = '$1$12345678abcd$';
$res = crypt('whatever', $salt);

echo "salt   = $salt\n";
echo "result = $res\n";

// Salt with 8 characters after the '$1$' prefix
$salt = '$1$12345678$';
$res = crypt('whatever', $salt);

echo "salt   = $salt\n";
echo "result = $res\n";
?>
---------------- 
result....
----------------
salt   = $1$12345678abcd$
result = $1$12345678$OF2XnrBgffDDN5xlSzPhb.
salt   = $1$12345678
result = $1$12345678$OF2XnrBgffDDN5xlSzPhb.
i.e. the extra four characters were simply ignored.

There is a good description of the MD5 implementation of crypt in the man page for 'crypt' in the GNU EXTENSION section.
  #13  
29th April 2010, 18:28
jariasca
Member

Ok, now I understand the process, it is crypt (<password>, <salt>)
Salt was generated dynamically here

Code:
$salt="$1$";
for ($n=0;$n<11;$n++) {
    $salt.=chr(mt_rand(64,126));
}
Now I'm making a new interface for my company and I need to make a login using the same username and password from email accounts in ISPCONFIG.

If the <salt> is dynamically generated I think it has to be stored somewhere in the database or a text file in my server so that I can get it to crypt the password plus the salt and compare with the one in the ISPCONFIG database so I can log in.

Where is the salt stored?

regards
Jorge
  #14  
29th April 2010, 19:14
mike_p
Senior Member

Quote:
Originally Posted by jariasca
Where is the salt stored?

It's visible as the first 12 characters of the encrypted password.
If you look at the test I ran above, the encrypted password is shown as
$1$12345678$OF2XnrBgffDDN5xlSzPhb.
the first 12 characters ($1$12345678$) = the salt.
  #15  
29th April 2010, 19:21
jariasca
Member

Hi, thanks

I understand the whole process. Every time I change a password in ISPCONFIG it will generate a new <salt> for each account and then crypt the password, so I think that if the <salt> is dynamically generated every time I change the password it needs to be stored so that I can later retrieve it from a file or sql table to make the encryption and then compare passwords to make the login.

How does courier make the login?

That's my question

thanks again,
-Jorge

Last edited by jariasca; 29th April 2010 at 19:39.
  #16  
29th April 2010, 20:13
jariasca
Member

Hi Mike_P

Ooops, I'm Sorry for asking questions, I already got it, it was always in the password.

$1$p_vgRwIS$TnJucOgRwJsjUBpNdaut9.

So I just need to read the <salt> from the password, extract it and crypt it with sql encrypt and the form password to compare.

Regards
Jorge
Reply With Quote
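
The check the posts above arrive at, as an added example (not ISPConfig or Courier code): the stored hash carries its own `$1$` prefix and salt, so the whole string is passed back to crypt() as the salt argument and the result is compared in constant time. The function names are hypothetical; the sample hash is the one from the test earlier in this thread.

```php
<?php
// Added example, not ISPConfig or Courier code. Function names are hypothetical.

// Split an MD5-crypt string "$1$<salt>$<digest>" into its parts.
// The salt is at most 8 characters (anything longer is ignored by crypt,
// as the test in this thread showed); the digest is 22 characters.
// Returns null when the string does not have that shape.
function parse_md5_crypt(string $stored): ?array
{
    $pattern = '/^\$1\$([^$]{0,8})\$([.\/0-9A-Za-z]{22})\z/';
    if (!preg_match($pattern, $stored, $m)) {
        return null;
    }
    return ['prefix' => '$1$', 'salt' => $m[1], 'digest' => $m[2]];
}

// Verify a candidate password against a stored MD5-crypt hash.
// No separate salt column is needed: crypt() reads prefix and salt
// from the stored hash itself and ignores the trailing digest.
function verify_md5_crypt(string $candidate, string $stored): bool
{
    if (parse_md5_crypt($stored) === null) {
        return false; // empty, locked or malformed entry: never matches
    }
    $computed = crypt($candidate, $stored);
    // hash_equals() compares in constant time, so the comparison does not
    // leak how many leading characters of the hash were correct.
    return hash_equals($stored, $computed);
}

// Hash taken from the test earlier in this thread (password 'whatever').
$stored = '$1$12345678$OF2XnrBgffDDN5xlSzPhb.';

$parts = parse_md5_crypt($stored);
echo "prefix = {$parts['prefix']}\n";
echo "salt   = {$parts['salt']}\n";
echo "digest = {$parts['digest']}\n";

echo "correct password: ";
var_dump(verify_md5_crypt('whatever', $stored));
echo "wrong password:   ";
var_dump(verify_md5_crypt('Whatever', $stored));
echo "malformed entry:  ";
var_dump(verify_md5_crypt('whatever', '$1$12345678'));
```

PHP's built-in password_verify() accepts crypt()-format hashes and performs the same crypt-and-compare step.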
  #17  
29th April 2010, 20:32
till
Super Moderator

If you want to write a new interface, you should consider using the remoting API instead of manipulating the data in the sql tables directly. This will keep your interface compatible with new ispconfig releases.