  #1  
Old 9th March 2006, 16:27
popeye popeye is offline
How to activate MD5 passwords?

I've successfully installed ISPConfig 2.2.0 on Debian Sarge 3.1. Problem is, I still have shadow passwords in /etc/shadow instead of MD5.

The release notes say version 2.2.0 has support for MD5.

How do I activate MD5 passwords?
  #2  
Old 9th March 2006, 16:44
bjmg bjmg is offline

I think this is somehow related to that problem: http://www.howtoforge.com/forums/showthread.php?t=3000

Bernhard
  #3  
Old 9th March 2006, 18:39
popeye popeye is offline

Yes, it is. I've posted this here because turning MD5 support on should be a configuration problem.
  #4  
Old 9th March 2006, 19:26
popeye popeye is offline

In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
find (line 109 - 113)
Quote:
if($go_info["server"]["password_hash"] == 'crypt') {
    $passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} else {
    $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
}
and change it to:

Quote:
if($go_info["server"]["password_hash"] == 'crypt') {
    $passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} else {
    // $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
    $passwort = "||||:". md5(stripslashes($user["user_passwort"]));
}
It works for me.
  #5  
Old 9th March 2006, 19:31
bjmg bjmg is offline

And the other problem can be fixed in the same way, but you have to be a bit more careful because you have to check if your system supports md5 crypted passwords or not. I would really love it if your patch would be integrated into the next version.

Bernhard
  #6  
Old 9th March 2006, 19:41
bjmg bjmg is offline

After looking into the whole source code I think I am able to provide a security patch for these issues. This patch will include your patch (above - but I will go a step further) and a patch for .htpasswd files.
Does someone else need that patch?

Bernhard
  #7  
Old 9th March 2006, 19:48
popeye popeye is offline

I think we all need that, therefore it should be accepted in the next release. Post the patch when you're done.

Cheers
  #8  
Old 9th March 2006, 20:12
till till is online now

Quote:
Originally Posted by bjmg
After looking into the whole source code I think I am able to provide a security patch for these issues. This patch will include your patch (above - but I will go a step further) and a patch for .htpasswd files.
Does someone else need that patch?
Would you like to join the ISPConfig development team?

http://www.howtoforge.com/forums/showthread.php?t=135

It will make things easier for us if patches were integrated directly in the latest SVN.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #9  
Old 9th March 2006, 20:29
till till is online now

Quote:
Originally Posted by popeye
In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
find (line 109 - 113)

.....

and change it to:

....

It works for me.
ISPConfig implements crypt-md5. It is a more secure alternative to the plain crypt function. Your implementation is pure md5 and not a replacement for the crypt-md5 that we implemented. But currently the variable content of $go_info["server"]["password_hash"] is misleading in config.inc.php.

What do you think of this patch:

Code:
if($go_info["server"]["password_hash"] == 'crypt') {
    $passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
} elseif ($go_info["server"]["password_hash"] == 'crypt-md5') {
    $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
} else {
    $passwort = "||||:". md5(stripslashes($user["user_passwort"]));
}
Also you will have to change this twice, once in the user_insert function and once in the user_update function. Both are in the same file.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

Last edited by till; 9th March 2006 at 20:31.
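
The three hash forms discussed in posts #4 and #9 (DES crypt, crypt-md5 and a bare MD5 digest), compared side by side. This is an added example, not ISPConfig code and not written by anyone in the thread; the function names, sample password and salts are constructed for illustration, and it assumes PHP 7.1 or later.

```php
<?php
// Added illustration, not ISPConfig code. Passwords and salts are constructed samples.

// 'crypt' branch: traditional DES crypt, salt = first two password characters.
function des_crypt_pw_salt(string $pw): string {
    return crypt($pw, substr($pw, 0, 2));
}

// 'crypt-md5' branch: $1$ scheme, which uses at most 8 salt characters.
// random_bytes() stands in for the thread's md5(time()) (a substitution made here).
function md5_crypt(string $pw, ?string $salt = null): string {
    $salt = $salt ?? bin2hex(random_bytes(4));   // 8 hex characters
    return crypt($pw, '$1$' . $salt . '$');
}

// Verification for crypt(3)-style hashes: scheme and salt are read from $stored.
function verify_crypt(string $pw, string $stored): bool {
    return hash_equals($stored, crypt($pw, $stored));
}

function yn(bool $b): string { return $b ? 'yes' : 'no'; }

$pw = 'Tr0ub4dor-sample';            // constructed password

// DES crypt stores its 2-character salt in clear at the front of the hash, so
// salting with the password's own prefix writes those two characters to disk.
$des = des_crypt_pw_salt($pw);
echo "DES hash:  $des\n";
echo 'hash prefix equals password prefix: ',
     yn(substr($des, 0, 2) === substr($pw, 0, 2)), "\n";

// Two accounts sharing one password: the bare digest repeats, crypt-md5 does not.
$a = md5_crypt($pw, 'saltAAAA');
$b = md5_crypt($pw, 'saltBBBB');
echo 'bare md5 identical for both accounts:  ', yn(md5($pw) === md5($pw)), "\n";
echo 'crypt-md5 identical for both accounts: ', yn($a === $b), "\n";

// The stored crypt-md5 string is self-describing; a bare 32-hex digest is not a
// crypt(3) format, so crypt()-based verification cannot check it.
echo 'crypt-md5 verifies with crypt():       ', yn(verify_crypt($pw, $a)), "\n";
echo 'bare md5 verifies with crypt():        ', yn(verify_crypt($pw, md5($pw))), "\n";
```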
  #10  
Old 9th March 2006, 20:33
bjmg bjmg is offline

Not at the moment - sorry.
I am happy to help out with patches (even against a [public readable] SVN repository using svn diff) but I have no time to develop new features or something like that. Anyway I am able to help with small patches that are needed to have an even better ISPConfig.

Bernhard