#1
8th March 2010, 14:48
papyHerman
Salt generation for CRYPT passwords

Due to errors in parsing the authorization file, I've rewritten some part of the PHP:
Here is a proposed patch:
(same with interface/lib/classes/tform.inc.php, interface/lib/classes/remoting_lib.inc.php and this: password_reset.php)
[PRE]
+++ ispconfig3_install_felix/interface/web/login/password_reset.php 2010-03-08 13:28:52.000000000 +0000
@@ -53,9 +53,13 @@

if($client['client_id'] > 0) {
$new_password = md5 (uniqid (rand()));
+ $saltpack=array[(]"a","b","c","d","e","f","g","h","i","j","k","l","m ","n",
+ "o","p","q","r","s","t","u","v","w","x","y","z","A ","B","C","D","E",
+ "F","G","H","I","J","K","L","M","N","O","P","Q","R ","S","T","U","V",
+ "W","X","Y","Z","0","1","2","3","4","5","6","7","8 ","9",".","/");
$salt="$1$";
for ($n=0;$n<11;$n++) {
- $salt.=chr(mt_rand(64,126));
+ $salt.=$saltpack[rand(0,63)];
}
$salt.="$";
$new_password_encrypted = crypt($new_password,$salt);
[/PRE]
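Review bot: The unchanged loop bound $n<11 still appends 11 salt characters, but an MD5-crypt ($1$) salt is at most 8 characters, so crypt() ignores the last three; change the bound to $n<8. The added line $salt.=$saltpack[rand(0,63)]; also switches from mt_rand() to rand(); keep mt_rand(0,63) or use a stronger random source. As posted, the array literal reads array[(] and contains entries such as "m " and "A " with a trailing space, which would either fail to parse or put a space into the salt, so check those against the real file. Because the same block is copied into three files, a shared helper that indexes one 64-character string would keep the copies from drifting apart. The context line $new_password = md5 (uniqid (rand())); derives the reset password from the clock and rand(); it deserves a cryptographically secure generator as well.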
#3
8th March 2010, 16:03
till

Which ISPConfig version did you use? The fix that has been applied to the salt generation of the normal form library a few weeks ago and which gets released as part of ISPConfig 3.0.2 was not applied to the corresponding function of the remoting lib and the password reset function. I applied the changes to the remoting lib and password reset now too to fix the issue you pointed out, please check if it works now for you.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#4
9th March 2010, 08:51
papyHerman

I've encountered problems with the old version 2, but recently,
I downloaded version 3.0.1.6 on 5 March.
Ok. I will download the last version and try an upgrade...
#5
9th March 2010, 09:59
papyHerman

Quote:
Originally Posted by till
... The fix that has been applied to ... part of ISPConfig 3.0.2 ...

The currently available version is 3.0.1.6. How do I get a more recent version?
#6
9th March 2010, 10:31
till

The changes are in SVN. If your system is used in production, you should wait for the release of the 3.0.2 final. If it's a test system, update the installation to svn by running:

ispconfig_update.sh

and then choose svn as update source.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#7
11th March 2010, 00:37
papyHerman
rand 64-126

I've downloaded the version ISPConfig-3.0.2-rc1.tar.gz
and a little ``find . -type f -print0 | xargs -0 grep -Hi rand.*64.126''
always shows 3 files: web/login/password_reset.php,
lib/classes/tform.inc.php and lib/classes/remoting_lib.inc.php.

There is a problem with many characters between 64 and 126:
pipe, backslash, and so on.

This could cause problems when parsing some config files,
like postfix's userdb...

At all to obtain 63 characters as ``saltpack'', you don't use numbers.
#8
11th March 2010, 08:37
till

Quote:
There is a problem with many characters between 64 and 126:
pipe, backslash, and so on.

As I posted above, the code has been changed in SVN and not in RC1. The code in SVN uses only characters for salts that are ok.

Quote:
and a little ``find . -type f -print0 | xargs -0 grep -Hi rand.*64.126''
always shows 3 files: web/login/password_reset.php,
lib/classes/tform.inc.php and lib/classes/remoting_lib.inc.php.

You should not rely on find. Find can neither tell you if a bit of code is used nor if it's commented out.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
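
The alphabet-restricted salt this thread discusses, as an added example that is not part of the original posts and not ISPConfig's code. The function names are hypothetical, the password is a constructed sample, and PHP 7 or later is assumed for random_int().

```php
<?php
// Added example, not ISPConfig code. All function names are hypothetical.

// The 64-character alphabet crypt(3) uses for salts and hash output.
const CRYPT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Build an MD5-crypt salt: "$1$" + 8 alphabet characters + "$".
// MD5-crypt reads at most 8 salt characters, so 8 is the useful length.
function md5_crypt_salt(): string
{
    $salt = '$1$';
    for ($n = 0; $n < 8; $n++) {
        // random_int() draws from the operating system's CSPRNG.
        $salt .= CRYPT_ALPHABET[random_int(0, 63)];
    }
    return $salt . '$';
}

// Collect the characters in the old range chr(64)..chr(126) that fall
// outside the crypt alphabet (the ones that can upset file parsers).
function unsafe_chars_in_old_range(): string
{
    $bad = '';
    for ($c = 64; $c <= 126; $c++) {
        if (strpos(CRYPT_ALPHABET, chr($c)) === false) {
            $bad .= chr($c);
        }
    }
    return $bad;
}

// True when a stored hash is a well-formed MD5-crypt string, i.e. safe
// to write into a delimiter-separated password or user database file.
function is_clean_md5_crypt(string $hash): bool
{
    return preg_match('#^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$#D', $hash) === 1;
}

$password = 'constructed-sample-password';   // constructed sample input
$hash = crypt($password, md5_crypt_salt());

var_dump(is_clean_md5_crypt($hash));                   // format check
var_dump(hash_equals($hash, crypt($password, $hash))); // verification round trip
echo unsafe_chars_in_old_range(), "\n";                // characters to avoid
```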