Awkward function client_change_password

Discussion in 'General' started by mrtnzlml, Jun 6, 2013.

  1. mrtnzlml

    mrtnzlml New Member

    Hi, I am confused. Again.
    If you change a client's password via ISPConfig, it's OK. It is in the database as something like this:
    BUT if you change a client's password via the remote API using the client_change_password function, then it is something like this (MD5):
    And of course login is impossible.

    Am I doing something wrong, or is it a bug?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's both OK, as ISPConfig supports md5 passwords and crypt passwords for the user login.
  3. mrtnzlml

    mrtnzlml New Member

    Oh no, bad news.
    I was happy about the crypt function. So, if I want to change a password via the remote API, then I must reprogram my remote login to accept crypt and MD5 hashes?

    Hm, is there any reason why ISPConfig accepts MD5 (and one function generates MD5)? Backward compatibility? I think it's a bit of a security weak point.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig supports md5 for backward compatibility. Old versions use md5 and new versions use crypt. The client_change_password function is deprecated and will be removed in the future. Please use the client_update function if you want to update any value of a client record.
  5. mrtnzlml

    mrtnzlml New Member

    Thanks for the explanation.

    I hope that the MD5 alternative login will be removed as soon as possible.

    One more thing. Is it planned to implement remote access to the APS installer?
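
Added example (not from the thread and not ISPConfig's own code): a login check for the situation discussed above, where a stored client password may be either a crypt() hash or a legacy MD5 hash. It assumes the legacy value is a 32-character hex md5() digest and the crypt value starts with `$`; the function name, status strings and sample passwords are made up for illustration.

```php
<?php
// Added example, not ISPConfig code. Assumptions: legacy values are
// 32 hex characters of unsalted md5(); current values are crypt()-format
// strings beginning with '$'. verify_stored_password() is a hypothetical name.

/**
 * Check a password against a stored hash of either format.
 * Returns 'ok', 'ok_legacy_md5' (valid, but stored as weak MD5) or 'fail'.
 */
function verify_stored_password(string $password, string $stored): string
{
    // crypt()-format hash ("$id$salt$hash"): password_verify() is
    // compatible with crypt() output and compares in constant time.
    if ($stored !== '' && $stored[0] === '$') {
        return password_verify($password, $stored) ? 'ok' : 'fail';
    }

    // Legacy unsalted MD5: accept only an exact 32-hex-digit value and
    // compare with hash_equals() to avoid a timing side channel.
    if (preg_match('/\A[0-9a-f]{32}\z/i', $stored) === 1) {
        return hash_equals(strtolower($stored), md5($password))
            ? 'ok_legacy_md5'
            : 'fail';
    }

    // Unknown or empty format: fail closed.
    return 'fail';
}

// Constructed sample data (not real ISPConfig records).
$samples = [
    'crypt row' => crypt('S3cret!example', '$6$rounds=5000$constructedsalt$'),
    'md5 row'   => md5('S3cret!example'),
    'junk row'  => 'not-a-hash',
];

foreach ($samples as $label => $stored) {
    printf("%-10s correct=%-14s wrong=%s\n",
        $label,
        verify_stored_password('S3cret!example', $stored),
        verify_stored_password('wrong-guess', $stored));
}
```

A result of `ok_legacy_md5` marks an account whose password should be set again through client_update, as recommended in the thread, so that it is stored in crypt format.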
