How to activate MD5 passwords?

Discussion in 'Installation/Configuration' started by popeye, Mar 9, 2006.

  1. popeye

    popeye New Member

    I've successfuly instaled ISPConfig 2.2.0 on Debian Sarge 3.1. Problem is, I still have shadow passwords in /etc/shadow instead of MD5.

    Release notes says version 2.2.0 has support for MD5.

    How do I activate MD5 passwords?
     
  2. bjmg

    bjmg New Member

  3. popeye

    popeye New Member

    Yes, it is. I've posted this here because turning MD5 support on should be configuration problem.
     
  4. popeye

    popeye New Member

    In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php
    find (line 109 - 113)
    and change it to:

    It works for me.
     
  5. bjmg

    bjmg New Member

    And the other problem can be fixed int the same way but you have to be a bit more careful because you have to check if your system supports md5 crypted password or not. I would really love it if your patch would be integrated into the next version.

    Bernhard
     
  6. bjmg

    bjmg New Member

    After looking into the whole source code I think I am able to provide a security patch for these issues. This patch will include your patch (above - but I will go a step further) and a patch for .htpasswd files.
    Does someone else need that patch?

    Bernhard
     
  7. popeye

    popeye New Member

    I think we all need that, therefor it should be accepted in next release. Post the patch when you're done.

    Cheers :)
     
  8. till

    till Super Moderator

    Do you like to join the ISPConfig development team?

    http://www.howtoforge.com/forums/showthread.php?t=135

    It will make things easier for us if patches where integrated directly in the latest SVN.
     
  9. till

    till Super Moderator

    ISPConfig implements the crypt-md5. It is a more secure alternative of the plain crypt function. Your implementation is pure md5 and not a replacement for the crypt-md5 that we implemented. But currently the variable content of $go_info["server"]["password_hash"] is misleading in config.inc.php

    What do you think of this patch:

    Code:
    if($go_info["server"]["password_hash"] == 'crypt') {
    $passwort = "||||:".crypt($user["user_passwort"],substr($user["user_passwort"],0,2));
    } elseif ($go_info["server"]["password_hash"] == 'crypt-md5') {
    $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
    } else {
    $passwort = "||||:". md5(stripslashes($user["user_passwort"]));
    }
    Also you will have to change this twice, once in the user_insert function and once in the user_update function. Both are in the same file.
     
    Last edited: Mar 9, 2006
  10. bjmg

    bjmg New Member

    Not at the moment - sorry.
    I am happy to help out with patches (even agains a [public readable] SVN repository using svn diff) but I have no time to develop new features or something like that. Anyway I am able to help with small patches that are needed to have an even better ISPConfig.

    Bernhard
     
  11. bjmg

    bjmg New Member

    Code:
    $passwort = "||||:". crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()) );
    }
    This is NOT more secure than a true md5 with a correct salt.
    By the way: a crypt salt only consists of two (2) chars. Don't forget that.
    Like this one (not tested - sorry):
    Code:
    $passwort = "||||:". md5("$1$md5(time())."$".stripslashes($user["user_passwort"]));
    
    A correct salt for md5 has a length of 12 chars and 8 of those 12 chars should be random. A salt always starts with $1$ and ends with $.
    So this is a correct salt "$1$xxxxxxxx$".
    I'll provide a patch that uses correct salts. Just look into it or even better look into some description of md5 in passwd/shadow files.

    Bernhard
     
  12. till

    till Super Moderator

    Thanks.

    I've not written that code. I will have a look into it.
     
  13. bjmg

    bjmg New Member

    Above I wrote md5(). I actually meant to use the md5 version of crypt. I also verified that your md5 encryption works but in general random data is better for encryptions than time data. It seems that PHP5 does not care about the missing $ at the end of the salt. And it does not care about the too long salt. But I think you really should use a right length/right formed salt.

    Bernhard
     

Share This Page