ISPCONFIG 3 password encryption

Discussion in 'Developers' Forum' started by jariasca, Apr 28, 2010.

  1. jariasca

    jariasca Member

    Hi all,

    I'm Developing a new management interface for my postfix for inhouse use.
    does anybody know how is the ispconfig 3 password encrypted.

    I'm using coldfusion 8

    thanks
    Jorge
     
  2. edge

    edge HowtoForge Supporter

    Yahooo.. An other CF8 users.

    I think that ISPconfig is using PHP's md5 as encryption, but to make sure you better wait for one of the developers to answer your question.
     
  3. till

    till Super Moderator

    The passwords in ispconfig are encrypted with "crypt" and a salt, thats the standard encryption on all Linux systems and ISPConfig uses this too.
     
  4. jariasca

    jariasca Member

    Hi, is there a way to get an example code nevermind if it is in php, or maybe you can tell me where in the source code of the ispconfig 3 can I see this encrpytion.
     
  5. mike_p

    mike_p Member

    Now I'm confused!
    Looking at the source code in
    /usr/local/ispconfig/interface/web/client/client_edit.php

    I see
    Code:
    $sql = "UPDATE sys_user SET passwort = md5('$password') WHERE client_id = $client_id";
    That suggests that the system users' passwords are encrypted by mysql applying md5??
     
  6. till

    till Super Moderator

    md5 is a fallback mechanism supported only for the sys_user table. Normally all passwords for all users (ssh, email, ftp and sys_user) are encrypted with crypt. Take a look at the /usr/local/ispconfig/interface/lib/classes/tform.inc.php file which handles the encryption for all password form fields.
     
  7. mike_p

    mike_p Member

    Thanks for the swift explanation!
     
  8. jariasca

    jariasca Member

    Ok I got more or less how is done

    What I think is this

    got the salt '$1$' and make a loop 12 times adding the salt + a random character between 64 - 126 (ascii)

    example $1$ABCDE......

    After I got this salt I need to crypt the salt + a key how can I get that key?

    please correct me if I'm wrong

    Jorge


    Code:
     
    if($field['formtype'] == 'PASSWORD') {
    if(isset($field['encryption']) && $field['encryption'] == 'CRYPT') {
    $salt="$1$";
    for ($n=0;$n<11;$n++) {
    $salt.=chr(mt_rand(64,126));
              }
    $salt.="$";
    // $salt = substr(md5(time()),0,2);
    $record[$key] = crypt($record[$key],$salt);
    $sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
    
     
  9. Ben

    Ben HowtoForge Supporter

    What do you mean by getting the "key"? For my understanding the key is the "password", the salt is just combined with it when crypting to act against rainbowtables.
    So what you just to to verify the crendtials is after fetching the key / password, rebuild the hash (the salt can bea read from the existing crypt hash) with the given key and compare both.
     
  10. mike_p

    mike_p Member

    Having looked a the code (quoted by jariasca) there is something I don't understand.

    As far as I know using the MD5 algorithm for crypt (as it appears to be doing) requires a 12 character salt starting with $1$.

    The code above appears to create a salt starting with $1$, then 12 characters then a '$' - which makes the salt 16 characters?

    Surely the loop should only add 8 characters?

    I presume CRYPT will just ignore any extra characters and so won't generate an error.
     
  11. till

    till Super Moderator

    The encryptin is absolutely fine like it is implemented now. The $1$ is not part of the salt, it is a prefix that tells crypt which kind of encryption the password has.
     
  12. mike_p

    mike_p Member

    For future reference the salt should only be 12 characters including the '$1$'
    and the final '$' is optional.

    To confirm it I tested with a simple little php script:

    Code:
    <?
    $salt = '$1$12345678abcd$';
    $res = crypt('whatever',$salt) ;
    
    echo "salt   = $salt\n";
    echo "result = $res\n";
    
    $salt = '$1$12345678$';
    $res = crypt('whatever',$salt) ;
    
    echo "salt   = $salt\n";
    echo "result = $res\n";
    ?>
    ---------------- 
    result....
    ----------------
    salt   = $1$12345678abcd$
    result = $1$12345678$OF2XnrBgffDDN5xlSzPhb.
    salt   = $1$12345678
    result = $1$12345678$OF2XnrBgffDDN5xlSzPhb.
    
    
    ie the extra four characters were simply ignored.

    There is a good description of the MD5 implemenation of crypt in the man page for 'crypt' in the GNU EXTENSION section.
     
  13. jariasca

    jariasca Member

    Ok know I understand the process, is crypt (<password>, <salt>)
    Salt was generated dynamically here

    Code:
    $salt="$1$";
    for ($n=0;$n<11;$n++) {
    $salt.=chr(mt_rand(64,126));
              }
    
    Now I'm making a new interface for my company and I need to make a login using same username and password from email accounts in ISPCONFIG.

    If the <salt> is dynamically generated I think it has to be store somewhere in the database or a text file in my server so that I can get it to crypt the password plus the salt and compare with the one in the IPSCONFIG database so I can log in.

    Where is the salt stored?

    regards
    Jorge
     
  14. mike_p

    mike_p Member

    Its visible as the first 12 characters of the encrypted password.
    If you look at the test I ran above, the encrypted password is shown as
    $1$12345678$OF2XnrBgffDDN5xlSzPhb.
    the first 12 characters ($1$12345678$) = the salt.
     
  15. jariasca

    jariasca Member

    Hi, thanks

    I understand all process. everytime I change password in ISPCONFIG it will generate a new <salt> for each account and then crypt the password so I think that if the <salt> is dynamic generated everytime I change the password it needs to be stored so that I can later retrieve it from a file or sql table to make the encryption and then compare passwords to make the login.

    How does courier makes the login?

    That's my question

    thanks again,
    -Jorge
     
    Last edited: Apr 29, 2010
  16. jariasca

    jariasca Member

    Hi Mike_P

    Ooops, I'm Sorry for asking questions, I already got it, it was always in the password.

    $1$p_vgRwIS$TnJucOgRwJsjUBpNdaut9.

    So I just need to read the <salt> from the password extact it and crypt it with sql encrypt and tha form password to compare.

    Regards
    Jorge
     
  17. till

    till Super Moderator

    If you want to write a new interface, you should consider to use the remting API instead of manipulating the data in the sql tables directly. This will keep your interface compatible to new ispconfig releases.
     
  18. YankeeDoodle

    YankeeDoodle New Member

    sorry if my question is sounding dumb, but could somebody write me a few lines of code in PHP to get the correct password for ISPCONFIG for clients:
    Like:
    $password = "something";
    line 1: .......................
    line 2: .......................
    etc. etc.
    $result = "xxxxxxxxxxxxxxxxxxxx"
    Thanks for your help.
     
  19. till

    till Super Moderator

    Code:
    public function crypt_password($cleartext_password) {
            $salt="$1$";
            $base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
            for ($n=0;$n<8;$n++) {
                $salt.=$base64_alphabet[mt_rand(0, 63)];
            }
            $salt.="$";
            return crypt($cleartext_password, $salt);
        }
     
    laptop_user likes this.
  20. YankeeDoodle

    YankeeDoodle New Member

    Thank you, Till. :)
     

Share This Page