Salt generation for CRYPT passwords

Discussion in 'Developers' Forum' started by papyHerman, Mar 8, 2010.

  1. papyHerman

    papyHerman New Member

    Due to errors in parsing authorization file, i've rewrited some part of PHP:
    There is a purposed patch:
    (same with interface/lib/classes/tform.inc.php, interface/lib/classes/remoting_lib.inc.php and this: password_reset.php)
    [PRE]
    +++ ispconfig3_install_felix/interface/web/login/password_reset.php 2010-03-08 13:28:52.000000000 +0000
    @@ -53,9 +53,13 @@

    if($client['client_id'] > 0) {
    $new_password = md5 (uniqid (rand()));
    + $saltpack=array[(]"a","b","c","d","e","f","g","h","i","j","k","l","m","n",
    + "o","p","q","r","s","t","u","v","w","x","y","z","A","B","C","D","E",
    + "F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V",
    + "W","X","Y","Z","0","1","2","3","4","5","6","7","8","9",".","/");
    $salt="$1$";
    for ($n=0;$n<11;$n++) {
    - $salt.=chr(mt_rand(64,126));
    + $salt.=$saltpack[rand(0,63)];
    }
    $salt.="$";
    $new_password_encrypted = crypt($new_password,$salt);
    [/PRE]
     
  2. papyHerman

    papyHerman New Member

    Due to errors in parsing authorization file, i've rewrited some part of PHP:
    There is a purposed patch:
    (same with interface/lib/classes/tform.inc.php, interface/lib/classes/remoting_lib.inc.php and this: password_reset.php)
    <PRE>
    +++ ispconfig3_install_felix/interface/web/login/password_reset.php 2010-03-08 13:28:52.000000000 +0000
    @@ -53,9 +53,13 @@

    if($client['client_id'] > 0) {
    $new_password = md5 (uniqid (rand()));
    + $saltpack=array[(]"a","b","c","d","e","f","g","h","i","j","k","l","m","n",
    + "o","p","q","r","s","t","u","v","w","x","y","z","A","B","C","D","E",
    + "F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V",
    + "W","X","Y","Z","0","1","2","3","4","5","6","7","8","9",".","/");
    $salt="$1$";
    for ($n=0;$n<11;$n++) {
    - $salt.=chr(mt_rand(64,126));
    + $salt.=$saltpack[rand(0,63)];
    }
    $salt.="$";
    $new_password_encrypted = crypt($new_password,$salt);
    </PRE>
     
  3. till

    till Super Moderator

    Which ISPConfig version did you use? The fix that has been applied to the salt generation of the normal form library a few weeks ago and which gets released as part of ISPConfig 3.0.2 was not applied to the corresponding function of the remoting lib and the password reset function. I applied the changes to the remoting lib and password reset now too to fix the issue you pointed out, please check if it works now for you.
     
  4. papyHerman

    papyHerman New Member

    I've encountered problems with old version 2, but recently,
    I downloaded version 3.0.1.6 on 5 march.
    Ok. I will download last version and try an updrade...
     
  5. papyHerman

    papyHerman New Member

    The currently available version is 3.0.1.6, How do I get more recent version?
     
  6. till

    till Super Moderator

    The changes are in SVN. If your system is used in production, you should wait for the release 0f the 3.0.2 final. If its a test system, update the installation to svn by running:

    ispconfig_update.sh

    and then choose svn as update source.
     
  7. papyHerman

    papyHerman New Member

    rand 64-126

    I've downloaded the version ISPConfig-3.0.2-rc1.tar.gz
    and a little ``find . -type f -print0 | xargs -0 grep -Hi rand.*64.126''
    show always 3 files: web/login/password_reset.php,
    lib/classes/tform.inc.php and lib/classes/remoting_lib.inc.php.

    There are a problem with many characters between 64 and 126:
    pipe, backslash, and so on.

    This could make problem when parsing some config files,
    like postfix's userdb...

    At all to obtain 63 characters as ``saltpack'', you don't use numbers.
     
  8. till

    till Super Moderator

    As I posted above, the code has been changed in SVN and not in RC1. The Code in SVN uses only characters for salts that are ok.

    You should not rely on find. Find can neither tell you if a bit of code is used nor if its commented out.
     

Share This Page