I've successfully installed ISPConfig 2.2.0 on Debian Sarge 3.1. The problem is, I still have plain crypt passwords in /etc/shadow instead of MD5. The release notes say version 2.2.0 has support for MD5. How do I activate MD5 passwords?
I think this is somehow related to that problem: http://www.howtoforge.com/forums/showthread.php?t=3000 Bernhard
In /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_user.lib.php find (line 109 - 113) and change it to: It works for me.
And the other problem can be fixed in the same way, but you have to be a bit more careful because you have to check whether your system supports MD5-crypted passwords or not. I would really love it if your patch were integrated into the next version. Bernhard
After looking into the whole source code I think I am able to provide a security patch for these issues. This patch will include your patch (above - but I will go a step further) and a patch for .htpasswd files. Does someone else need that patch? Bernhard
I think we all need that, therefore it should be accepted in the next release. Post the patch when you're done. Cheers
Would you like to join the ISPConfig development team? http://www.howtoforge.com/forums/showthread.php?t=135 It will make things easier for us if patches are integrated directly into the latest SVN.
ISPConfig implements crypt-md5. It is a more secure alternative to the plain crypt function. Your implementation is pure md5 and not a replacement for the crypt-md5 that we implemented. But currently the content of the variable $go_info["server"]["password_hash"] in config.inc.php is misleading. What do you think of this patch?
Code:
if($go_info["server"]["password_hash"] == 'crypt') {
    $passwort = "||||:".crypt($user["user_passwort"], substr($user["user_passwort"],0,2));
} elseif ($go_info["server"]["password_hash"] == 'crypt-md5') {
    $passwort = "||||:".crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()));
} else {
    $passwort = "||||:".md5(stripslashes($user["user_passwort"]));
}
Also you will have to change this twice, once in the user_insert function and once in the user_update function. Both are in the same file.
Not at the moment - sorry. I am happy to help out with patches (even against a [publicly readable] SVN repository using svn diff), but I have no time to develop new features or something like that. Anyway, I am able to help with small patches that are needed to have an even better ISPConfig. Bernhard
Code:
$passwort = "||||:".crypt(stripslashes($user["user_passwort"]), "$1$".md5(time()));
This is NOT more secure than a true md5 with a correct salt. By the way: a crypt salt only consists of two (2) chars. Don't forget that. Like this one (not tested - sorry):
Code:
$passwort = "||||:".md5("$1$".md5(time())."$".stripslashes($user["user_passwort"]));
A correct salt for md5 has a length of 12 chars and 8 of those 12 chars should be random. A salt always starts with $1$ and ends with $. So this is a correct salt: "$1$xxxxxxxx$". I'll provide a patch that uses correct salts. Just look into it or, even better, look into some description of md5 in passwd/shadow files. Bernhard
Above I wrote md5(). I actually meant to use the md5 version of crypt. I also verified that your md5 encryption works but in general random data is better for encryptions than time data. It seems that PHP5 does not care about the missing $ at the end of the salt. And it does not care about the too long salt. But I think you really should use a right length/right formed salt. Bernhard
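As an added example (not Bernhard's patch and not ISPConfig's own code), this is what a correctly formed crypt-md5 salt ("$1$" + 8 random chars + "$") looks like when generated from a CSPRNG instead of time(), together with a verify step; it assumes PHP 7.4 or later, and the function names are hypothetical.

```php
<?php
// Added example: build a well-formed crypt-md5 salt and hash/verify a password.
// Not ISPConfig code. Assumes PHP 7.4+ (random_int, hash_equals, crypt with MD5).

// crypt() salts are drawn from this 64-character alphabet ("./0-9A-Za-z").
const SALT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Return a "$1$xxxxxxxx$" salt: 12 chars, the 8 in the middle random.
// random_int() is a CSPRNG, so two users never share a predictable salt
// the way md5(time()) can give them within the same second.
function make_md5crypt_salt(): string
{
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= SALT_ALPHABET[random_int(0, 63)];
    }
    return '$1$' . $salt . '$';
}

// Hash a password in the "$1$..." format that /etc/shadow and .htpasswd accept.
function hash_md5crypt(string $password, ?string $salt = null): string
{
    $salt ??= make_md5crypt_salt();
    // Refuse malformed salts (wrong prefix, wrong length, missing trailing $)
    // instead of relying on crypt() to silently tolerate them.
    if (!preg_match('/^\$1\$[.\/0-9A-Za-z]{8}\$$/', $salt)) {
        throw new InvalidArgumentException('salt must look like $1$xxxxxxxx$');
    }
    $hash = crypt($password, $salt);
    // crypt() returns a short "*0"/"*1" string when the algorithm is unavailable;
    // that must never be stored as a password hash.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt-md5 is not supported on this system');
    }
    return $hash;
}

// The stored hash carries its own salt, so re-crypt with the stored value
// and compare in constant time.
function verify_md5crypt(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample: a fixed salt makes the output reproducible for inspection.
$hash = hash_md5crypt('secret', '$1$abcdefgh$');
echo $hash, "\n";
var_dump(verify_md5crypt('secret', $hash));
var_dump(verify_md5crypt('wrong', $hash));
```

In a real user_insert/user_update path the salt argument is omitted so that each stored password gets its own random salt.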