I just started back to playing with Linux again. I must say I enjoy all the support available at this site, and there is some heavy brain power on the ISPConfig team. So anyway, I did the apt-get updates and installed the stable version of the latest ISPConfig build, but one thing does worry me. The login on port 81 is secure to the best of my knowledge. However, when I do log in and access Web-FTP and type in a password like "password", I am able to log in. Fair enough, I set it up that way. When I type "passwor" it boots me out and asks me to try again. However, when I type password1 or password123 it lets me log in. Sorry, I'm still trying to determine if it is something I missed during the setup.
Yeah, I cleared my cache and cookies and removed anything checked in autocomplete for IE. I then checked to see if it was a weird browser thing, so I ran the password test with Firefox and the same problem happened.
ISPConfig uses by default the Linux function "crypt" to encrypt the passwords. The old version of this encryption uses only the first 8 chars of a password, so "password" and "password12345" are the same. ISPConfig also supports the newer password encryption, which is not length limited to 8 chars. To enable this encryption, please change the line:

$go_info["server"]["password_hash"] = 'crypt'; // 'crypt' = crypt; 'md5' = crypt-md5

to:

$go_info["server"]["password_hash"] = 'md5'; // 'crypt' = crypt; 'md5' = crypt-md5

in the file /home/admispconfig/ispconfig/lib/config.inc.php

Every new or updated password will use the new encryption then.
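The behaviour described in the reply above, as an added example that is not part of the original thread and is not ISPConfig's own code: it hashes "password" with both schemes through PHP's crypt(), tries the four passwords from the first post, and names the scheme of each stored hash from its format. The account names, salts and the hash_scheme() and check_password() helpers are made up for the illustration.

```php
<?php
// Added example, not ISPConfig code. Salts and account names are constructed.

// Name the scheme from the stored hash format (crypt(3) conventions).
function hash_scheme(string $stored): string
{
    if (strncmp($stored, '$1$', 3) === 0) {
        return 'md5';    // crypt-md5, whole password is hashed
    }
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $stored) === 1) {
        return 'crypt';  // traditional DES crypt, first 8 chars only
    }
    return 'other';
}

// crypt() takes scheme and salt from the stored hash itself.
function check_password(string $candidate, string $stored): bool
{
    return hash_equals($stored, crypt($candidate, $stored));
}

$stored = [
    'web1_old' => crypt('password', 'ab'),            // 2-char salt: DES crypt
    'web1_new' => crypt('password', '$1$abcdefgh$'),  // $1$ salt: crypt-md5
];

foreach ($stored as $account => $hash) {
    printf("%s uses %s\n", $account, hash_scheme($hash));
    foreach (['passwor', 'password', 'password1', 'password123'] as $try) {
        printf("  %-12s %s\n", $try,
            check_password($try, $hash) ? 'accepted' : 'rejected');
    }
}
```

Since only new or updated passwords get the new encryption, any stored hash that hash_scheme() reports as 'crypt' after the config change still has the 8-character limit until that password is set again.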
Is this 'crypt' encryption function the default used by the last versions of ISPConfig? I've installed version 2.2.12 and was having issues with password length until I found this thread. By default, the fresh installation was using the 'crypt' function. Shouldn't it use the newer one (i.e. md5)? Thanks!!
The default will be the setting that works on all supported Linux distributions, and that is the plain old crypt function. We will switch to md5 later when we can make sure that it works on all Linux distributions flawlessly. You can change this setting for your installation to md5; that's why it is configurable in config.inc.php.