Password Worry

Discussion in 'Installation/Configuration' started by newblinux, Nov 24, 2006.

  1. newblinux

    newblinux New Member

    I just started back to playing with Linux again. I must say I enjoy all the support available at this site, and there is some heavy brain power on the ISPConfig team.

    So anyway I did the apt-get updates and installed the stable version of the latest ispconfig build, but one thing does worry me.

    The login on port 81 is secure to the best of my knowledge. However, when I do log in and access Web-Ftp and type in a password like "password", I am able to log in. Fair enough, I set it up that way. When I type "passwor" it boots me out and asks me to try again. However, when I type password1 or password123 it lets me log in. Sorry, I'm still trying to determine if it is something I missed during the setup. :confused:
     
  2. sjau

    sjau Local Meanie Moderator

    It shouldn't act the way it does for you... maybe falko or till can tell you more on that...
     
  3. newblinux

    newblinux New Member

    Yeah

    I cleared my cache and cookies and removed anything checked in autocomplete for IE.
    I then checked to see if it was a weird browser thing so I ran the password test with Firefox and the same problem happened. :confused:
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig uses by default the Linux function "crypt" to encrypt the passwords. The old version of this encryption uses only the first 8 chars of a password, so "password" and "password12345" are the same.

    ISPConfig also supports the newer password encryption which is not length limited to 8 chars. To enable this encryption, please change the line:

    $go_info["server"]["password_hash"] = 'crypt'; // 'crypt' = crypt; 'md5' = crypt-md5

    to:

    $go_info["server"]["password_hash"] = 'md5'; // 'crypt' = crypt; 'md5' = crypt-md5

    in the file /home/admispconfig/ispconfig/lib/config.inc.php

    Every new or updated password will use the new encryption then.
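
Because only new or updated passwords pick up the 'md5' setting, accounts created earlier keep their 8-character-truncating hash until the password is changed. The following added example (not part of the original thread and not ISPConfig code) lists accounts still stored as traditional DES crypt; it assumes the hashes are available as shadow(5)-format lines, and the sample lines and user names are constructed.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, no "$" prefix.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# md5-crypt: "$1$", a salt of up to 8 chars, "$", then 22 hash chars.
MD5_CRYPT = re.compile(r"\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}")


def classify(field):
    """Return the hash scheme of one shadow password field."""
    if field == "":
        return "empty"
    locked = field.startswith(("!", "*"))  # lock markers may precede a hash
    body = field.lstrip("!*")
    if body == "":
        return "locked-no-hash"
    if DES_CRYPT.fullmatch(body):
        scheme = "des-crypt"
    elif MD5_CRYPT.fullmatch(body):
        scheme = "md5-crypt"
    elif body.startswith("$"):
        scheme = "other-modular"  # some other $id$ scheme, not length-limited to 8
    else:
        scheme = "unknown"
    return scheme + ("-locked" if locked else "")


def truncating_accounts(shadow_text):
    """List user names whose stored hash is traditional DES crypt."""
    hits = []
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if classify(parts[1]).startswith("des-crypt"):
            hits.append(parts[0])
    return hits


# Constructed sample data: these strings only have the right shape,
# they are not hashes of any real password.
SAMPLE = """\
web1_alice:ab0123456789.:13476:0:99999:7:::
web1_bob:$1$constrct$0123456789abcdefghijkl:13476:0:99999:7:::
web2_carol:!ab0123456789.:13476:0:99999:7:::
daemon:*:13476:0:99999:7:::
"""

if __name__ == "__main__":
    for user in truncating_accounts(SAMPLE):
        print(f"{user}: DES crypt hash, only the first 8 password chars count")
```

Accounts it reports need a password change after the setting is switched before the full password length is checked.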
     
  5. ./w

    ./w New Member

    Is this 'crypt' encryption function the default used by the last versions of ISPConfig?
    I've installed version 2.2.12 and was having issues with password length until I found this thread. By default, the fresh installation was using the 'crypt function'.

    Shouldn't it use the newer one (i.e. md5)?

    Thanks !!
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The default will be the setting that works on all supported Linux distributions, and that is the plain old crypt function. We will switch to md5 later when we can make sure that it works on all Linux distributions flawlessly.

    You can change this setting for your installation to md5, that's why it is configurable in config.inc.php.
     
