[2.2.0] My patch for more secure passwords

Discussion in 'General' started by bjmg, Mar 10, 2006.

  1. bjmg

    bjmg New Member

    Hi,

    as promised here is my patch for more secure passwords.
    It now uses a correct md5 encryption and a better salt (more secure) for the standard encryption (DES).
    Also .htpasswd files are generated with MD5 encryption (if enabled). This is completely new.
    The mailuser backend now also supports MD5 encryption. This is completely new too.

    I hope I did not make any mistakes. At least I think the code works well.

    To patch your installation you have to do the following:
    copy the file in the attachment to /home/admispconfig/ispconfig
    run the command: patch --dry-run -p1 -i secure-passwords.txt
    If there was NO error run the command:
    patch -p1 -i secure-passwords.txt
    That's it!

    Before I forget it:
    DON'T TRUST ANY EXTERNAL CODE WITHOUT PROOF READING IT.
    (And not in any case if it changes something on encryption functions.)

    Bernhard
     

    Attached Files:
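    For readers who want to see what "a correct md5 encryption and a better salt" means in practice, here is a small self-contained Python implementation of the crypt(3) MD5 scheme that /etc/shadow uses (the `$1$` form) and the `$apr1$` variant that Apache's htpasswd writes. This is an added example, not the patch attached to this post and not ISPConfig code; the function names (`md5_crypt`, `verify`, `random_salt`, `htpasswd_line`) and the sample users are my own choices. The salt comes from the CSPRNG over the crypt salt alphabet, which is the part a weak implementation usually gets wrong (fixed or clock-derived salts let identical passwords hash identically and make precomputed tables cheap).

```python
"""Added example: salted MD5-crypt for /etc/shadow ($1$) and .htpasswd ($apr1$)."""
import hashlib
import hmac
import secrets

# crypt(3) salt alphabet; the same 64 characters encode the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def random_salt(length: int) -> str:
    """Unpredictable salt from the CSPRNG: 8 chars for MD5-crypt, 2 for classic DES crypt."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def _to64(value: int, n: int) -> str:
    """crypt's little-endian base64 of the low 6*n bits of value."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """MD5-crypt as in the FreeBSD/glibc reference (1000 rounds of stretching).

    magic "$1$" yields the /etc/shadow form, "$apr1$" the Apache htpasswd form.
    """
    pw = password.encode()
    sl = salt[:8].encode()  # crypt(3) uses at most 8 salt characters
    mg = magic.encode()

    ctx = hashlib.md5(pw + mg + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    pl = len(pw)
    while pl > 0:  # mix in the alternate digest once per 16 bytes of password
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:  # one byte per bit of the password length: NUL or first password byte
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):  # key stretching: the order of inputs depends on the round number
        h = hashlib.md5()
        h.update(pw if i & 1 else final)
        if i % 3:
            h.update(sl)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()

    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return magic + sl.decode() + "$" + encoded


def verify(password: str, stored: str) -> bool:
    """Re-hash with the salt embedded in the stored string; compare in constant time."""
    parts = stored.split("$")  # "", "1" or "apr1", salt, digest
    if len(parts) != 4 or parts[1] not in ("1", "apr1"):
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2], "$" + parts[1] + "$"), stored)


def htpasswd_line(user: str, password: str) -> str:
    """One .htpasswd entry in the MD5 form Apache accepts (fresh random salt each call)."""
    return f"{user}:{md5_crypt(password, random_salt(8), '$apr1$')}"


if __name__ == "__main__":
    # constructed sample: same password, two fresh salts, two different hashes
    shadow_a = md5_crypt("correct horse", random_salt(8))
    shadow_b = md5_crypt("correct horse", random_salt(8))
    print(shadow_a, shadow_b, shadow_a != shadow_b)
    print(htpasswd_line("web1_alice", "correct horse"))
```

Both the shadow and the htpasswd entries carry their salt in the string, so `verify` needs nothing but the stored value. The two-character salt that classic DES crypt takes comes from the same alphabet (`random_salt(2)`); the scheme itself is still weak (8-character password limit, tiny salt space), which is why moving to MD5-crypt was worth a patch in the first place.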

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Hi Bernhard,

    thanks for the patch! We will review it and merge it in SVN if everything works as expected.

    Till
     
  3. olaus

    olaus New Member

    hello,

    does that code also affect the passwords for the web-login ( stored in mysql isp_isp_kunde:webadmin_passwort ) ?
    those are anyway more vulnerable than the ones in /etc/shadow because mysql-access rights are enough to read them.

    ciao
    arnim

     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    These are totally different passwords.

    The password in the field isp_isp_kunde:webadmin_passwort is an md5 encrypted password of the client for the ISPConfig web interface. Do not mix them up with the (Linux) user passwords this thread is about.

    The client passwords are encrypted with totally different algorithms so they are not affected by the issue described in this thread. Also we cannot store passwords in /etc/shadow that we need for authentication in the web interface.
     
