Hi, as promised here is my patch for more secure passwords. It now uses a correct md5 encryption and a better salt (more secure) for the standard encryption (DES). Also .htpasswd files are generated with MD5 encryption (if enabled). This is completely new. The mailuser backend now also supports MD5 encryption. This is completely new too. I hope I did not make any mistakes. At least I think the code works well.

To patch your installation you have to do the following:

copy the file in the attachment to /home/admispconfig/ispconfig

run the command:
patch --dry-run -p1 -i secure-passwords.txt

If there was NO error run the command:
patch -p1 -i secure-passwords.txt

That's it!

Before I forget it: DON'T TRUST ANY EXTERNAL CODE WITHOUT PROOFREADING IT. (And not in any case if it changes something on encryption functions.)

Bernhard
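To make concrete what the "$1$" MD5 crypt scheme and an eight-character salt look like (the format the patch writes to /etc/shadow and .htpasswd), here is an added Python example. It is not Bernhard's patch and not ISPConfig code; the function names (new_salt, md5_crypt, verify, htpasswd_line) are my own. It implements the FreeBSD/glibc md5-crypt algorithm with hashlib; the same algorithm with the magic "$apr1$" is what Apache's htpasswd -m produces. The DES scheme that the patch improves on only has a two-character salt from the same alphabet, which is why its salt space is so small.

```python
import hashlib
import hmac
import secrets

# crypt(3) alphabet used for salts and for encoding the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def new_salt(length: int = 8) -> str:
    """Random salt from the crypt(3) alphabet, drawn from a CSPRNG.
    md5-crypt uses up to 8 characters; DES crypt only uses 2."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """MD5-based crypt(3) ("$1$" of FreeBSD/glibc). magic="$apr1$" gives the
    Apache htpasswd -m variant, which differs only in the magic string."""
    salt = salt[:8]                      # the scheme uses at most 8 salt chars
    pw = password.encode("utf-8")
    sb = salt.encode("ascii")
    ctx = hashlib.md5(pw + magic.encode("ascii") + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                 # mix in the alternate sum, len(pw) bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                          # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                # stretching loop, fixed 1000 rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return f"{magic}{salt}${enc}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the salt embedded in the stored hash and compare in
    constant time. Returns False for hashes in any other scheme."""
    for magic in ("$apr1$", "$1$"):
        if stored.startswith(magic):
            salt = stored[len(magic):].split("$", 1)[0]
            return hmac.compare_digest(md5_crypt(password, salt, magic), stored)
    return False


def htpasswd_line(user: str, password: str) -> str:
    """One .htpasswd entry in the format Apache's htpasswd -m writes."""
    return f"{user}:{md5_crypt(password, new_salt(), '$apr1$')}"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    print(md5_crypt("password", "xxxxxxxx"))
    print(htpasswd_line("demo", "correct horse"))
```

verify() only recomputes the hash and compares it; it does not decide which scheme is safe, so a deployment migrating away from DES still needs to rehash each account on its next successful login.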
Hi Bernhard, thanks for the patch! We will review it and merge it in SVN if everything works as expected. Till
Hello, does that code also affect the passwords for the web login (stored in mysql isp_isp_kunde:webadmin_passwort)? Those are anyway more vulnerable than the ones in /etc/shadow because mysql access rights are enough to read them. ciao arnim
These are totally different passwords. The password in the field isp_isp_kunde:webadmin_passwort is an md5 encrypted password of the client for the ISPConfig web interface. Do not mix them up with the (Linux) user passwords this thread is about. The client passwords are encrypted with totally different algorithms so they are not affected by the issue described in this thread. Also we can not store passwords in /etc/shadow that we need for authentication in the web interface.