Hi all, I'm developing a new management interface for my postfix for in-house use. Does anybody know how the ISPConfig 3 password is encrypted? I'm using ColdFusion 8. Thanks, Jorge
Yahooo.. Another CF8 user. I think that ISPConfig is using PHP's md5 as encryption, but to make sure you had better wait for one of the developers to answer your question.
The passwords in ISPConfig are encrypted with "crypt" and a salt; that's the standard encryption on all Linux systems and ISPConfig uses this too.
Hi, is there a way to get some example code, never mind if it is in PHP, or maybe you can tell me where in the source code of ISPConfig 3 I can see this encryption?
Now I'm confused! Looking at the source code in /usr/local/ispconfig/interface/web/client/client_edit.php I see
Code:
    $sql = "UPDATE sys_user SET passwort = md5('$password') WHERE client_id = $client_id";
That suggests that the system users' passwords are encrypted by mysql applying md5??
md5 is a fallback mechanism supported only for the sys_user table. Normally all passwords for all users (ssh, email, ftp and sys_user) are encrypted with crypt. Take a look at the /usr/local/ispconfig/interface/lib/classes/tform.inc.php file which handles the encryption for all password form fields.
Ok, I got more or less how it is done. What I think is this: get the salt '$1$' and make a loop 12 times adding the salt + a random character between 64 - 126 (ASCII), for example $1$ABCDE...... After I get this salt I need to crypt the salt + a key. How can I get that key? Please correct me if I'm wrong. Jorge
Code:
    if($field['formtype'] == 'PASSWORD') {
        if(isset($field['encryption']) && $field['encryption'] == 'CRYPT') {
            $salt="$1$";
            for ($n=0;$n<11;$n++) {
                $salt.=chr(mt_rand(64,126));
            }
            $salt.="$";
            // $salt = substr(md5(time()),0,2);
            $record[$key] = crypt($record[$key],$salt);
            $sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
What do you mean by getting the "key"? To my understanding the key is the "password"; the salt is just combined with it when crypting to act against rainbow tables. So what you need to do to verify the credentials is, after fetching the key / password, rebuild the hash (the salt can be read from the existing crypt hash) with the given key and compare both.
Having looked at the code (quoted by jariasca) there is something I don't understand. As far as I know using the MD5 algorithm for crypt (as it appears to be doing) requires a 12 character salt starting with $1$. The code above appears to create a salt starting with $1$, then 12 characters then a '$' - which makes the salt 16 characters? Surely the loop should only add 8 characters? I presume CRYPT will just ignore any extra characters and so won't generate an error.
The encryption is absolutely fine as it is implemented now. The $1$ is not part of the salt, it is a prefix that tells crypt which kind of encryption the password has.
For future reference the salt should only be 12 characters including the '$1$' and the final '$' is optional. To confirm it I tested with a simple little PHP script:
Code:
    <?php
    $salt = '$1$12345678abcd$';
    $res = crypt('whatever',$salt);
    echo "salt = $salt\n";
    echo "result = $res\n";
    $salt = '$1$12345678$';
    $res = crypt('whatever',$salt);
    echo "salt = $salt\n";
    echo "result = $res\n";
    ?>
---------------- result.... ----------------
    salt = $1$12345678abcd$
    result = $1$12345678$OF2XnrBgffDDN5xlSzPhb.
    salt = $1$12345678
    result = $1$12345678$OF2XnrBgffDDN5xlSzPhb.
i.e. the extra four characters were simply ignored. There is a good description of the MD5 implementation of crypt in the man page for 'crypt' in the GNU EXTENSION section.
Ok, now I understand the process, it is crypt (<password>, <salt>). The salt was generated dynamically here:
Code:
    $salt="$1$";
    for ($n=0;$n<11;$n++) {
        $salt.=chr(mt_rand(64,126));
    }
Now I'm making a new interface for my company and I need to make a login using the same username and password from email accounts in ISPCONFIG. If the <salt> is dynamically generated I think it has to be stored somewhere in the database or a text file on my server so that I can get it to crypt the password plus the salt and compare with the one in the ISPCONFIG database so I can log in. Where is the salt stored? Regards, Jorge
It's visible as the first 12 characters of the encrypted password. If you look at the test I ran above, the encrypted password is shown as $1$12345678$OF2XnrBgffDDN5xlSzPhb. The first 12 characters ($1$12345678$) = the salt.
Hi, thanks, I understand the whole process. Every time I change a password in ISPCONFIG it will generate a new <salt> for each account and then crypt the password, so I think that if the <salt> is dynamically generated every time I change the password it needs to be stored so that I can later retrieve it from a file or SQL table to make the encryption and then compare passwords to make the login. How does courier make the login? That's my question. Thanks again, -Jorge
Hi Mike_P. Ooops, I'm sorry for asking questions, I already got it, it was always in the password: $1$p_vgRwIS$TnJucOgRwJsjUBpNdaut9. So I just need to read the <salt> from the password, extract it and crypt it with SQL encrypt and the form password to compare. Regards, Jorge
If you want to write a new interface, you should consider using the remoting API instead of manipulating the data in the SQL tables directly. This will keep your interface compatible with new ISPConfig releases.
Sorry if my question sounds dumb, but could somebody write me a few lines of code in PHP to get the correct password for ISPCONFIG for clients? Like: $password = "something"; line 1: ....................... line 2: ....................... etc. etc. $result = "xxxxxxxxxxxxxxxxxxxx" Thanks for your help.
Code:
    // Class method: hashes a cleartext password with MD5-crypt ($1$) and a random 8-character salt.
    public function crypt_password($cleartext_password) {
        $salt="$1$";
        $base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
        // Append 8 random characters from the alphabet as the salt.
        for ($n=0;$n<8;$n++) {
            $salt.=$base64_alphabet[mt_rand(0, 63)];
        }
        // Terminate the salt; crypt() returns "$1$<salt>$<digest>".
        $salt.="$";
        return crypt($cleartext_password, $salt);
    }
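The check described in the posts above (read the salt back out of the stored hash, re-run crypt, compare), as an added example that is not part of the original thread and is not ISPConfig's own code. The function names are hypothetical and the stored values are generated inside the script from the sample inputs used earlier in the thread.

```php
<?php
// Added example (not ISPConfig code). Function names are hypothetical.

// Split an MD5-crypt string "$1$<salt>$<digest>" into its parts.
// Returns null when the value is not in that format.
function parse_md5_crypt(string $stored): ?array
{
    // Salt: 1-8 characters, anything except '$'. Digest: 22 characters.
    if (!preg_match('#^\$1\$([^$]{1,8})\$([./0-9A-Za-z]{22})$#D', $stored, $m)) {
        return null;
    }
    return ['setting' => '$1$' . $m[1] . '$', 'salt' => $m[1], 'digest' => $m[2]];
}

// Verify a submitted password against a value read from the database.
function verify_password(string $candidate, string $stored): bool
{
    $parts = parse_md5_crypt($stored);
    if ($parts !== null) {
        // Recompute with the prefix and salt taken from the stored hash.
        $computed = crypt($candidate, $parts['setting']);
        // hash_equals() compares in constant time; crypt() returns a short
        // failure token on error, which can never equal a stored hash.
        return is_string($computed) && hash_equals($stored, $computed);
    }
    // md5 fallback mentioned for the sys_user table: unsalted 32-char hex.
    if (preg_match('/^[0-9a-f]{32}$/D', $stored)) {
        return hash_equals($stored, md5($candidate));
    }
    return false; // unknown format: reject rather than guess
}

// Constructed sample data, reusing the password and salts from the thread.
$storedCrypt = crypt('whatever', '$1$12345678abcd$'); // over-long salt
$storedMd5   = md5('whatever');                        // sys_user fallback form

$parts = parse_md5_crypt($storedCrypt);
echo "stored hash : $storedCrypt\n";
echo "salt in hash: {$parts['salt']}\n";               // the 8 characters crypt kept
var_dump(verify_password('whatever', $storedCrypt));   // correct password
var_dump(verify_password('Whatever', $storedCrypt));   // wrong password
var_dump(verify_password('whatever', $storedMd5));     // md5 fallback row
var_dump(verify_password('whatever', 'not-a-hash'));   // unrecognised format
```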