support CRYPT-SHA512
parent
1e60d37775
commit
15984ad7f1
|
@ -162,12 +162,12 @@ function ntPassword($password) {
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the hash value of a plain text password
|
* Returns the hash value of a plain text password.
|
||||||
* the hash algorithm depends on the configuration file
|
* @see getSupportedHashTypes()
|
||||||
*
|
*
|
||||||
* @param string $password the password string
|
* @param string $password the password string
|
||||||
* @param boolean $enabled marks the hash as enabled/disabled (e.g. by prefixing "!")
|
* @param boolean $enabled marks the hash as enabled/disabled (e.g. by prefixing "!")
|
||||||
* @param string $hashType password hash type (CRYPT, SHA, SSHA, MD5, SMD5, PLAIN)
|
* @param string $hashType password hash type (CRYPT, CRYPT-SHA512, SHA, SSHA, MD5, SMD5, PLAIN)
|
||||||
* @return string the password hash
|
* @return string the password hash
|
||||||
*/
|
*/
|
||||||
function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
|
function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
|
||||||
|
@ -188,12 +188,14 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
|
||||||
case 'CRYPT':
|
case 'CRYPT':
|
||||||
$hash = "{CRYPT}" . crypt($password);
|
$hash = "{CRYPT}" . crypt($password);
|
||||||
break;
|
break;
|
||||||
|
case 'CRYPT-SHA512':
|
||||||
|
$hash = "{CRYPT}" . crypt($password, '$6$' . generateSalt(16));
|
||||||
|
break;
|
||||||
case 'MD5':
|
case 'MD5':
|
||||||
$hash = "{MD5}" . base64_encode(convertHex2bin(md5($password)));
|
$hash = "{MD5}" . base64_encode(convertHex2bin(md5($password)));
|
||||||
break;
|
break;
|
||||||
case 'SMD5':
|
case 'SMD5':
|
||||||
$salt0 = substr(pack("h*", md5($rand)), 0, 8);
|
$salt = generateSalt(4);
|
||||||
$salt = substr(pack("H*", md5($salt0 . $password)), 0, 4);
|
|
||||||
$hash = "{SMD5}" . base64_encode(convertHex2bin(md5($password . $salt)) . $salt);
|
$hash = "{SMD5}" . base64_encode(convertHex2bin(md5($password . $salt)) . $salt);
|
||||||
break;
|
break;
|
||||||
case 'SHA':
|
case 'SHA':
|
||||||
|
@ -204,8 +206,7 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
|
||||||
break;
|
break;
|
||||||
case 'SSHA':
|
case 'SSHA':
|
||||||
default: // use SSHA if the setting is invalid
|
default: // use SSHA if the setting is invalid
|
||||||
$salt0 = substr(pack("h*", md5($rand)), 0, 8);
|
$salt = generateSalt(4);
|
||||||
$salt = substr(pack("H*", sha1($salt0 . $password)), 0, 4);
|
|
||||||
$hash = "{SSHA}" . base64_encode(convertHex2bin(sha1($password . $salt)) . $salt);
|
$hash = "{SSHA}" . base64_encode(convertHex2bin(sha1($password . $salt)) . $salt);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -214,6 +215,36 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
|
||||||
else return $hash;
|
else return $hash;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the list of supported hash types (e.g. SSHA).
|
||||||
|
*
|
||||||
|
* @return array hash types
|
||||||
|
*/
|
||||||
|
function getSupportedHashTypes() {
|
||||||
|
if (version_compare(phpversion(), '5.3.2') < 0) {
|
||||||
|
// CRYPT-SHA512 requires PHP 5.3.2 or higher
|
||||||
|
return array('CRYPT', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN');
|
||||||
|
}
|
||||||
|
return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Calculates a password salt of the given legth.
|
||||||
|
*
|
||||||
|
* @param int $len salt length
|
||||||
|
* @return String the salt string
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
function generateSalt($len) {
|
||||||
|
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./';
|
||||||
|
$salt = '';
|
||||||
|
for ($i = 0; $i < $len; $i++) {
|
||||||
|
$pos= mt_rand(0, strlen($chars)-1);
|
||||||
|
$salt .= $chars{$pos};
|
||||||
|
}
|
||||||
|
return $salt;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Marks an password hash as enabled and returns the new hash string
|
* Marks an password hash as enabled and returns the new hash string
|
||||||
*
|
*
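Review bot: generateSalt() picks every salt character with mt_rand(), which is not a cryptographically secure generator, and this helper now supplies the salt for the CRYPT-SHA512, SMD5 and SSHA branches of pwd_hash(). Salts are not secret, but they should be unpredictable and unique per hash, so the loop body would be better as `$pos = function_exists('random_int') ? random_int(0, strlen($chars) - 1) : mt_rand(0, strlen($chars) - 1);` followed by `$salt .= $chars[$pos];`, which also drops the `$chars{$pos}` offset syntax that was deprecated in PHP 7.4 and removed in PHP 8.0. With generateSalt(4) over a 64-character alphabet, the SMD5 and SSHA salts carry 24 bits rather than the 32 bits of four raw bytes; a longer salt there would restore the margin. Separately, the CRYPT-SHA512 branch stores whatever crypt() returns, and since only the option list in getSupportedHashTypes() is gated on the PHP version, checking that the result starts with `$6$` before prefixing `{CRYPT}` would keep a fallback or failure value out of the directory.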
|
||||||
|
|
|
@ -288,10 +288,9 @@ class inetOrgPerson extends baseModule implements passwordService {
|
||||||
// add password hash type if posixAccount is inactive
|
// add password hash type if posixAccount is inactive
|
||||||
$confActiveUnixModules = array_merge($_SESSION['conf_config']->get_AccountModules('user'), $_SESSION['conf_config']->get_AccountModules('host'), $_SESSION['conf_config']->get_AccountModules('group'));
|
$confActiveUnixModules = array_merge($_SESSION['conf_config']->get_AccountModules('user'), $_SESSION['conf_config']->get_AccountModules('host'), $_SESSION['conf_config']->get_AccountModules('group'));
|
||||||
if (!in_array('posixAccount', $confActiveUnixModules) && !in_array('posixGroup', $confActiveUnixModules)) {
|
if (!in_array('posixAccount', $confActiveUnixModules) && !in_array('posixGroup', $confActiveUnixModules)) {
|
||||||
$options = array("CRYPT", "SHA", "SSHA", "MD5", "SMD5", "PLAIN");
|
|
||||||
$optionsSelected = array('SSHA');
|
$optionsSelected = array('SSHA');
|
||||||
$hashOption = new htmlTable();
|
$hashOption = new htmlTable();
|
||||||
$hashOption->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', $options, $optionsSelected, _("Password hash type"), 'pwdHash'));
|
$hashOption->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', getSupportedHashTypes(), $optionsSelected, _("Password hash type"), 'pwdHash'));
|
||||||
$configContainer->addElement($hashOption);
|
$configContainer->addElement($hashOption);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -772,7 +771,7 @@ class inetOrgPerson extends baseModule implements passwordService {
|
||||||
),
|
),
|
||||||
'pwdHash' => array(
|
'pwdHash' => array(
|
||||||
"Headline" => _("Password hash type"),
|
"Headline" => _("Password hash type"),
|
||||||
"Text" => _("LAM supports CRYPT, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
|
"Text" => _("LAM supports CRYPT, CRYPT-SHA512, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
|
||||||
),
|
),
|
||||||
'o' => array(
|
'o' => array(
|
||||||
"Headline" => _("Organisation"), 'attr' => 'o',
|
"Headline" => _("Organisation"), 'attr' => 'o',
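Review bot: The updated 'pwdHash' help text adds CRYPT-SHA512 to the list but keeps the blanket sentence that CRYPT does not support passwords greater than 8 letters, which an administrator can read as applying to CRYPT-SHA512 too, and it still describes SSHA and CRYPT as the usual choices. The text should separate the two, for example `CRYPT-SHA512 is the strongest option; plain CRYPT does not support passwords greater than 8 letters.`, so that the salted, iterated scheme is the one the help steers people towards. The preselected value in the first hunk of this file remains `array('SSHA')`, so a fresh configuration still defaults to a single round of salted SHA-1; consider preselecting CRYPT-SHA512 when getSupportedHashTypes() offers it. The same help string is edited identically in the posixAccount and posixGroup sections, so a single shared definition would keep the three copies from drifting apart.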
|
||||||
|
|
|
@ -158,7 +158,7 @@ class posixAccount extends baseModule implements passwordService {
|
||||||
$return['selfServiceReadOnlyFields'] = array('cn', 'loginShell');
|
$return['selfServiceReadOnlyFields'] = array('cn', 'loginShell');
|
||||||
// self service configuration settings
|
// self service configuration settings
|
||||||
$selfServiceContainer = new htmlTable();
|
$selfServiceContainer = new htmlTable();
|
||||||
$selfServiceContainer->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', array("CRYPT", "SHA", "SSHA", "MD5", "SMD5", "PLAIN"),
|
$selfServiceContainer->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', getSupportedHashTypes(),
|
||||||
array('SSHA'), _("Password hash type")));
|
array('SSHA'), _("Password hash type")));
|
||||||
$selfServiceContainer->addElement(new htmlHelpLink('pwdHash', get_class($this)));
|
$selfServiceContainer->addElement(new htmlHelpLink('pwdHash', get_class($this)));
|
||||||
$return['selfServiceSettings'] = $selfServiceContainer;
|
$return['selfServiceSettings'] = $selfServiceContainer;
|
||||||
|
@ -192,7 +192,7 @@ class posixAccount extends baseModule implements passwordService {
|
||||||
$return['config_options']['host'] = $configHostContainer;
|
$return['config_options']['host'] = $configHostContainer;
|
||||||
$configOptionsContainer = new htmlTable();
|
$configOptionsContainer = new htmlTable();
|
||||||
$configOptionsContainer->addElement(new htmlSubTitle(_('Options')), true);
|
$configOptionsContainer->addElement(new htmlSubTitle(_('Options')), true);
|
||||||
$configOptionsContainer->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', array("CRYPT", "SHA", "SSHA", "MD5", "SMD5", "PLAIN"),
|
$configOptionsContainer->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', getSupportedHashTypes(),
|
||||||
array('SSHA'), _("Password hash type"), 'pwdHash'), true);
|
array('SSHA'), _("Password hash type"), 'pwdHash'), true);
|
||||||
$configOptionsContainer->addElement(new htmlTableExtendedInputCheckbox('posixAccount_primaryGroupAsSecondary', false, _('Set primary group as memberUid'), 'primaryGroupAsSecondary'));
|
$configOptionsContainer->addElement(new htmlTableExtendedInputCheckbox('posixAccount_primaryGroupAsSecondary', false, _('Set primary group as memberUid'), 'primaryGroupAsSecondary'));
|
||||||
$return['config_options']['all'] = $configOptionsContainer;
|
$return['config_options']['all'] = $configOptionsContainer;
|
||||||
|
@ -350,7 +350,7 @@ class posixAccount extends baseModule implements passwordService {
|
||||||
),
|
),
|
||||||
'pwdHash' => array(
|
'pwdHash' => array(
|
||||||
"Headline" => _("Password hash type"),
|
"Headline" => _("Password hash type"),
|
||||||
"Text" => _("LAM supports CRYPT, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
|
"Text" => _("LAM supports CRYPT, CRYPT-SHA512, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
|
||||||
),
|
),
|
||||||
'uidNumber' => array(
|
'uidNumber' => array(
|
||||||
"Headline" => _("UID number"), 'attr' => 'uidNumber',
|
"Headline" => _("UID number"), 'attr' => 'uidNumber',
|
||||||
|
|
|
@ -418,7 +418,7 @@ class posixGroup extends baseModule implements passwordService {
|
||||||
),
|
),
|
||||||
'pwdHash' => array(
|
'pwdHash' => array(
|
||||||
"Headline" => _("Password hash type"),
|
"Headline" => _("Password hash type"),
|
||||||
"Text" => _("LAM supports CRYPT, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
|
"Text" => _("LAM supports CRYPT, CRYPT-SHA512, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
|
||||||
),
|
),
|
||||||
'cn' => array(
|
'cn' => array(
|
||||||
"Headline" => _("Group name"), 'attr' => 'cn',
|
"Headline" => _("Group name"), 'attr' => 'cn',
|
||||||
|
@ -445,7 +445,7 @@ class posixGroup extends baseModule implements passwordService {
|
||||||
$return = parent::get_configOptions($scopes, $allScopes);
|
$return = parent::get_configOptions($scopes, $allScopes);
|
||||||
// display password hash option only if posixAccount module is not used
|
// display password hash option only if posixAccount module is not used
|
||||||
if (!isset($allScopes['posixAccount'])) {
|
if (!isset($allScopes['posixAccount'])) {
|
||||||
$return[0]->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', array("CRYPT", "SHA", "SSHA", "MD5", "SMD5", "PLAIN"), array('SSHA'), _("Password hash type"), 'pwdHash'));
|
$return[0]->addElement(new htmlTableExtendedSelect('posixAccount_pwdHash', getSupportedHashTypes(), array('SSHA'), _("Password hash type"), 'pwdHash'));
|
||||||
}
|
}
|
||||||
return $return;
|
return $return;
|
||||||
}
|
}
|
||||||
|
|