Blowfish update
This commit is contained in:
Roland Gruber
parent
2b80daee2d
commit
9fd6df2f03
|
|
@ -1,3 +1,9 @@
|
|||
??? 0.4.2
|
||||
- added config wizard
|
||||
- MHash is only needed for PHP < 4.3
|
||||
- use Blowfish for encryption instead of MCrypt
|
||||
|
||||
|
||||
29.12.2003 0.4.1
|
||||
|
||||
- better error handling at login
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ Installation Instructions for LAM
|
|||
1. Requirements
|
||||
|
||||
- Apache webserver (SSL optional) with installed PHP-Module (PHP-Module with
|
||||
ldap, gettext, mcrypt, mhash)
|
||||
ldap, gettext, mcrypt+mhash optional)
|
||||
- Perl
|
||||
- Openldap (>2.0)
|
||||
- A web browser :-)
|
||||
|
|
|
|||
|
|
@ -80,8 +80,9 @@ LAM - Readme
|
|||
|
||||
LAM needs to store your LDAP username + password in the session. The session
|
||||
files are saved in sess/ and are accessible only by the web server. To increase
|
||||
security username and password are encrypted with AES (256 bit). The key and iv
|
||||
are generated at random when you log in. They are stored in two cookies.
|
||||
security username and password are encrypted with MCrypt/AES or Blowfish.
|
||||
The key and iv are generated at random when you log in. They are stored in two
|
||||
cookies.
|
||||
|
||||
|
||||
Have fun!
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@
|
|||
4. LDAP-password protection
|
||||
|
||||
Your LDAP-password is stored encrypted in the session file. The key and IV to decrypt
|
||||
it are stored in two cookies. We use AES to encrypt the passwort.
|
||||
it are stored in two cookies. We use MCrypt/AES or Blowfish to encrypt the password.
|
||||
|
||||
|
||||
5. Protection of new user passwords
|
||||
|
|
|
|||
|
|
@ -856,7 +856,7 @@ class accountContainer {
|
|||
|
||||
function lamdaemon($commands) {
|
||||
// get username and password of the current lam-admin
|
||||
$ldap_q = $_SESSION[$this->ldap]->decrypt();
|
||||
$ldap_q = $_SESSION[$this->ldap]->decrypt_login();
|
||||
/* $towrite has the following syntax:
|
||||
* admin-username, admin-password, owner of homedir, 'home', operation='add'
|
||||
* use escapeshellarg to make exec() shell-safe
|
||||
|
|
@ -1084,7 +1084,7 @@ function getquotas($users) {
|
|||
if (is_array($users)) $return = $users;
|
||||
else $return[0] = $users;
|
||||
// get username and password of the current lam-admin
|
||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
||||
$ldap_q = $_SESSION['ldap']->decrypt_login();
|
||||
/* $towrite has the following syntax:
|
||||
* admin-username, admin-password, account with quotas, 'quota', operation='get', type=user|group
|
||||
* use escapeshellarg to make exec() shell-safe
|
||||
|
|
@ -1182,7 +1182,7 @@ function getquotas($users) {
|
|||
*/
|
||||
function setquotas($values2) {
|
||||
// get username and password of the current lam-admin
|
||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
||||
$ldap_q = $_SESSION['ldap']->decrypt_login();
|
||||
/* $towrite has the following syntax:
|
||||
* admin-username, admin-password, account with quotas, 'quota', operation='set', type=user|group
|
||||
* use escapeshellarg to make exec() shell-safe
|
||||
|
|
@ -1273,7 +1273,7 @@ function setquotas($values2) {
|
|||
*/
|
||||
function remquotas($users, $type) {
|
||||
// get username and password of the current lam-admin
|
||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
||||
$ldap_q = $_SESSION['ldap']->decrypt_login();
|
||||
/* $towrite has the following syntax:
|
||||
* admin-username, admin-password, account with quotas, 'quota', operation='rem', type=user|group
|
||||
* use escapeshellarg to make exec() shell-safe
|
||||
|
|
@ -1338,7 +1338,7 @@ function remquotas($users, $type) {
|
|||
*/
|
||||
function addhomedir($users) {
|
||||
// get username and password of the current lam-admin
|
||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
||||
$ldap_q = $_SESSION['ldap']->decrypt_login();
|
||||
/* $towrite has the following syntax:
|
||||
* admin-username, admin-password, owner of homedir, 'home', operation='add'
|
||||
* use escapeshellarg to make exec() shell-safe
|
||||
|
|
@ -1404,7 +1404,7 @@ function addhomedir($users) {
|
|||
*/
|
||||
function remhomedir($users) {
|
||||
// get username and password of the current lam-admin
|
||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
||||
$ldap_q = $_SESSION['ldap']->decrypt_login();
|
||||
/* $towrite has the following syntax:
|
||||
* admin-username, admin-password, owner of homedir, 'home', operation='add'
|
||||
* use escapeshellarg to make exec() shell-safe
|
||||
|
|
@ -2192,15 +2192,11 @@ function createuser($values, $uselamdaemon=true) {
|
|||
// Create DN for new user account
|
||||
$values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn;
|
||||
// decrypt password because we don't want to store them unencrypted in session
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
if ($values->unix_password != '') {
|
||||
$values->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->unix_password), MCRYPT_MODE_ECB, $iv);
|
||||
$values->unix_password = str_replace(chr(00), '', $values->unix_password);
|
||||
$values->unix_password = $_SESSION['ldap']->decrypt(base64_decode($values->unix_password));
|
||||
}
|
||||
if ($values->smb_password != '') {
|
||||
$values->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->smb_password), MCRYPT_MODE_ECB, $iv);
|
||||
$values->smb_password = str_replace(chr(00), '', $values->smb_password);
|
||||
$values->smb_password = $_SESSION['ldap']->decrypt(base64_decode($values->smb_password));
|
||||
}
|
||||
|
||||
// Attributes which are required
|
||||
|
|
@ -2382,15 +2378,11 @@ function modifyuser($values,$values_old,$uselamdaemon=true) { // Will modify the
|
|||
// Create DN for new user account
|
||||
$values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn;
|
||||
// decrypt password because we don't want to store them unencrypted in session
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
if ($values->unix_password != '') {
|
||||
$values->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->unix_password), MCRYPT_MODE_ECB, $iv);
|
||||
$values->unix_password = str_replace(chr(00), '', $values->unix_password);
|
||||
$values->unix_password = $_SESSION['ldap']->decrypt(base64_decode($values->unix_password));
|
||||
}
|
||||
if ($values->smb_password != '') {
|
||||
$values->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->smb_password), MCRYPT_MODE_ECB, $iv);
|
||||
$values->smb_password = str_replace(chr(00), '', $values->smb_password);
|
||||
$values->smb_password = $_SESSION['ldap']->decrypt(base64_decode($values->smb_password));
|
||||
}
|
||||
// Attributes which are required
|
||||
if ($values->general_username != $values_old->general_username) {
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@ $Id$
|
|||
// ldap.inc provides basic functions to connect to the OpenLDAP server.
|
||||
|
||||
include_once("config.inc");
|
||||
include_once("blowfish.inc");
|
||||
|
||||
// converts a HEX string to a binary value
|
||||
function hex2bin($value) {
|
||||
|
|
@ -233,7 +234,7 @@ class Ldap{
|
|||
return false;
|
||||
}
|
||||
// save password und username encrypted
|
||||
$this->encrypt($user, $passwd);
|
||||
$this->encrypt_login($user, $passwd);
|
||||
$this->server = @ldap_connect($this->conf->get_ServerURL());
|
||||
if ($this->server) {
|
||||
// use LDAPv3
|
||||
|
|
@ -386,7 +387,7 @@ class Ldap{
|
|||
|
||||
// reconnects to LDAP server when deserialized
|
||||
function __wakeup() {
|
||||
$data = $this->decrypt();
|
||||
$data = $this->decrypt_login();
|
||||
$this->connect($data[0], $data[1]);
|
||||
// change random number
|
||||
mt_srand($this->rand + (microtime() * 1000000));
|
||||
|
|
@ -415,32 +416,74 @@ class Ldap{
|
|||
$this->rand = mt_rand();
|
||||
}
|
||||
|
||||
// encrypts a string
|
||||
// $data: string to encrypt
|
||||
// return: encrypted string
|
||||
function encrypt($data) {
|
||||
// use MCrypt if available
|
||||
if (function_exists(mcrypt_create_iv)) {
|
||||
// read key and iv from cookie
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
// encrypt string
|
||||
return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
|
||||
}
|
||||
// use Blowfish if MCrypt is not available
|
||||
else {
|
||||
// read key and iv from cookie
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$b_key = $iv . $key;
|
||||
// encrypt string
|
||||
$b_fish = new Cipher_blowfish();
|
||||
return $b_fish->encrypt($data, $b_key);
|
||||
}
|
||||
}
|
||||
|
||||
// decrypts a string
|
||||
// $data: string to decrypt
|
||||
// return: decrypted string
|
||||
function decrypt($data) {
|
||||
// use MCrypt if available
|
||||
if (function_exists(mcrypt_create_iv)) {
|
||||
// read key and iv from cookie
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
// decrypt string
|
||||
$ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
|
||||
$ret = str_replace(chr(00), "", $ret);
|
||||
return $ret;
|
||||
}
|
||||
// use Blowfish if MCrypt is not available
|
||||
else {
|
||||
// read key and iv from cookie
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$b_key = $iv . $key;
|
||||
// decrypt string
|
||||
$b_fish = new Cipher_blowfish();
|
||||
return $b_fish->decrypt($data, $b_key);
|
||||
}
|
||||
}
|
||||
|
||||
// encrypts username and password
|
||||
// $username: LDAP user name
|
||||
// $password: LDAP password
|
||||
function encrypt($username, $password) {
|
||||
// read key and iv from cookie
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
function encrypt_login($username, $password) {
|
||||
// encrypt username and password
|
||||
$this->username = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $username, MCRYPT_MODE_ECB, $iv));
|
||||
$this->password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $password, MCRYPT_MODE_ECB, $iv));
|
||||
$this->username = base64_encode($this->encrypt($username));
|
||||
$this->password = base64_encode($this->encrypt($password));
|
||||
}
|
||||
|
||||
// decrypts username and password
|
||||
// returns an array
|
||||
// return[0]: user name
|
||||
// return[1]: password
|
||||
function decrypt() {
|
||||
// read key and iv from cookie
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
function decrypt_login() {
|
||||
// decrypt username and password
|
||||
$username = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->username), MCRYPT_MODE_ECB, $iv);
|
||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->password), MCRYPT_MODE_ECB, $iv);
|
||||
$username = $this->decrypt(base64_decode($this->username));
|
||||
$password = $this->decrypt(base64_decode($this->password));
|
||||
$ret = array($username, $password);
|
||||
$ret[0] = str_replace(chr(00), "", $ret[0]);
|
||||
$ret[1] = str_replace(chr(00), "", $ret[1]);
|
||||
return $ret;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -119,9 +119,7 @@ class posixAccount {
|
|||
if (is_string($newpassword)) {
|
||||
// Write new password
|
||||
if ($newpassword!='') {
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$this->attributes['userPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
|
||||
$this->attributes['userPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
|
||||
}
|
||||
else $this->attributes['userPassword'][0] = '';
|
||||
return 0;
|
||||
|
|
@ -129,10 +127,7 @@ class posixAccount {
|
|||
else {
|
||||
if ($this->attributes['userPassword'][0]!='') {
|
||||
// Read existing password if set
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['userPassword'][0]), MCRYPT_MODE_ECB, $iv);
|
||||
$password = str_replace(chr(00), '', $password);
|
||||
$password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['userPassword'][0]));
|
||||
return $password;
|
||||
}
|
||||
else return '';
|
||||
|
|
|
|||
|
|
@ -108,9 +108,7 @@ class posixGroup {
|
|||
if (is_string($newpassword)) {
|
||||
// Write new password
|
||||
if ($newpassword!='') {
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$this->attributes['userPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
|
||||
$this->attributes['userPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
|
||||
}
|
||||
else $this->attributes['userPassword'][0] = '';
|
||||
return 0;
|
||||
|
|
@ -118,10 +116,7 @@ class posixGroup {
|
|||
else {
|
||||
if ($this->attributes['userPassword'][0]!='') {
|
||||
// Read existing password if set
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['userPassword'][0]), MCRYPT_MODE_ECB, $iv);
|
||||
$password = str_replace(chr(00), '', $password);
|
||||
$password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['userPassword'][0]));
|
||||
return $password;
|
||||
}
|
||||
else return '';
|
||||
|
|
|
|||
|
|
@ -109,19 +109,14 @@ class sambaAccount {
|
|||
function lmPassword($newpassword=false) {
|
||||
if (is_string($newpassword)) {
|
||||
// Write new password
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$this->attributes['lmPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
|
||||
$this->attributes['lmPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
|
||||
return 0;
|
||||
}
|
||||
else {
|
||||
if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword();
|
||||
if ($this->attributes['lmPassword'][0]!='') {
|
||||
// Read existing password if set
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['lmPassword'][0]), MCRYPT_MODE_ECB, $iv);
|
||||
$password = str_replace(chr(00), '', $password);
|
||||
$password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['lmPassword'][0]));
|
||||
return $password;
|
||||
}
|
||||
else return '';
|
||||
|
|
|
|||
|
|
@ -109,19 +109,14 @@ class sambaSamAccount {
|
|||
function sambaLMPassword($newpassword=false) {
|
||||
if (is_string($newpassword)) {
|
||||
// Write new password
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$this->attributes['sambaLMPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
|
||||
$this->attributes['sambaLMPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
|
||||
return 0;
|
||||
}
|
||||
else {
|
||||
if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword();
|
||||
if ($this->attributes['sambaLMPassword'][0]!='') {
|
||||
// Read existing password if set
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['sambaLMPassword'][0]), MCRYPT_MODE_ECB, $iv);
|
||||
$password = str_replace(chr(00), '', $password);
|
||||
$password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['sambaLMPassword'][0]));
|
||||
return $password;
|
||||
}
|
||||
else return '';
|
||||
|
|
|
|||
|
|
@ -41,8 +41,6 @@ function createUserPDF($accounts) {
|
|||
$pdfFile->setCreator("LDAP Account Manager (pdf.inc)");
|
||||
// Loop for every sumbitted account and print its values on a extra page
|
||||
foreach ($accounts as $account) {
|
||||
$iv = base64_decode($_COOKIE['IV']);
|
||||
$key = base64_decode($_COOKIE['Key']);
|
||||
$pdfFile->addPage();
|
||||
// Load string with additional information from session
|
||||
$info_string = $_SESSION['config']->pdftext;
|
||||
|
|
@ -141,8 +139,7 @@ function createUserPDF($accounts) {
|
|||
elseif($account->unix_password == "") {
|
||||
}
|
||||
else {
|
||||
$account->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account->unix_password), MCRYPT_MODE_ECB, $iv);
|
||||
$account->unix_password = str_replace(chr(00), '', $account->unix_password);
|
||||
$account->unix_password = $_SESSION['ldap']->decrypt(base64_decode($account->unix_password));
|
||||
$pdfFile->setFont("times","B",10);
|
||||
$pdfFile->Cell(50,5,_("Unix password") . ":",0,0,"R",0);
|
||||
$pdfFile->setFont("times","",10);
|
||||
|
|
@ -199,8 +196,7 @@ function createUserPDF($accounts) {
|
|||
elseif($account->smb_password == "") {
|
||||
}
|
||||
else {
|
||||
$account->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account->smb_password), MCRYPT_MODE_ECB, $iv);
|
||||
$account->smb_password = str_replace(chr(00), '', $account->smb_password);
|
||||
$account->smb_password = $_SESSION['ldap']->decrypt(base64_decode($account->smb_password));
|
||||
$pdfFile->setFont("times","B",10);
|
||||
$pdfFile->Cell(50,5,_("Windows password") . ":",0,0,"R",0);
|
||||
$pdfFile->setFont("times","",10);
|
||||
|
|
|
|||
|
|
@ -85,7 +85,7 @@ convsave, confmain, conflogin:
|
|||
|
||||
useredit:
|
||||
- shellist: Array mit allen shells
|
||||
- account_old: Object account. Hier wird beim laden eines Accounts alle alten Werte zwischengespeichert
|
||||
- account_old: Object account. Hier wird beim laden eines Accounts alle alten Werte zwischengespeichert
|
||||
- account: Object account. Hier wird der aktuelle Eintrag gespeichert
|
||||
- final_changegids: boolean. Wenn gesetzt, werden die gids in ldap angepasst
|
||||
- hostDN: Array mit allen hosts.
|
||||
|
|
@ -122,9 +122,9 @@ confwiz/*.php
|
|||
- confwiz_config: Config-Objekt mit Optionen
|
||||
- confwiz_ldap: LDAP-Objekt
|
||||
- conwiz_masterpwd: Hauptpasswort für Einstellungen, zur Überprüfung des Admins
|
||||
- confwiz_domainsid: Domänen-SID der erstellten/zuerst gefundenen Domäne
|
||||
- confwiz_missing_groups: Array mit fehlenden Standard-Samba-Gruppen
|
||||
- confwiz_optional: Array mit optionalen Seiten, die angezeigt werden sollen
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -311,13 +311,11 @@ switch ($_POST['select']) {
|
|||
// Write all general values into $account_new
|
||||
if (isset($_POST['f_unix_password'])) {
|
||||
// Encraypt password
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
if ($_POST['f_unix_password'] != $_POST['f_unix_password2']) {
|
||||
$errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.'));
|
||||
unset ($_POST['f_unix_password2']);
|
||||
}
|
||||
else $account_new->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $_POST['f_unix_password'], MCRYPT_MODE_ECB, $iv));
|
||||
else $account_new->unix_password = base64_encode($_SESSION['ldap']->encrypt($_POST['f_unix_password']));
|
||||
}
|
||||
else $account_new->unix_password = '';
|
||||
if ($_POST['f_unix_password_no']) $account_new->unix_password_no = true;
|
||||
|
|
@ -333,9 +331,7 @@ switch ($_POST['select']) {
|
|||
else $account_new->unix_deactivated = false;
|
||||
if ($_POST['genpass']) {
|
||||
// Generate a random password if generate-button was pressed
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$account_new->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, genpasswd(), MCRYPT_MODE_ECB, $iv));
|
||||
$account_new->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd()));
|
||||
unset ($_POST['f_unix_password2']);
|
||||
// Keep unix-page acitve
|
||||
$select_local = 'unix';
|
||||
|
|
@ -343,10 +339,7 @@ switch ($_POST['select']) {
|
|||
// Check if values are OK and set automatic values. if not error-variable will be set
|
||||
else { // account.inc
|
||||
if ($account_new->unix_password != '') {
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv);
|
||||
$password = str_replace(chr(00), '', $password);
|
||||
$password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password));
|
||||
}
|
||||
if (!ereg('^([a-z]|[A-Z]|[0-9]|[\|]|[\#]|[\*]|[\,]|[\.]|[\;]|[\:]|[\_]|[\-]|[\+]|[\!]|[\%]|[\&]|[\/]|[\?]|[\{]|[\[]|[\(]|[\)]|[\]]|[\}])*$', $password))
|
||||
$errors[] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!$%&/|?{[()]}= !'));
|
||||
|
|
@ -412,8 +405,6 @@ switch ($_POST['select']) {
|
|||
break;
|
||||
}
|
||||
}
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
// Set Samba password
|
||||
if (isset($_POST['f_smb_password']) && !$account_new->smb_useunixpwd) {
|
||||
// Encraypt password
|
||||
|
|
@ -421,14 +412,13 @@ switch ($_POST['select']) {
|
|||
$errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.'));
|
||||
unset ($_POST['f_smb_password2']);
|
||||
}
|
||||
else $account_new->smb_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $_POST['f_smb_password'], MCRYPT_MODE_ECB, $iv));
|
||||
else $account_new->smb_password = base64_encode($_SESSION['ldap']->encrypt($_POST['f_smb_password']));
|
||||
}
|
||||
else $account_new->smb_password = '';
|
||||
if ( (($account_new->smb_useunixpwd && !$account_old) || ($account_new->smb_useunixpwd && $account_new->unix_password!='')) && isset($account_new->unix_password) ) {
|
||||
// Set Samba-Password to unix-password if option is set
|
||||
$unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv);
|
||||
$smb_password = str_replace(chr(00), '', $unix_password);
|
||||
$account_new->smb_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $smb_password, MCRYPT_MODE_ECB, $iv));
|
||||
$unix_password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password));
|
||||
$account_new->smb_password = base64_encode($_SESSION['ldap']->encrypt($smb_password));
|
||||
}
|
||||
// Check values
|
||||
$account_new->smb_scriptPath = str_replace('$user', $account_new->general_username, $account_new->smb_scriptPath);
|
||||
|
|
@ -1034,10 +1024,7 @@ switch ($select_local) {
|
|||
// Unix Password Settings
|
||||
// decrypt password
|
||||
if ($account_new->unix_password != '') {
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv);
|
||||
$password = str_replace(chr(00), '', $password);
|
||||
$password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password));
|
||||
}
|
||||
else $password='';
|
||||
// Use dd-mm-yyyy format of date because it's easier to read for humans
|
||||
|
|
@ -1145,10 +1132,7 @@ switch ($select_local) {
|
|||
// Samba Settings
|
||||
// decrypt password
|
||||
if ($account_new->smb_password != '') {
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->smb_password), MCRYPT_MODE_ECB, $iv);
|
||||
$password = str_replace(chr(00), '', $password);
|
||||
$password = $_SESSION['ldap']->decrypt(base64_decode($account_new->smb_password));
|
||||
}
|
||||
else $password = "";
|
||||
if ($config_intern->is_samba3()) $samba3domains = $ldap_intern->search_domains($config_intern->get_domainSuffix());
|
||||
|
|
|
|||
|
|
@ -47,6 +47,14 @@ function display_LoginPage($config_object,$profile)
|
|||
$iv = mcrypt_create_iv(32, MCRYPT_RAND);
|
||||
}
|
||||
}
|
||||
// use Blowfish if MCrypt is not available
|
||||
else {
|
||||
// generate iv and key for encryption
|
||||
$key = "";
|
||||
$iv = "";
|
||||
while (strlen($key) < 30) $key .= mt_rand();
|
||||
while (strlen($iv) < 30) $iv .= mt_rand();
|
||||
}
|
||||
|
||||
// save both in cookie
|
||||
setcookie("Key", base64_encode($key), 0, "/");
|
||||
|
|
@ -113,16 +121,8 @@ function display_LoginPage($config_object,$profile)
|
|||
</table>
|
||||
<hr><br><br>
|
||||
<?php
|
||||
if(! function_exists('mcrypt_create_iv')) {
|
||||
StatusMessage("ERROR", "Your PHP does not support MCrypt, you will not be able to log in! Please install the required package.","See http://lam.sf.net/documentation/faq.html#2 for Suse/RedHat");
|
||||
?>
|
||||
</body>
|
||||
</html>
|
||||
<?php
|
||||
exit;
|
||||
}
|
||||
if(! function_exists('mHash')) {
|
||||
StatusMessage("WARN", "Your PHP does not support MHash, you will only be able to use CRYPT/PLAIN for user passwords! Please install the required package.","See http://lam.sf.net/documentation/faq.html#2 for Suse/RedHat");
|
||||
if ((! function_exists('mHash')) && (! function_exists('sha1'))) {
|
||||
StatusMessage("INFO", "Your PHP does not support MHash or sha1(), you will only be able to use CRYPT/PLAIN/MD5/SMD5 for user passwords!", "Please install MHash or update to PHP >4.3.");
|
||||
}
|
||||
?>
|
||||
<p align="center">
|
||||
|
|
|
|||
|
|
@ -161,8 +161,6 @@ switch ($select) {
|
|||
echo _('Creating users. Please stand by ....');
|
||||
echo "</b></legend>\n<table border=0 width=\"100%\">\n";
|
||||
// Keys needed to encrypt passwords from session
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
$stay=true;
|
||||
// Stay in loop as long there are still users to create and no error did ocour
|
||||
while (($_SESSION['pointer'] < sizeof($_SESSION['accounts'])) && $stay) {
|
||||
|
|
@ -227,8 +225,7 @@ switch ($select) {
|
|||
$_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath);
|
||||
$_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$user', $_SESSION['accounts'][$_SESSION['pointer']]->general_username, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome);
|
||||
$_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome);
|
||||
$_SESSION['accounts'][$_SESSION['pointer']]->unix_password = base64_encode(mcrypt_encrypt(
|
||||
MCRYPT_RIJNDAEL_256, $key, genpasswd(), MCRYPT_MODE_ECB, $iv));
|
||||
$_SESSION['accounts'][$_SESSION['pointer']]->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd()));
|
||||
$_SESSION['accounts'][$_SESSION['pointer']]->smb_password = $_SESSION['accounts'][$_SESSION['pointer']]->unix_password;
|
||||
// Only create user if we have at least 5sec time to create the user
|
||||
if ( (time()-$time)<(get_cfg_var('max_execution_time')-10)) {
|
||||
|
|
@ -474,8 +471,6 @@ function loadfile() {
|
|||
$profile->quota = array_values($profile->quota);
|
||||
}
|
||||
// Get keys to en/decrypt passwords
|
||||
$iv = base64_decode($_COOKIE["IV"]);
|
||||
$key = base64_decode($_COOKIE["Key"]);
|
||||
for ($row=0; $line_array=fgetcsv($handle,2048); $row++) {
|
||||
// loops for every row
|
||||
// Set corrent user to profile
|
||||
|
|
@ -508,8 +503,7 @@ function loadfile() {
|
|||
// Set DN without uid=$username
|
||||
else $_SESSION['accounts'][$row]->general_dn = $_POST['f_general_suffix'];
|
||||
// Create Random Password
|
||||
$_SESSION['accounts'][$row]->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
|
||||
$key, genpasswd(), MCRYPT_MODE_ECB, $iv));
|
||||
$_SESSION['accounts'][$row]->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd()));
|
||||
$_SESSION['accounts'][$row]->smb_password=$_SESSION['accounts'][$row]->unix_password;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue