Blowfish update
This commit is contained in:
Roland Gruber
parent
2b80daee2d
commit
9fd6df2f03
|
|
@ -1,3 +1,9 @@
|
||||||
|
??? 0.4.2
|
||||||
|
- added config wizard
|
||||||
|
- MHash is only needed for PHP < 4.3
|
||||||
|
- use Blowfish for encryption instead of MCrypt
|
||||||
|
|
||||||
|
|
||||||
29.12.2003 0.4.1
|
29.12.2003 0.4.1
|
||||||
|
|
||||||
- better error handling at login
|
- better error handling at login
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,7 @@ Installation Instructions for LAM
|
||||||
1. Requirements
|
1. Requirements
|
||||||
|
|
||||||
- Apache webserver (SSL optional) with installed PHP-Module (PHP-Module with
|
- Apache webserver (SSL optional) with installed PHP-Module (PHP-Module with
|
||||||
ldap, gettext, mcrypt, mhash)
|
ldap, gettext, mcrypt+mhash optional)
|
||||||
- Perl
|
- Perl
|
||||||
- Openldap (>2.0)
|
- Openldap (>2.0)
|
||||||
- A web browser :-)
|
- A web browser :-)
|
||||||
|
|
|
||||||
|
|
@ -80,8 +80,9 @@ LAM - Readme
|
||||||
|
|
||||||
LAM needs to store your LDAP username + password in the session. The session
|
LAM needs to store your LDAP username + password in the session. The session
|
||||||
files are saved in sess/ and are accessible only by the web server. To increase
|
files are saved in sess/ and are accessible only by the web server. To increase
|
||||||
security username and password are encrypted with AES (256 bit). The key and iv
|
security username and password are encrypted with MCrypt/AES or Blowfish.
|
||||||
are generated at random when you log in. They are stored in two cookies.
|
The key and iv are generated at random when you log in. They are stored in two
|
||||||
|
cookies.
|
||||||
|
|
||||||
|
|
||||||
Have fun!
|
Have fun!
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@
|
||||||
4. LDAP-password protection
|
4. LDAP-password protection
|
||||||
|
|
||||||
Your LDAP-password is stored encrypted in the session file. The key and IV to decrypt
|
Your LDAP-password is stored encrypted in the session file. The key and IV to decrypt
|
||||||
it are stored in two cookies. We use AES to encrypt the passwort.
|
it are stored in two cookies. We use MCrypt/AES or Blowfish to encrypt the password.
|
||||||
|
|
||||||
|
|
||||||
5. Protection of new user passwords
|
5. Protection of new user passwords
|
||||||
|
|
|
||||||
|
|
@ -856,7 +856,7 @@ class accountContainer {
|
||||||
|
|
||||||
function lamdaemon($commands) {
|
function lamdaemon($commands) {
|
||||||
// get username and password of the current lam-admin
|
// get username and password of the current lam-admin
|
||||||
$ldap_q = $_SESSION[$this->ldap]->decrypt();
|
$ldap_q = $_SESSION[$this->ldap]->decrypt_login();
|
||||||
/* $towrite has the following syntax:
|
/* $towrite has the following syntax:
|
||||||
* admin-username, admin-password, owner of homedir, 'home', operation='add'
|
* admin-username, admin-password, owner of homedir, 'home', operation='add'
|
||||||
* use escapeshellarg to make exec() shell-safe
|
* use escapeshellarg to make exec() shell-safe
|
||||||
|
|
@ -1084,7 +1084,7 @@ function getquotas($users) {
|
||||||
if (is_array($users)) $return = $users;
|
if (is_array($users)) $return = $users;
|
||||||
else $return[0] = $users;
|
else $return[0] = $users;
|
||||||
// get username and password of the current lam-admin
|
// get username and password of the current lam-admin
|
||||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
$ldap_q = $_SESSION['ldap']->decrypt_login();
|
||||||
/* $towrite has the following syntax:
|
/* $towrite has the following syntax:
|
||||||
* admin-username, admin-password, account with quotas, 'quota', operation='get', type=user|group
|
* admin-username, admin-password, account with quotas, 'quota', operation='get', type=user|group
|
||||||
* use escapeshellarg to make exec() shell-safe
|
* use escapeshellarg to make exec() shell-safe
|
||||||
|
|
@ -1182,7 +1182,7 @@ function getquotas($users) {
|
||||||
*/
|
*/
|
||||||
function setquotas($values2) {
|
function setquotas($values2) {
|
||||||
// get username and password of the current lam-admin
|
// get username and password of the current lam-admin
|
||||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
$ldap_q = $_SESSION['ldap']->decrypt_login();
|
||||||
/* $towrite has the following syntax:
|
/* $towrite has the following syntax:
|
||||||
* admin-username, admin-password, account with quotas, 'quota', operation='set', type=user|group
|
* admin-username, admin-password, account with quotas, 'quota', operation='set', type=user|group
|
||||||
* use escapeshellarg to make exec() shell-safe
|
* use escapeshellarg to make exec() shell-safe
|
||||||
|
|
@ -1273,7 +1273,7 @@ function setquotas($values2) {
|
||||||
*/
|
*/
|
||||||
function remquotas($users, $type) {
|
function remquotas($users, $type) {
|
||||||
// get username and password of the current lam-admin
|
// get username and password of the current lam-admin
|
||||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
$ldap_q = $_SESSION['ldap']->decrypt_login();
|
||||||
/* $towrite has the following syntax:
|
/* $towrite has the following syntax:
|
||||||
* admin-username, admin-password, account with quotas, 'quota', operation='rem', type=user|group
|
* admin-username, admin-password, account with quotas, 'quota', operation='rem', type=user|group
|
||||||
* use escapeshellarg to make exec() shell-safe
|
* use escapeshellarg to make exec() shell-safe
|
||||||
|
|
@ -1338,7 +1338,7 @@ function remquotas($users, $type) {
|
||||||
*/
|
*/
|
||||||
function addhomedir($users) {
|
function addhomedir($users) {
|
||||||
// get username and password of the current lam-admin
|
// get username and password of the current lam-admin
|
||||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
$ldap_q = $_SESSION['ldap']->decrypt_login();
|
||||||
/* $towrite has the following syntax:
|
/* $towrite has the following syntax:
|
||||||
* admin-username, admin-password, owner of homedir, 'home', operation='add'
|
* admin-username, admin-password, owner of homedir, 'home', operation='add'
|
||||||
* use escapeshellarg to make exec() shell-safe
|
* use escapeshellarg to make exec() shell-safe
|
||||||
|
|
@ -1404,7 +1404,7 @@ function addhomedir($users) {
|
||||||
*/
|
*/
|
||||||
function remhomedir($users) {
|
function remhomedir($users) {
|
||||||
// get username and password of the current lam-admin
|
// get username and password of the current lam-admin
|
||||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
$ldap_q = $_SESSION['ldap']->decrypt_login();
|
||||||
/* $towrite has the following syntax:
|
/* $towrite has the following syntax:
|
||||||
* admin-username, admin-password, owner of homedir, 'home', operation='add'
|
* admin-username, admin-password, owner of homedir, 'home', operation='add'
|
||||||
* use escapeshellarg to make exec() shell-safe
|
* use escapeshellarg to make exec() shell-safe
|
||||||
|
|
@ -2192,15 +2192,11 @@ function createuser($values, $uselamdaemon=true) {
|
||||||
// Create DN for new user account
|
// Create DN for new user account
|
||||||
$values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn;
|
$values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn;
|
||||||
// decrypt password because we don't want to store them unencrypted in session
|
// decrypt password because we don't want to store them unencrypted in session
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
if ($values->unix_password != '') {
|
if ($values->unix_password != '') {
|
||||||
$values->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->unix_password), MCRYPT_MODE_ECB, $iv);
|
$values->unix_password = $_SESSION['ldap']->decrypt(base64_decode($values->unix_password));
|
||||||
$values->unix_password = str_replace(chr(00), '', $values->unix_password);
|
|
||||||
}
|
}
|
||||||
if ($values->smb_password != '') {
|
if ($values->smb_password != '') {
|
||||||
$values->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->smb_password), MCRYPT_MODE_ECB, $iv);
|
$values->smb_password = $_SESSION['ldap']->decrypt(base64_decode($values->smb_password));
|
||||||
$values->smb_password = str_replace(chr(00), '', $values->smb_password);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Attributes which are required
|
// Attributes which are required
|
||||||
|
|
@ -2382,15 +2378,11 @@ function modifyuser($values,$values_old,$uselamdaemon=true) { // Will modify the
|
||||||
// Create DN for new user account
|
// Create DN for new user account
|
||||||
$values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn;
|
$values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn;
|
||||||
// decrypt password because we don't want to store them unencrypted in session
|
// decrypt password because we don't want to store them unencrypted in session
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
if ($values->unix_password != '') {
|
if ($values->unix_password != '') {
|
||||||
$values->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->unix_password), MCRYPT_MODE_ECB, $iv);
|
$values->unix_password = $_SESSION['ldap']->decrypt(base64_decode($values->unix_password));
|
||||||
$values->unix_password = str_replace(chr(00), '', $values->unix_password);
|
|
||||||
}
|
}
|
||||||
if ($values->smb_password != '') {
|
if ($values->smb_password != '') {
|
||||||
$values->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->smb_password), MCRYPT_MODE_ECB, $iv);
|
$values->smb_password = $_SESSION['ldap']->decrypt(base64_decode($values->smb_password));
|
||||||
$values->smb_password = str_replace(chr(00), '', $values->smb_password);
|
|
||||||
}
|
}
|
||||||
// Attributes which are required
|
// Attributes which are required
|
||||||
if ($values->general_username != $values_old->general_username) {
|
if ($values->general_username != $values_old->general_username) {
|
||||||
|
|
|
||||||
|
|
@ -24,6 +24,7 @@ $Id$
|
||||||
// ldap.inc provides basic functions to connect to the OpenLDAP server.
|
// ldap.inc provides basic functions to connect to the OpenLDAP server.
|
||||||
|
|
||||||
include_once("config.inc");
|
include_once("config.inc");
|
||||||
|
include_once("blowfish.inc");
|
||||||
|
|
||||||
// converts a HEX string to a binary value
|
// converts a HEX string to a binary value
|
||||||
function hex2bin($value) {
|
function hex2bin($value) {
|
||||||
|
|
@ -233,7 +234,7 @@ class Ldap{
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
// save password und username encrypted
|
// save password und username encrypted
|
||||||
$this->encrypt($user, $passwd);
|
$this->encrypt_login($user, $passwd);
|
||||||
$this->server = @ldap_connect($this->conf->get_ServerURL());
|
$this->server = @ldap_connect($this->conf->get_ServerURL());
|
||||||
if ($this->server) {
|
if ($this->server) {
|
||||||
// use LDAPv3
|
// use LDAPv3
|
||||||
|
|
@ -386,7 +387,7 @@ class Ldap{
|
||||||
|
|
||||||
// reconnects to LDAP server when deserialized
|
// reconnects to LDAP server when deserialized
|
||||||
function __wakeup() {
|
function __wakeup() {
|
||||||
$data = $this->decrypt();
|
$data = $this->decrypt_login();
|
||||||
$this->connect($data[0], $data[1]);
|
$this->connect($data[0], $data[1]);
|
||||||
// change random number
|
// change random number
|
||||||
mt_srand($this->rand + (microtime() * 1000000));
|
mt_srand($this->rand + (microtime() * 1000000));
|
||||||
|
|
@ -415,32 +416,74 @@ class Ldap{
|
||||||
$this->rand = mt_rand();
|
$this->rand = mt_rand();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// encrypts a string
|
||||||
|
// $data: string to encrypt
|
||||||
|
// return: encrypted string
|
||||||
|
function encrypt($data) {
|
||||||
|
// use MCrypt if available
|
||||||
|
if (function_exists(mcrypt_create_iv)) {
|
||||||
|
// read key and iv from cookie
|
||||||
|
$iv = base64_decode($_COOKIE["IV"]);
|
||||||
|
$key = base64_decode($_COOKIE["Key"]);
|
||||||
|
// encrypt string
|
||||||
|
return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
|
||||||
|
}
|
||||||
|
// use Blowfish if MCrypt is not available
|
||||||
|
else {
|
||||||
|
// read key and iv from cookie
|
||||||
|
$iv = base64_decode($_COOKIE["IV"]);
|
||||||
|
$key = base64_decode($_COOKIE["Key"]);
|
||||||
|
$b_key = $iv . $key;
|
||||||
|
// encrypt string
|
||||||
|
$b_fish = new Cipher_blowfish();
|
||||||
|
return $b_fish->encrypt($data, $b_key);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// decrypts a string
|
||||||
|
// $data: string to decrypt
|
||||||
|
// return: decrypted string
|
||||||
|
function decrypt($data) {
|
||||||
|
// use MCrypt if available
|
||||||
|
if (function_exists(mcrypt_create_iv)) {
|
||||||
|
// read key and iv from cookie
|
||||||
|
$iv = base64_decode($_COOKIE["IV"]);
|
||||||
|
$key = base64_decode($_COOKIE["Key"]);
|
||||||
|
// decrypt string
|
||||||
|
$ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
|
||||||
|
$ret = str_replace(chr(00), "", $ret);
|
||||||
|
return $ret;
|
||||||
|
}
|
||||||
|
// use Blowfish if MCrypt is not available
|
||||||
|
else {
|
||||||
|
// read key and iv from cookie
|
||||||
|
$iv = base64_decode($_COOKIE["IV"]);
|
||||||
|
$key = base64_decode($_COOKIE["Key"]);
|
||||||
|
$b_key = $iv . $key;
|
||||||
|
// decrypt string
|
||||||
|
$b_fish = new Cipher_blowfish();
|
||||||
|
return $b_fish->decrypt($data, $b_key);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// encrypts username and password
|
// encrypts username and password
|
||||||
// $username: LDAP user name
|
// $username: LDAP user name
|
||||||
// $password: LDAP password
|
// $password: LDAP password
|
||||||
function encrypt($username, $password) {
|
function encrypt_login($username, $password) {
|
||||||
// read key and iv from cookie
|
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
// encrypt username and password
|
// encrypt username and password
|
||||||
$this->username = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $username, MCRYPT_MODE_ECB, $iv));
|
$this->username = base64_encode($this->encrypt($username));
|
||||||
$this->password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $password, MCRYPT_MODE_ECB, $iv));
|
$this->password = base64_encode($this->encrypt($password));
|
||||||
}
|
}
|
||||||
|
|
||||||
// decrypts username and password
|
// decrypts username and password
|
||||||
// returns an array
|
// returns an array
|
||||||
// return[0]: user name
|
// return[0]: user name
|
||||||
// return[1]: password
|
// return[1]: password
|
||||||
function decrypt() {
|
function decrypt_login() {
|
||||||
// read key and iv from cookie
|
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
// decrypt username and password
|
// decrypt username and password
|
||||||
$username = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->username), MCRYPT_MODE_ECB, $iv);
|
$username = $this->decrypt(base64_decode($this->username));
|
||||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->password), MCRYPT_MODE_ECB, $iv);
|
$password = $this->decrypt(base64_decode($this->password));
|
||||||
$ret = array($username, $password);
|
$ret = array($username, $password);
|
||||||
$ret[0] = str_replace(chr(00), "", $ret[0]);
|
|
||||||
$ret[1] = str_replace(chr(00), "", $ret[1]);
|
|
||||||
return $ret;
|
return $ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -119,9 +119,7 @@ class posixAccount {
|
||||||
if (is_string($newpassword)) {
|
if (is_string($newpassword)) {
|
||||||
// Write new password
|
// Write new password
|
||||||
if ($newpassword!='') {
|
if ($newpassword!='') {
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$this->attributes['userPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$this->attributes['userPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
|
|
||||||
}
|
}
|
||||||
else $this->attributes['userPassword'][0] = '';
|
else $this->attributes['userPassword'][0] = '';
|
||||||
return 0;
|
return 0;
|
||||||
|
|
@ -129,10 +127,7 @@ class posixAccount {
|
||||||
else {
|
else {
|
||||||
if ($this->attributes['userPassword'][0]!='') {
|
if ($this->attributes['userPassword'][0]!='') {
|
||||||
// Read existing password if set
|
// Read existing password if set
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['userPassword'][0]));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['userPassword'][0]), MCRYPT_MODE_ECB, $iv);
|
|
||||||
$password = str_replace(chr(00), '', $password);
|
|
||||||
return $password;
|
return $password;
|
||||||
}
|
}
|
||||||
else return '';
|
else return '';
|
||||||
|
|
|
||||||
|
|
@ -108,9 +108,7 @@ class posixGroup {
|
||||||
if (is_string($newpassword)) {
|
if (is_string($newpassword)) {
|
||||||
// Write new password
|
// Write new password
|
||||||
if ($newpassword!='') {
|
if ($newpassword!='') {
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$this->attributes['userPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$this->attributes['userPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
|
|
||||||
}
|
}
|
||||||
else $this->attributes['userPassword'][0] = '';
|
else $this->attributes['userPassword'][0] = '';
|
||||||
return 0;
|
return 0;
|
||||||
|
|
@ -118,10 +116,7 @@ class posixGroup {
|
||||||
else {
|
else {
|
||||||
if ($this->attributes['userPassword'][0]!='') {
|
if ($this->attributes['userPassword'][0]!='') {
|
||||||
// Read existing password if set
|
// Read existing password if set
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['userPassword'][0]));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['userPassword'][0]), MCRYPT_MODE_ECB, $iv);
|
|
||||||
$password = str_replace(chr(00), '', $password);
|
|
||||||
return $password;
|
return $password;
|
||||||
}
|
}
|
||||||
else return '';
|
else return '';
|
||||||
|
|
|
||||||
|
|
@ -109,19 +109,14 @@ class sambaAccount {
|
||||||
function lmPassword($newpassword=false) {
|
function lmPassword($newpassword=false) {
|
||||||
if (is_string($newpassword)) {
|
if (is_string($newpassword)) {
|
||||||
// Write new password
|
// Write new password
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$this->attributes['lmPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$this->attributes['lmPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword();
|
if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword();
|
||||||
if ($this->attributes['lmPassword'][0]!='') {
|
if ($this->attributes['lmPassword'][0]!='') {
|
||||||
// Read existing password if set
|
// Read existing password if set
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['lmPassword'][0]));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['lmPassword'][0]), MCRYPT_MODE_ECB, $iv);
|
|
||||||
$password = str_replace(chr(00), '', $password);
|
|
||||||
return $password;
|
return $password;
|
||||||
}
|
}
|
||||||
else return '';
|
else return '';
|
||||||
|
|
|
||||||
|
|
@ -109,19 +109,14 @@ class sambaSamAccount {
|
||||||
function sambaLMPassword($newpassword=false) {
|
function sambaLMPassword($newpassword=false) {
|
||||||
if (is_string($newpassword)) {
|
if (is_string($newpassword)) {
|
||||||
// Write new password
|
// Write new password
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$this->attributes['sambaLMPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$this->attributes['sambaLMPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv));
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword();
|
if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword();
|
||||||
if ($this->attributes['sambaLMPassword'][0]!='') {
|
if ($this->attributes['sambaLMPassword'][0]!='') {
|
||||||
// Read existing password if set
|
// Read existing password if set
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['sambaLMPassword'][0]));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['sambaLMPassword'][0]), MCRYPT_MODE_ECB, $iv);
|
|
||||||
$password = str_replace(chr(00), '', $password);
|
|
||||||
return $password;
|
return $password;
|
||||||
}
|
}
|
||||||
else return '';
|
else return '';
|
||||||
|
|
|
||||||
|
|
@ -41,8 +41,6 @@ function createUserPDF($accounts) {
|
||||||
$pdfFile->setCreator("LDAP Account Manager (pdf.inc)");
|
$pdfFile->setCreator("LDAP Account Manager (pdf.inc)");
|
||||||
// Loop for every sumbitted account and print its values on a extra page
|
// Loop for every sumbitted account and print its values on a extra page
|
||||||
foreach ($accounts as $account) {
|
foreach ($accounts as $account) {
|
||||||
$iv = base64_decode($_COOKIE['IV']);
|
|
||||||
$key = base64_decode($_COOKIE['Key']);
|
|
||||||
$pdfFile->addPage();
|
$pdfFile->addPage();
|
||||||
// Load string with additional information from session
|
// Load string with additional information from session
|
||||||
$info_string = $_SESSION['config']->pdftext;
|
$info_string = $_SESSION['config']->pdftext;
|
||||||
|
|
@ -141,8 +139,7 @@ function createUserPDF($accounts) {
|
||||||
elseif($account->unix_password == "") {
|
elseif($account->unix_password == "") {
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$account->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account->unix_password), MCRYPT_MODE_ECB, $iv);
|
$account->unix_password = $_SESSION['ldap']->decrypt(base64_decode($account->unix_password));
|
||||||
$account->unix_password = str_replace(chr(00), '', $account->unix_password);
|
|
||||||
$pdfFile->setFont("times","B",10);
|
$pdfFile->setFont("times","B",10);
|
||||||
$pdfFile->Cell(50,5,_("Unix password") . ":",0,0,"R",0);
|
$pdfFile->Cell(50,5,_("Unix password") . ":",0,0,"R",0);
|
||||||
$pdfFile->setFont("times","",10);
|
$pdfFile->setFont("times","",10);
|
||||||
|
|
@ -199,8 +196,7 @@ function createUserPDF($accounts) {
|
||||||
elseif($account->smb_password == "") {
|
elseif($account->smb_password == "") {
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$account->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account->smb_password), MCRYPT_MODE_ECB, $iv);
|
$account->smb_password = $_SESSION['ldap']->decrypt(base64_decode($account->smb_password));
|
||||||
$account->smb_password = str_replace(chr(00), '', $account->smb_password);
|
|
||||||
$pdfFile->setFont("times","B",10);
|
$pdfFile->setFont("times","B",10);
|
||||||
$pdfFile->Cell(50,5,_("Windows password") . ":",0,0,"R",0);
|
$pdfFile->Cell(50,5,_("Windows password") . ":",0,0,"R",0);
|
||||||
$pdfFile->setFont("times","",10);
|
$pdfFile->setFont("times","",10);
|
||||||
|
|
|
||||||
|
|
@ -85,7 +85,7 @@ convsave, confmain, conflogin:
|
||||||
|
|
||||||
useredit:
|
useredit:
|
||||||
- shellist: Array mit allen shells
|
- shellist: Array mit allen shells
|
||||||
- account_old: Object account. Hier wird beim laden eines Accounts alle alten Werte zwischengespeichert
|
- account_old: Object account. Hier wird beim laden eines Accounts alle alten Werte zwischengespeichert
|
||||||
- account: Object account. Hier wird der aktuelle Eintrag gespeichert
|
- account: Object account. Hier wird der aktuelle Eintrag gespeichert
|
||||||
- final_changegids: boolean. Wenn gesetzt, werden die gids in ldap angepasst
|
- final_changegids: boolean. Wenn gesetzt, werden die gids in ldap angepasst
|
||||||
- hostDN: Array mit allen hosts.
|
- hostDN: Array mit allen hosts.
|
||||||
|
|
@ -122,9 +122,9 @@ confwiz/*.php
|
||||||
- confwiz_config: Config-Objekt mit Optionen
|
- confwiz_config: Config-Objekt mit Optionen
|
||||||
- confwiz_ldap: LDAP-Objekt
|
- confwiz_ldap: LDAP-Objekt
|
||||||
- conwiz_masterpwd: Hauptpasswort für Einstellungen, zur Überprüfung des Admins
|
- conwiz_masterpwd: Hauptpasswort für Einstellungen, zur Überprüfung des Admins
|
||||||
- confwiz_domainsid: Domänen-SID der erstellten/zuerst gefundenen Domäne
|
|
||||||
- confwiz_missing_groups: Array mit fehlenden Standard-Samba-Gruppen
|
|
||||||
- confwiz_optional: Array mit optionalen Seiten, die angezeigt werden sollen
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -311,13 +311,11 @@ switch ($_POST['select']) {
|
||||||
// Write all general values into $account_new
|
// Write all general values into $account_new
|
||||||
if (isset($_POST['f_unix_password'])) {
|
if (isset($_POST['f_unix_password'])) {
|
||||||
// Encraypt password
|
// Encraypt password
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
if ($_POST['f_unix_password'] != $_POST['f_unix_password2']) {
|
if ($_POST['f_unix_password'] != $_POST['f_unix_password2']) {
|
||||||
$errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.'));
|
$errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.'));
|
||||||
unset ($_POST['f_unix_password2']);
|
unset ($_POST['f_unix_password2']);
|
||||||
}
|
}
|
||||||
else $account_new->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $_POST['f_unix_password'], MCRYPT_MODE_ECB, $iv));
|
else $account_new->unix_password = base64_encode($_SESSION['ldap']->encrypt($_POST['f_unix_password']));
|
||||||
}
|
}
|
||||||
else $account_new->unix_password = '';
|
else $account_new->unix_password = '';
|
||||||
if ($_POST['f_unix_password_no']) $account_new->unix_password_no = true;
|
if ($_POST['f_unix_password_no']) $account_new->unix_password_no = true;
|
||||||
|
|
@ -333,9 +331,7 @@ switch ($_POST['select']) {
|
||||||
else $account_new->unix_deactivated = false;
|
else $account_new->unix_deactivated = false;
|
||||||
if ($_POST['genpass']) {
|
if ($_POST['genpass']) {
|
||||||
// Generate a random password if generate-button was pressed
|
// Generate a random password if generate-button was pressed
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$account_new->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd()));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$account_new->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, genpasswd(), MCRYPT_MODE_ECB, $iv));
|
|
||||||
unset ($_POST['f_unix_password2']);
|
unset ($_POST['f_unix_password2']);
|
||||||
// Keep unix-page acitve
|
// Keep unix-page acitve
|
||||||
$select_local = 'unix';
|
$select_local = 'unix';
|
||||||
|
|
@ -343,10 +339,7 @@ switch ($_POST['select']) {
|
||||||
// Check if values are OK and set automatic values. if not error-variable will be set
|
// Check if values are OK and set automatic values. if not error-variable will be set
|
||||||
else { // account.inc
|
else { // account.inc
|
||||||
if ($account_new->unix_password != '') {
|
if ($account_new->unix_password != '') {
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv);
|
|
||||||
$password = str_replace(chr(00), '', $password);
|
|
||||||
}
|
}
|
||||||
if (!ereg('^([a-z]|[A-Z]|[0-9]|[\|]|[\#]|[\*]|[\,]|[\.]|[\;]|[\:]|[\_]|[\-]|[\+]|[\!]|[\%]|[\&]|[\/]|[\?]|[\{]|[\[]|[\(]|[\)]|[\]]|[\}])*$', $password))
|
if (!ereg('^([a-z]|[A-Z]|[0-9]|[\|]|[\#]|[\*]|[\,]|[\.]|[\;]|[\:]|[\_]|[\-]|[\+]|[\!]|[\%]|[\&]|[\/]|[\?]|[\{]|[\[]|[\(]|[\)]|[\]]|[\}])*$', $password))
|
||||||
$errors[] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!$%&/|?{[()]}= !'));
|
$errors[] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!$%&/|?{[()]}= !'));
|
||||||
|
|
@ -412,8 +405,6 @@ switch ($_POST['select']) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
// Set Samba password
|
// Set Samba password
|
||||||
if (isset($_POST['f_smb_password']) && !$account_new->smb_useunixpwd) {
|
if (isset($_POST['f_smb_password']) && !$account_new->smb_useunixpwd) {
|
||||||
// Encraypt password
|
// Encraypt password
|
||||||
|
|
@ -421,14 +412,13 @@ switch ($_POST['select']) {
|
||||||
$errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.'));
|
$errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.'));
|
||||||
unset ($_POST['f_smb_password2']);
|
unset ($_POST['f_smb_password2']);
|
||||||
}
|
}
|
||||||
else $account_new->smb_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $_POST['f_smb_password'], MCRYPT_MODE_ECB, $iv));
|
else $account_new->smb_password = base64_encode($_SESSION['ldap']->encrypt($_POST['f_smb_password']));
|
||||||
}
|
}
|
||||||
else $account_new->smb_password = '';
|
else $account_new->smb_password = '';
|
||||||
if ( (($account_new->smb_useunixpwd && !$account_old) || ($account_new->smb_useunixpwd && $account_new->unix_password!='')) && isset($account_new->unix_password) ) {
|
if ( (($account_new->smb_useunixpwd && !$account_old) || ($account_new->smb_useunixpwd && $account_new->unix_password!='')) && isset($account_new->unix_password) ) {
|
||||||
// Set Samba-Password to unix-password if option is set
|
// Set Samba-Password to unix-password if option is set
|
||||||
$unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv);
|
$unix_password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password));
|
||||||
$smb_password = str_replace(chr(00), '', $unix_password);
|
$account_new->smb_password = base64_encode($_SESSION['ldap']->encrypt($smb_password));
|
||||||
$account_new->smb_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $smb_password, MCRYPT_MODE_ECB, $iv));
|
|
||||||
}
|
}
|
||||||
// Check values
|
// Check values
|
||||||
$account_new->smb_scriptPath = str_replace('$user', $account_new->general_username, $account_new->smb_scriptPath);
|
$account_new->smb_scriptPath = str_replace('$user', $account_new->general_username, $account_new->smb_scriptPath);
|
||||||
|
|
@ -1034,10 +1024,7 @@ switch ($select_local) {
|
||||||
// Unix Password Settings
|
// Unix Password Settings
|
||||||
// decrypt password
|
// decrypt password
|
||||||
if ($account_new->unix_password != '') {
|
if ($account_new->unix_password != '') {
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv);
|
|
||||||
$password = str_replace(chr(00), '', $password);
|
|
||||||
}
|
}
|
||||||
else $password='';
|
else $password='';
|
||||||
// Use dd-mm-yyyy format of date because it's easier to read for humans
|
// Use dd-mm-yyyy format of date because it's easier to read for humans
|
||||||
|
|
@ -1145,10 +1132,7 @@ switch ($select_local) {
|
||||||
// Samba Settings
|
// Samba Settings
|
||||||
// decrypt password
|
// decrypt password
|
||||||
if ($account_new->smb_password != '') {
|
if ($account_new->smb_password != '') {
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
$password = $_SESSION['ldap']->decrypt(base64_decode($account_new->smb_password));
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->smb_password), MCRYPT_MODE_ECB, $iv);
|
|
||||||
$password = str_replace(chr(00), '', $password);
|
|
||||||
}
|
}
|
||||||
else $password = "";
|
else $password = "";
|
||||||
if ($config_intern->is_samba3()) $samba3domains = $ldap_intern->search_domains($config_intern->get_domainSuffix());
|
if ($config_intern->is_samba3()) $samba3domains = $ldap_intern->search_domains($config_intern->get_domainSuffix());
|
||||||
|
|
|
||||||
|
|
@ -47,6 +47,14 @@ function display_LoginPage($config_object,$profile)
|
||||||
$iv = mcrypt_create_iv(32, MCRYPT_RAND);
|
$iv = mcrypt_create_iv(32, MCRYPT_RAND);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
// use Blowfish if MCrypt is not available
|
||||||
|
else {
|
||||||
|
// generate iv and key for encryption
|
||||||
|
$key = "";
|
||||||
|
$iv = "";
|
||||||
|
while (strlen($key) < 30) $key .= mt_rand();
|
||||||
|
while (strlen($iv) < 30) $iv .= mt_rand();
|
||||||
|
}
|
||||||
|
|
||||||
// save both in cookie
|
// save both in cookie
|
||||||
setcookie("Key", base64_encode($key), 0, "/");
|
setcookie("Key", base64_encode($key), 0, "/");
|
||||||
|
|
@ -113,16 +121,8 @@ function display_LoginPage($config_object,$profile)
|
||||||
</table>
|
</table>
|
||||||
<hr><br><br>
|
<hr><br><br>
|
||||||
<?php
|
<?php
|
||||||
if(! function_exists('mcrypt_create_iv')) {
|
if ((! function_exists('mHash')) && (! function_exists('sha1'))) {
|
||||||
StatusMessage("ERROR", "Your PHP does not support MCrypt, you will not be able to log in! Please install the required package.","See http://lam.sf.net/documentation/faq.html#2 for Suse/RedHat");
|
StatusMessage("INFO", "Your PHP does not support MHash or sha1(), you will only be able to use CRYPT/PLAIN/MD5/SMD5 for user passwords!", "Please install MHash or update to PHP >4.3.");
|
||||||
?>
|
|
||||||
</body>
|
|
||||||
</html>
|
|
||||||
<?php
|
|
||||||
exit;
|
|
||||||
}
|
|
||||||
if(! function_exists('mHash')) {
|
|
||||||
StatusMessage("WARN", "Your PHP does not support MHash, you will only be able to use CRYPT/PLAIN for user passwords! Please install the required package.","See http://lam.sf.net/documentation/faq.html#2 for Suse/RedHat");
|
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
<p align="center">
|
<p align="center">
|
||||||
|
|
|
||||||
|
|
@ -161,8 +161,6 @@ switch ($select) {
|
||||||
echo _('Creating users. Please stand by ....');
|
echo _('Creating users. Please stand by ....');
|
||||||
echo "</b></legend>\n<table border=0 width=\"100%\">\n";
|
echo "</b></legend>\n<table border=0 width=\"100%\">\n";
|
||||||
// Keys needed to encrypt passwords from session
|
// Keys needed to encrypt passwords from session
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
$stay=true;
|
$stay=true;
|
||||||
// Stay in loop as long there are still users to create and no error did ocour
|
// Stay in loop as long there are still users to create and no error did ocour
|
||||||
while (($_SESSION['pointer'] < sizeof($_SESSION['accounts'])) && $stay) {
|
while (($_SESSION['pointer'] < sizeof($_SESSION['accounts'])) && $stay) {
|
||||||
|
|
@ -227,8 +225,7 @@ switch ($select) {
|
||||||
$_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath);
|
$_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath);
|
||||||
$_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$user', $_SESSION['accounts'][$_SESSION['pointer']]->general_username, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome);
|
$_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$user', $_SESSION['accounts'][$_SESSION['pointer']]->general_username, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome);
|
||||||
$_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome);
|
$_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome);
|
||||||
$_SESSION['accounts'][$_SESSION['pointer']]->unix_password = base64_encode(mcrypt_encrypt(
|
$_SESSION['accounts'][$_SESSION['pointer']]->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd()));
|
||||||
MCRYPT_RIJNDAEL_256, $key, genpasswd(), MCRYPT_MODE_ECB, $iv));
|
|
||||||
$_SESSION['accounts'][$_SESSION['pointer']]->smb_password = $_SESSION['accounts'][$_SESSION['pointer']]->unix_password;
|
$_SESSION['accounts'][$_SESSION['pointer']]->smb_password = $_SESSION['accounts'][$_SESSION['pointer']]->unix_password;
|
||||||
// Only create user if we have at least 5sec time to create the user
|
// Only create user if we have at least 5sec time to create the user
|
||||||
if ( (time()-$time)<(get_cfg_var('max_execution_time')-10)) {
|
if ( (time()-$time)<(get_cfg_var('max_execution_time')-10)) {
|
||||||
|
|
@ -474,8 +471,6 @@ function loadfile() {
|
||||||
$profile->quota = array_values($profile->quota);
|
$profile->quota = array_values($profile->quota);
|
||||||
}
|
}
|
||||||
// Get keys to en/decrypt passwords
|
// Get keys to en/decrypt passwords
|
||||||
$iv = base64_decode($_COOKIE["IV"]);
|
|
||||||
$key = base64_decode($_COOKIE["Key"]);
|
|
||||||
for ($row=0; $line_array=fgetcsv($handle,2048); $row++) {
|
for ($row=0; $line_array=fgetcsv($handle,2048); $row++) {
|
||||||
// loops for every row
|
// loops for every row
|
||||||
// Set corrent user to profile
|
// Set corrent user to profile
|
||||||
|
|
@ -508,8 +503,7 @@ function loadfile() {
|
||||||
// Set DN without uid=$username
|
// Set DN without uid=$username
|
||||||
else $_SESSION['accounts'][$row]->general_dn = $_POST['f_general_suffix'];
|
else $_SESSION['accounts'][$row]->general_dn = $_POST['f_general_suffix'];
|
||||||
// Create Random Password
|
// Create Random Password
|
||||||
$_SESSION['accounts'][$row]->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
|
$_SESSION['accounts'][$row]->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd()));
|
||||||
$key, genpasswd(), MCRYPT_MODE_ECB, $iv));
|
|
||||||
$_SESSION['accounts'][$row]->smb_password=$_SESSION['accounts'][$row]->unix_password;
|
$_SESSION['accounts'][$row]->smb_password=$_SESSION['accounts'][$row]->unix_password;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue