From b23002ad67f30927e0c831fe9a2b0f945d905163 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Thu, 8 Nov 2007 19:19:50 +0000
Subject: [PATCH] hashed password

---
 lam/HISTORY | 6 ++++
 lam/config/config.cfg_sample | 4 +--
 lam/config/lam.conf_sample | 4 +--
 lam/lib/config.inc | 48 +++++++++++++++++++++++------
 lam/templates/config/confmain.php | 6 ++--
 lam/templates/config/profmanage.php | 2 +-
 lam/tests/conf-test.php | 5 ++-
 7 files changed, 55 insertions(+), 20 deletions(-)

diff --git a/lam/HISTORY b/lam/HISTORY
index cc39f108..2486e5e2 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -1,3 +1,9 @@
+??? 2.2.0
+ - allow to switch sorting in the account lists
+ - use suffix from account list as default for new accounts (patch 1823583)
+ - Security: passwords in configuration files are now saved as hash values
+
+
 07.11.2007 2.1.0
  - tabular design for account pages
  - show DN on account pages
diff --git a/lam/config/config.cfg_sample b/lam/config/config.cfg_sample
index 120aed1c..7a4739c7 100644
--- a/lam/config/config.cfg_sample
+++ b/lam/config/config.cfg_sample
@@ -1,5 +1,5 @@
-# password to add/delete/rename configuration profiles
-password: lam
+# password to add/delete/rename configuration profiles (default: lam)
+password: {SSHA}D6AaX93kPmck9wAxNlq3GF93S7A= R7gkjQ==
 
 # default profile, without ".conf"
 default: lam
diff --git a/lam/config/lam.conf_sample b/lam/config/lam.conf_sample
index fcf0d28e..958adb28 100644
--- a/lam/config/lam.conf_sample
+++ b/lam/config/lam.conf_sample
@@ -8,8 +8,8 @@ serverURL: ldap://localhost:389
 # e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org
 admins: cn=Manager,dc=my-domain,dc=com
 
-# password to change these preferences via webfrontend
-passwd: lam
+# password to change these preferences via webfrontend (default: lam)
+passwd: {SSHA}RjBruJcTxZEdcBjPQdRBkDaSQeY= iueleA==
 
 # suffix of tree view
 # e.g. dc=yourdomain,dc=org
diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index 21a2324d..503165cc 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -467,12 +467,23 @@ class LAMConfig {
 	}
 
 	/**
-	 * Returns the password to access the preferences wizard
-	 *
-	 * @return string the password
-	 */
-	public function get_Passwd() {
-		return $this->Passwd;
+	 * Checks if the given password matches.
+	 *
+	 * @param String $password
+	 * @return boolean true, if matches
+	 */
+	public function check_Passwd($password) {
+		if (substr($this->Passwd, 0, 6) == "{SSHA}") {
+			// check hashed password
+			$value = substr($this->Passwd, 6);
+			$parts = explode(" ", $value);
+			$salt = base64_decode($parts[1]);
+			return ($this->hashPassword($password, $salt) === $this->Passwd);
+		}
+		else {
+			// old nonhashed password
+			return ($password === $this->Passwd);
+		}
 	}
 
 	/**
@@ -482,9 +493,28 @@ class LAMConfig {
 	 * @return boolean true if $value has correct format
 	 */
 	public function set_Passwd($value) {
-		if (is_string($value)) $this->Passwd = $value;
-		else return false;
-		return true;
+		if (is_string($value)) {
+			mt_srand((microtime() * 1000000));
+			$rand = mt_rand();
+			$salt0 = substr(pack("h*", md5($rand)), 0, 8);
+			$salt = substr(pack("H*", sha1($salt0 . $value)), 0, 4);
+			$this->Passwd = $this->hashPassword($value, $salt);
+			return true;
+		}
+		else {
+			return false;
+		}
+	}
+
+	/**
+	 * Returns the hashed password.
+	 *
+	 * @param String $password password
+	 * @param String $salt salt
+	 * @return String hash value
+	 */
+	private function hashPassword($password, $salt) {
+		return "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt))) . " " . base64_encode($salt);
 	}
 
 	/**
diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php
index 4264b751..8ba87281 100644
--- a/lam/templates/config/confmain.php
+++ b/lam/templates/config/confmain.php
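Review bot: `$parts[1]` in check_Passwd is read without checking that the stored value actually contains the space separator, so a hand-edited or truncated `passwd:` line raises an undefined-offset notice and `base64_decode(null)` hands an empty salt to hashPassword; guard it with `if (count($parts) < 2) return false;` before the `base64_decode` call. The `substr(...) == "{SSHA}"` prefix test is a plain string comparison, so `===` is the stricter spelling and matches the `===` used on the two return lines. The plaintext branch keeps old configuration files working, but nothing in the hunk migrates them: calling `$this->set_Passwd($password);` after a successful match in that branch would re-hash the value on the next save (whether save() runs afterwards is outside this hunk).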
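Review bot: The salt in set_Passwd is seeded with `mt_srand((microtime() * 1000000))`, and `microtime()` without `true` returns a string whose leading numeric part is only the sub-second fraction, so the seed has roughly a million possible values; the explicit reseed makes the salt less unpredictable, not more. Drop the `mt_srand` line (the generator is seeded automatically) and, on PHP versions that provide it, take the salt directly from `random_bytes(4)` instead of the md5/sha1 chain. In the same hunk hex-to-binary is done two ways, `pack("H*", ...)` in set_Passwd and `hex2bin(...)` in hashPassword; `hex2bin` is a builtin only from PHP 5.4 on, so `base64_encode(pack("H*", sha1($password . $salt)))` keeps the file consistent and avoids a dependency on a helper. The `pack("h*", ...)` (low nibble first) on the md5 line looks like it was meant to be `"H*"` as on the next line — harmless for a random value but confusing. A single salted SHA-1 pass is cheap to brute-force offline; that is inherent in the {SSHA} format chosen here, so a stronger scheme would need a format change rather than a tweak to this hunk.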
@@ -45,11 +45,10 @@ setlanguage();
 
 // get password
 if (isset($_POST['passwd'])) $passwd = $_POST['passwd'];
-if (isset($_GET["modulesback"]) || isset($_GET["typesback"])) $passwd = $_SESSION['conf_config']->get_Passwd();
 
 // check if password was entered
 // if not: load login page
-if (! $passwd) {
+if (!$passwd && !isset($_SESSION['conf_isAuthenticated'])) {
 	$_SESSION['conf_message'] = _("No password was entered!");
 	/** go back to login if password is empty */
 	require('conflogin.php');
@@ -63,7 +62,7 @@ $conf = &$_SESSION['conf_config'];
 
 // check if password is valid
 // if not: load login page
-if (!(($conf->get_Passwd()) == $passwd)) {
+if (!$conf->check_Passwd($passwd) && !($_SESSION['conf_isAuthenticated'] === $conf->file)) {
 	$sessionKeys = array_keys($_SESSION);
 	for ($i = 0; $i < sizeof($sessionKeys); $i++) {
 		if (substr($sessionKeys[$i], 0, 5) == "conf_") unset($_SESSION[$sessionKeys[$i]]);
@@ -73,6 +72,7 @@ if (!(($conf->get_Passwd()) == $passwd)) {
 	require('conflogin.php');
 	exit;
 }
+$_SESSION['conf_isAuthenticated'] = $conf->file;
 
 // check if button was pressed and if we have to save the setting or go back to login
 if (isset($_POST['back']) || isset($_POST['submitconf']) || isset($_POST['editmodules']) || isset($_POST['edittypes'])){
diff --git a/lam/templates/config/profmanage.php b/lam/templates/config/profmanage.php
index 4f81f3a4..1a92ad0e 100644
--- a/lam/templates/config/profmanage.php
+++ b/lam/templates/config/profmanage.php
@@ -79,7 +79,7 @@ if ($_POST['submit']) {
 			if ($file) {
 				// load as config and write new password
 				$conf = new LAMConfig($_POST['addprofile']);
-				$conf->Passwd = $_POST['addpassword'];
+				$conf->set_Passwd($_POST['addpassword']);
 				$conf->save();
 				$msg = _("Created new profile.");
 			}
diff --git a/lam/tests/conf-test.php b/lam/tests/conf-test.php
index 94190a34..0c9bbc44 100644
--- a/lam/tests/conf-test.php
+++ b/lam/tests/conf-test.php
@@ -39,7 +39,6 @@ echo ("
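Review bot: The new condition in the second confmain.php hunk reads `$_SESSION['conf_isAuthenticated']` without `isset`, so on every failed first login (flag not set yet) PHP emits an undefined-index notice before reaching the logout branch, while the first hunk already guards the same key with `isset`. Write it as `if (!$conf->check_Passwd($passwd) && (!isset($_SESSION['conf_isAuthenticated']) || $_SESSION['conf_isAuthenticated'] !== $conf->file)) {`. Also, `$passwd` is only assigned when `$_POST['passwd']` exists, so an already-authenticated request without a password field passes an undefined `$passwd` into check_Passwd; the `===` comparisons keep that harmless, but `$passwd = isset($_POST['passwd']) ? $_POST['passwd'] : '';` in the first hunk would make the intent explicit.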
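Review bot: `$_SESSION['conf_isAuthenticated'] = $conf->file;` in the third confmain.php hunk promotes the session to an authenticated state without rotating the session id, so an id that was fixed before the login form was submitted keeps the elevated state; call `session_regenerate_id(true);` immediately before that assignment. The only place in the diff that clears the flag again is the failure branch that unsets every `conf_*` key, so a back-to-login or logout path should do the same (whether one exists is outside this hunk).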
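Review bot: The return value of `$conf->set_Passwd($_POST['addpassword'])` in profmanage.php is ignored, and because `is_string('')` is true an empty `addpassword` field produces a profile whose password is the hash of the empty string; check `if (!isset($_POST['addpassword']) || $_POST['addpassword'] === '' || !$conf->set_Passwd($_POST['addpassword']))` and report an error instead of calling `save()`. Whether an earlier validation inside the enclosing `if ($_POST['submit'])` block already rejects empty passwords is outside this hunk.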

Starting Test...

"); echo ("Loading preferences..."); $ServerURL = $conf->get_ServerURL(); $cachetimeout = $conf->get_cacheTimeout(); -$Passwd = $conf->get_Passwd(); $Adminstring = $conf->get_Adminstring(); $Suff_users = $conf->get_Suffix('user'); $Suff_groups = $conf->get_Suffix('group'); @@ -81,7 +80,7 @@ echo ("Loading and comparing..."); $conf2 = new LAMConfig('test'); if ($conf2->get_ServerURL() != "ldap://123.345.678.123:777") echo ("
Saving ServerURL failed!
"); if ($conf2->get_cacheTimeout() != "33") echo ("
Saving Cache timeout failed!
"); -if ($conf2->get_Passwd() != "123456abcde") echo ("
Saving password failed!
"); +if (!$conf2->check_Passwd("123456abcde")) echo ("
Saving password failed!
"); if ($conf2->get_Adminstring() != "uid=test,o=test,dc=org;uid=root,o=test2,c=de") echo ("
Saving admin string failed!
"); if ($conf2->get_Suffix('user') != "ou=test,o=test,c=de") echo ("
Saving user suffix failed!
"); if ($conf2->get_Suffix('group') != "ou=testgrp,o=test,c=de") echo ("
Saving group suffix failed!
"); @@ -102,7 +101,7 @@ echo ("done
"); echo ("Restoring old preferences..."); $conf2->set_ServerURL($ServerURL); $conf2->set_cacheTimeout($cachetimeout); -$conf2->set_Passwd($Passwd); +$conf2->set_Passwd('lam'); $conf2->set_Adminstring($Adminstring); $conf2->set_Suffix('user', $Suff_users); $conf2->set_Suffix('group', $Suff_groups);