diff --git a/lam/config/lam.conf_sample b/lam/config/lam.conf_sample
index 9b56289d..341a16c6 100644
--- a/lam/config/lam.conf_sample
+++ b/lam/config/lam.conf_sample
@@ -71,4 +71,6 @@ modules: posixAccount_minMachine: 50000
modules: posixAccount_maxMachine: 60000
modules: posixGroup_minGID: 10000
modules: posixGroup_maxGID: 20000
+modules: posixGroup_pwdHash: SSHA
+modules: posixAccount_pwdHash: SSHA
diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index 109876f9..fa80b4e6 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -179,4 +179,94 @@ function ntPassword($password) {
return exec(escapeshellarg($_SESSION['lampath'] . 'lib/createntlm.pl') . " nt " . escapeshellarg($password));
}
+/**
+* Returns the hash value of a plain text password
+* the hash algorithm depends on the configuration file
+*
+* @param string $password the password string
+* @param boolean $enabled marks the hash as enabled/disabled (e.g. by prefixing "!")
+* @param string $hashType password hash type (CRYPT, SHA, SSHA, MD5, SMD5, PLAIN)
+* @return string the password hash
+*/
+function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
+ // check for empty password
+ if (! $password || ($password == "")) {
+ return "";
+ }
+ // calculate new random number
+ $_SESSION['ldap']->new_rand();
+ $hash = "";
+ switch ($hashType) {
+ case 'CRYPT':
+ $hash = "{CRYPT}" . crypt($password);
+ break;
+ case 'MD5':
+ $hash = "{MD5}" . base64_encode(hex2bin(md5($password)));
+ break;
+ case 'SMD5':
+ $salt0 = substr(pack("h*", md5($_SESSION['ldap']->rand)), 0, 8);
+ $salt = substr(pack("H*", md5($salt0 . $password)), 0, 4);
+ $hash = "{SMD5}" . base64_encode(hex2bin(md5($password . $salt)) . $salt);
+ break;
+ case 'SHA':
+ // PHP 4.3+ can use sha1() function
+ if (function_exists(sha1)) {
+ $hash = "{SHA}" . base64_encode(hex2bin(sha1($password)));
+ }
+ // otherwise use MHash
+ elseif (function_exists(mHash)) {
+ $hash = "{SHA}" . base64_encode(mHash(MHASH_SHA1, $password));
+ }
+ // if SHA1 is not possible use crypt()
+ else {
+ $hash = "{CRYPT}" . crypt($password);
+ }
+ break;
+ case 'SSHA':
+ // PHP 4.3+ can use sha1() function
+ if (function_exists(sha1)) {
+ $salt0 = substr(pack("h*", md5($_SESSION['ldap']->rand)), 0, 8);
+ $salt = substr(pack("H*", sha1($salt0 . $password)), 0, 4);
+ $hash = "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt)) . $salt);
+ }
+ // otherwise use MHash
+ elseif (function_exists(mHash)) {
+ $salt = mhash_keygen_s2k(MHASH_SHA1, $password, substr(pack("h*", md5($_SESSION['ldap']->rand)), 0, 8), 4);
+ $hash = base64_encode(mHash(MHASH_SHA1, $password . $salt) . $salt);
+ $hash = "{SSHA}" . $hash;
+ }
+ // if SSHA is not possible use crypt()
+ else {
+ $hash = "{CRYPT}" . crypt($password);
+ }
+ break;
+ case 'PLAIN':
+ $hash = $password;
+ break;
+ // use SSHA if the setting is invalid
+ default:
+ // PHP 4.3+ can use sha1() function
+ if (function_exists(sha1)) {
+ $salt0 = substr(pack("h*", md5($_SESSION['ldap']->rand)), 0, 8);
+ $salt = substr(pack("H*", sha1($salt0 . $password)), 0, 4);
+ $hash = "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt)) . $salt);
+ }
+ // otherwise use MHash
+ elseif (function_exists(mHash)) {
+ $salt = mhash_keygen_s2k(MHASH_SHA1, $password, substr(pack("h*", md5($_SESSION['ldap']->rand)), 0, 8), 4);
+ $hash = base64_encode(mHash(MHASH_SHA1, $password . $salt) . $salt);
+ $hash = "{SSHA}" . $hash;
+ }
+ // if SSHA is not possible use crypt()
+ else {
+ $hash = "{CRYPT}" . crypt($password);
+ }
+ break;
+ }
+ // enable/disable password
+ if (! $enabled) return pwd_disable($hash);
+ else return $hash;
+}
+
+
?>
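Review bot: The new `$hashType` parameter is compared case-sensitively by the `switch`, while the removed `Config::get_pwdhash()` upper-cased the configured value and `set_pwdhash()` accepted it case-insensitively, so a configuration carrying `crypt` or `md5` now lands in the `default` branch and is silently written as SSHA instead of the requested algorithm. Normalising once at the top, `$hashType = strtoupper((string) $hashType);`, restores the old behaviour and also lets the duplicated `default` body be folded into the SSHA case as `case 'SSHA':` immediately followed by `default:`. Separately, `function_exists(sha1)` and `function_exists(mHash)` pass bare constants rather than strings and only work through undefined-constant coercion; they should read `function_exists('sha1')` and `function_exists('mHash')`. The 4-byte salt is derived from `md5($_SESSION['ldap']->rand)` and the password itself rather than read from a random source; whether that is adequate depends on what `new_rand()` produces, which is outside this hunk.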
diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index b085cc14..473b3aa4 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -154,9 +154,6 @@ class Config {
/** LDAP cache timeout */
var $cachetimeout;
- /** Password hash algorithm */
- var $pwdhash;
-
/**
* Account modules
* TODO add default modules for LAM <0.5
@@ -171,7 +168,7 @@ class Config {
/** List of all settings in config file */
var $settings = array("ServerURL", "Passwd", "Admins", "usersuffix", "groupsuffix", "hostsuffix",
"domainsuffix", "userlistAttributes", "grouplistAttributes", "hostlistAttributes", "maxlistentries",
- "defaultLanguage", "scriptPath", "scriptServer", "cachetimeout", "pwdhash",
+ "defaultLanguage", "scriptPath", "scriptServer", "cachetimeout",
"usermodules", "groupmodules", "hostmodules", "modules");
@@ -293,7 +290,6 @@ class Config {
if (!in_array("scriptPath", $saved)) array_push($file_array, "\n\n# Path to external Script\n" . "scriptPath: " . $this->scriptPath . "\n");
if (!in_array("scriptServer", $saved)) array_push($file_array, "\n\n# Server of external Script\n" . "scriptServer: " . $this->scriptServer . "\n");
if (!in_array("cachetimeout", $saved)) array_push($file_array, "\n\n# Number of minutes LAM caches LDAP searches.\n" . "cacheTimeout: " . $this->cachetimeout . "\n");
- if (!in_array("pwdhash", $saved)) array_push($file_array, "\n\n# Password hash algorithm (CRYPT/MD5/SMD5/SHA/SSHA/PLAIN).\n" . "pwdhash: " . $this->pwdhash . "\n");
if (!in_array("usermodules", $saved)) array_push($file_array, "\n\n# List of used user modules\n" . "usermodules: " . $this->usermodules . "\n");
if (!in_array("groupmodules", $saved)) array_push($file_array, "\n\n# List of used group modules\n" . "groupmodules: " . $this->groupmodules . "\n");
if (!in_array("hostmodules", $saved)) array_push($file_array, "\n\n# List of used host modules\n" . "hostmodules: " . $this->hostmodules . "\n");
@@ -320,7 +316,6 @@ class Config {
/** Prints current preferences */
function printconf() {
echo "" . _("Server address") . ": " . $this->ServerURL . "
\n";
- echo "" . _("Password hash type") . ": " . $this->pwdhash . "
\n";
echo "" . _("Cache timeout") . ": " . $this->cachetimeout . "
\n";
echo "" . _("UserSuffix") . ": " . $this->usersuffix . "
\n";
echo "" . _("GroupSuffix") . ": " . $this->groupsuffix . "
\n";
@@ -714,30 +709,6 @@ class Config {
return true;
}
- /**
- * Returns the password hash type
- *
- * @return password hash
- */
- function get_pwdhash() {
- if ($this->pwdhash) return strtoupper($this->pwdhash);
- else return "SSHA";
- }
-
- /**
- * Sets the password hash type (CRYPT/SHA/SSHA/MD5/SMD5)
- *
- * @param $value new password hash algorithm
- * @return true if $value has correct format
- */
- function set_pwdhash($value) {
- if (is_string($value) && eregi("^(crypt|sha|ssha|md5|smd5|plain)$", $value)) {
- $this->pwdhash = $value;
- }
- else return false;
- return true;
- }
-
/**
* Returns an array of all selected user modules
*
diff --git a/lam/lib/ldap.inc b/lam/lib/ldap.inc
index f596f3a7..4a24b4e5 100644
--- a/lam/lib/ldap.inc
+++ b/lam/lib/ldap.inc
@@ -43,96 +43,6 @@ function hex2bin($value) {
return pack("H*", $value);
}
-/**
-* Returns the hash value of a plain text password
-* the hash algorithm depends on the configuration file
-*
-* @param string $password the password string
-* @param boolean $enabled marks the hash as enabled/disabled (e.g. by prefixing "!")
-* @return string the password hash
-*/
-function pwd_hash($password, $enabled=true) {
- // check for empty password
- if (! $password || ($password == "")) {
- return "";
- }
- // calculate new random number
- $_SESSION['ldap']->new_rand();
- // hash password with algorithm from config file
- $hash = "";
- switch ($_SESSION['config']->get_pwdhash()) {
- case 'CRYPT':
- $hash = "{CRYPT}" . crypt($password);
- break;
- case 'MD5':
- $hash = "{MD5}" . base64_encode(hex2bin(md5($password)));
- break;
- case 'SMD5':
- $salt0 = substr(pack("h*", md5($_SESSION['ldap']->rand)), 0, 8);
- $salt = substr(pack("H*", md5($salt0 . $password)), 0, 4);
- $hash = "{SMD5}" . base64_encode(hex2bin(md5($password . $salt)) . $salt);
- break;
- case 'SHA':
- // PHP 4.3+ can use sha1() function
- if (function_exists(sha1)) {
- $hash = "{SHA}" . base64_encode(hex2bin(sha1($password)));
- }
- // otherwise use MHash
- elseif (function_exists(mHash)) {
- $hash = "{SHA}" . base64_encode(mHash(MHASH_SHA1, $password));
- }
- // if SHA1 is not possible use crypt()
- else {
- $hash = "{CRYPT}" . crypt($password);
- }
- break;
- case 'SSHA':
- // PHP 4.3+ can use sha1() function
- if (function_exists(sha1)) {
- $salt0 = substr(pack("h*", md5($_SESSION['ldap']->rand)), 0, 8);
- $salt = substr(pack("H*", sha1($salt0 . $password)), 0, 4);
- $hash = "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt)) . $salt);
- }
- // otherwise use MHash
- elseif (function_exists(mHash)) {
- $salt = mhash_keygen_s2k(MHASH_SHA1, $password, substr(pack("h*", md5($_SESSION['ldap']->rand)), 0, 8), 4);
- $hash = base64_encode(mHash(MHASH_SHA1, $password . $salt) . $salt);
- $hash = "{SSHA}" . $hash;
- }
- // if SSHA is not possible use crypt()
- else {
- $hash = "{CRYPT}" . crypt($password);
- }
- break;
- case 'PLAIN':
- $hash = $password;
- break;
- // use SSHA if the setting is invalid
- default:
- // PHP 4.3+ can use sha1() function
- if (function_exists(sha1)) {
- $salt0 = substr(pack("h*", md5($_SESSION['ldap']->rand)), 0, 8);
- $salt = substr(pack("H*", sha1($salt0 . $password)), 0, 4);
- $hash = "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt)) . $salt);
- }
- // otherwise use MHash
- elseif (function_exists(mHash)) {
- $salt = mhash_keygen_s2k(MHASH_SHA1, $password, substr(pack("h*", md5($_SESSION['ldap']->rand)), 0, 8), 4);
- $hash = base64_encode(mHash(MHASH_SHA1, $password . $salt) . $salt);
- $hash = "{SSHA}" . $hash;
- }
- // if SSHA is not possible use crypt()
- else {
- $hash = "{CRYPT}" . crypt($password);
- }
- break;
- }
- // enable/disable password
- if (! $enabled) return pwd_disable($hash);
- else return $hash;
-}
-
-
/**
* Marks an password hash as enabled and returns the new hash string
*
diff --git a/lam/lib/modules/posixAccount.inc b/lam/lib/modules/posixAccount.inc
index 33716a63..f5648b8a 100644
--- a/lam/lib/modules/posixAccount.inc
+++ b/lam/lib/modules/posixAccount.inc
@@ -117,6 +117,16 @@ class posixAccount extends baseModule {
4 => array('kind' => 'input', 'name' => 'posixAccount_maxMachine', 'type' => 'text', 'size' => '10', 'maxlength' => '255'),
5 => array('kind' => 'help', 'value' => 'TODO'))
);
+ $return['config_options']['all'] = array(
+ array(
+ 0 => array('kind' => 'text', 'text' => '' . _("Password hash type") . ': '),
+ 1 => array('kind' => 'select', 'name' => 'posixAccount_pwdHash', 'size' => '1',
+ 'options' => array("CRYPT", "SHA", "SSHA", "MD5", "SMD5", "PLAIN"), 'options_selected' => array('SSHA')),
+ 2 => array('kind' => 'text', 'value' => ' '),
+ 3 => array('kind' => 'text', 'value' => ' '),
+ 4 => array('kind' => 'text', 'value' => ' '),
+ 5 => array('kind' => 'help', 'value' => 'TODO'))
+ );
// configuration descriptions
$return['config_descriptions'] = array(
'legend' => _("UID ranges for Unix accounts"),
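Review bot: The help entry for the new `posixAccount_pwdHash` select is the placeholder `'value' => 'TODO'`, so the option ships with no user-facing explanation of the hash types offered; the posixGroup.inc config hunk adds the same placeholder for `posixGroup_pwdHash`. Index 0 of the new row uses the key `'text'` while indices 2 to 4 use `'value'` for the same `'text'` kind; if the renderer reads only one of those keys, one side renders empty, so this is worth confirming against the existing rows.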
@@ -125,6 +135,7 @@ class posixAccount extends baseModule {
'posixAccount_maxUID' => _("Maximum UID number for Unix accounts (users)"),
'posixAccount_minMachine' => _("Minimum UID number for Unix accounts (hosts)"),
'posixAccount_maxMachine' => _("Maximum UID number for Unix accounts (hosts)"),
+ 'posixAccount_pwdHash' => _("Password hash type"),
)
);
return $return;
@@ -314,15 +325,15 @@ class posixAccount extends baseModule {
if (count($this->orig['userPassword'])==0) {
// New user or no old password set
if ($this->userPassword_no) {
- $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash ('', !$this->userPassword_lock);
+ $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash('', !$this->userPassword_lock, $this->moduleSettings['posixAccount_pwdHash'][0]);
}
- else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash ($this->userPassword(), !$this->userPassword_lock));
+ else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash($this->userPassword(), !$this->userPassword_lock, $this->moduleSettings['posixAccount_pwdHash'][0]));
}
else {
if (($this->attributes['userPassword'][0] != $this->orig['userPassword'][0] && $this->userPassword()!='' ) || $this->userPassword_no) {
// Write new password
- if ($this->userPassword_no) $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash ('', !$this->userPassword_lock);
- else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash ($this->userPassword(), !$this->userPassword_lock));
+ if ($this->userPassword_no) $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash('', !$this->userPassword_lock, $this->moduleSettings['posixAccount_pwdHash'][0]);
+ else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash($this->userPassword(), !$this->userPassword_lock, $this->moduleSettings['posixAccount_pwdHash'][0]));
}
else { // No new password but old password
// (un)lock password
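Review bot: Every new call site reads `$this->moduleSettings['posixAccount_pwdHash'][0]` without checking that the key exists, so a configuration written before this option was introduced raises an undefined-index notice and hands `null` to `pwd_hash()`; the `default` branch then yields SSHA, so the stored hash is still usable, but the notice is emitted on every password write. Computing `$hashType = isset($this->moduleSettings['posixAccount_pwdHash'][0]) ? $this->moduleSettings['posixAccount_pwdHash'][0] : 'SSHA';` once before the branch removes the notice and shortens the four call lines. The same pattern is repeated in the posixGroup.inc hunk with `posixGroup_pwdHash`. The enclosing method starts and ends outside the hunk.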
diff --git a/lam/lib/modules/posixGroup.inc b/lam/lib/modules/posixGroup.inc
index bfebd1a2..d3d80b99 100644
--- a/lam/lib/modules/posixGroup.inc
+++ b/lam/lib/modules/posixGroup.inc
@@ -95,12 +95,23 @@ class posixGroup extends baseModule {
4 => array('kind' => 'input', 'name' => 'posixGroup_maxGID', 'type' => 'text', 'size' => '10', 'maxlength' => '255'),
5 => array('kind' => 'help', 'value' => 'TODO'))
);
+ $return['config_options']['all'] = array(
+ array(
+ 0 => array('kind' => 'text', 'text' => '' . _("Password hash type") . ': '),
+ 1 => array('kind' => 'select', 'name' => 'posixGroup_pwdHash', 'size' => '1',
+ 'options' => array("CRYPT", "SHA", "SSHA", "MD5", "SMD5", "PLAIN"), 'options_selected' => array('SSHA')),
+ 2 => array('kind' => 'text', 'value' => ' '),
+ 3 => array('kind' => 'text', 'value' => ' '),
+ 4 => array('kind' => 'text', 'value' => ' '),
+ 5 => array('kind' => 'help', 'value' => 'TODO'))
+ );
// configuration descriptions
$return['config_descriptions'] = array(
'legend' => _("GID ranges for Unix groups"),
'descriptions' => array(
'posixGroup_minGID' => _("Minimum GID number for Unix groups"),
'posixGroup_maxGID' => _("Maximum GID number for Unix groups"),
+ 'posixGroup_pwdHash' => _("Password hash type"),
)
);
// configuration checks
@@ -269,15 +280,15 @@ class posixGroup extends baseModule {
if (count($this->orig['userPassword'])==0) {
// New user or no old password set
if ($this->userPassword_no) {
- $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash ('', !$this->userPassword_lock);
+ $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash('', !$this->userPassword_lock, $this->moduleSettings['posixGroup_pwdHash'][0]);
}
- else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash ($this->userPassword(), !$this->userPassword_lock));
+ else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash($this->userPassword(), !$this->userPassword_lock, $this->moduleSettings['posixGroup_pwdHash'][0]));
}
else {
if (($this->attributes['userPassword'][0] != $this->orig['userPassword'][0] && $this->userPassword()!='' ) || $this->userPassword_no) {
// Write new password
- if ($this->userPassword_no) $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash ('', !$this->userPassword_lock);
- else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash ($this->userPassword(), !$this->userPassword_lock));
+ if ($this->userPassword_no) $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash('', !$this->userPassword_lock, $this->moduleSettings['posixGroup_pwdHash'][0]);
+ else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash($this->userPassword(), !$this->userPassword_lock, $this->moduleSettings['posixGroup_pwdHash'][0]));
}
else { // No new password but old password
// (un)lock password
diff --git a/lam/templates/config/conflogin.php b/lam/templates/config/conflogin.php
index 8001cedc..62ed2cf6 100644
--- a/lam/templates/config/conflogin.php
+++ b/lam/templates/config/conflogin.php
@@ -57,7 +57,6 @@ unset($_SESSION['conf_maxlistentries']);
unset($_SESSION['conf_lang']);
unset($_SESSION['conf_scriptpath']);
unset($_SESSION['conf_scriptserver']);
-unset($_SESSION['conf_pwdhash']);
unset($_SESSION['conf_filename']);
echo $_SESSION['header'];
diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php
index a612810e..5972053e 100644
--- a/lam/templates/config/confmain.php
+++ b/lam/templates/config/confmain.php
@@ -62,7 +62,6 @@ if ($_POST['back'] || $_POST['submitconf'] || $_POST['editmodules']){
$_SESSION['conf_hstlstattr'] = $_POST['hstlstattr'];
$_SESSION['conf_maxlistentries'] = $_POST['maxlistentries'];
$_SESSION['conf_lang'] = $_POST['lang'];
- $_SESSION['conf_pwdhash'] = $_POST['pwdhash'];
$_SESSION['conf_scriptpath'] = $_POST['scriptpath'];
$_SESSION['conf_scriptserver'] = $_POST['scriptserver'];
$_SESSION['conf_usermodules'] = explode(",", $_POST['usermodules']);
@@ -130,7 +129,6 @@ if ($_GET["modulesback"] == "true") {
$conf->set_defaultLanguage($_SESSION['conf_lang']);
$conf->set_scriptpath($_SESSION['conf_scriptpath']);
$conf->set_scriptserver($_SESSION['conf_scriptserver']);
- $conf->set_pwdhash($_SESSION['conf_pwdhash']);
// check if modules were edited
if ($_GET["moduleschanged"] == "true") {
$conf->set_UserModules($_SESSION['conf_usermodules']);
@@ -187,22 +185,6 @@ echo ("