Set default password hashing algorithm to SHA512
If there is no good reason to keep MD5 as the password hashing function, it would be nice to make SHA512 the default password hashing algorithm. If this is not possible, at least make it possible to switch to it from the config file.
I have a patch file which makes this possible. This sample uses the default number of rounds, but it is easy to add a rounds parameter and make it much more secure.
-
Step - Update the SQL tables `client` and `sys_user`:

ALTER TABLE `client` CHANGE `password` `password` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL;
ALTER TABLE `sys_user` CHANGE `passwort` `passwort` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT '';
-
This patch is made for 3.0.5.4p5:
diff -rupNB ispconfig/interface/lib/classes/auth.inc.php ispconfig-sha512/interface/lib/classes/auth.inc.php
--- ispconfig/interface/lib/classes/auth.inc.php 2014-11-16 01:42:20.000000000 +0000
+++ ispconfig-sha512/interface/lib/classes/auth.inc.php 2015-01-03 21:20:48.060287269 +0000
@@ -163,9 +163,9 @@ class auth {
}
public function crypt_password($cleartext_password) {
- $salt="$1$";
+ $salt="$6$";
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
- for ($n=0;$n<8;$n++) {
+ for ($n=0;$n<12;$n++) {
$salt.=$base64_alphabet[mt_rand(0, 63)];
}
$salt.="$";
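Review bot: The salt characters are still drawn from `mt_rand(0, 63)` on the unchanged line `$salt.=$base64_alphabet[mt_rand(0, 63)];`, a seeded non-cryptographic generator, and changing the prefix to `$6$` and the length to 12 does not alter that; the identical loop is repeated in the users_edit.php, client_edit.php and both reseller_edit.php hunks. On PHP 7 this is a one-token change to `random_int(0, 63)`; for the PHP 5.x builds this 2015 release presumably still supports, `openssl_random_pseudo_bytes()` is the usual source, so the project's minimum PHP version decides which. The body of `crypt_password()` continues past the end of the hunk, so the `crypt()` call and its return are not visible here; if glibc lacks the `$6$` scheme, `crypt()` returns `*0`, and the caller should refuse to store that string rather than save it as a hash.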
diff -rupNB ispconfig/interface/web/admin/users_edit.php ispconfig-sha512/interface/web/admin/users_edit.php
--- ispconfig/interface/web/admin/users_edit.php 2014-11-16 01:42:20.000000000 +0000
+++ ispconfig-sha512/interface/web/admin/users_edit.php 2015-01-03 21:20:57.223502200 +0000
@@ -113,9 +113,9 @@ class page_action extends tform_actions
// password changed
if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord["passwort"]) && $this->dataRecord["passwort"] != '') {
$password = $app->db->quote($this->dataRecord["passwort"]);
- $salt="$1$";
+ $salt="$6$";
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
- for ($n=0;$n<8;$n++) {
+ for ($n=0;$n<12;$n++) {
$salt.=$base64_alphabet[mt_rand(0, 63)];
}
$salt.="$";
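Review bot: The salt-building loop is copied verbatim into this page instead of reusing the `crypt_password()` method that the auth.inc.php hunk of this same patch already changes, which is why the `$1$`→`$6$` and 8→12 edits had to be repeated here, in client_edit.php and twice in reseller_edit.php, and a future rounds parameter would have to be added in five places. The enclosing `if` begins before the hunk and the eventual `crypt()` call and assignment to `$password` lie after it, so I cannot see where the salt is consumed. Replacing the loop with a single call to the shared helper, e.g. `$password = $app->db->quote(<auth instance>->crypt_password($this->dataRecord["passwort"]));`, would make the hash scheme a single point of change; note that the existing line above applies `$app->db->quote()` to the cleartext before hashing, so the quoting would move to the hashed value (how the auth object is reached from the page is not shown in the hunk).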
diff -rupNB ispconfig/interface/web/client/client_edit.php ispconfig-sha512/interface/web/client/client_edit.php
--- ispconfig/interface/web/client/client_edit.php 2014-11-16 01:42:20.000000000 +0000
+++ ispconfig-sha512/interface/web/client/client_edit.php 2015-01-03 21:21:06.224713334 +0000
@@ -402,9 +402,9 @@ class page_action extends tform_actions
// password changed
if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord["password"]) && $this->dataRecord["password"] != '') {
$password = $app->db->quote($this->dataRecord["password"]);
- $salt="$1$";
+ $salt="$6$";
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
- for ($n=0;$n<8;$n++) {
+ for ($n=0;$n<12;$n++) {
$salt.=$base64_alphabet[mt_rand(0, 63)];
}
$salt.="$";
diff -rupNB ispconfig/interface/web/client/reseller_edit.php ispconfig-sha512/interface/web/client/reseller_edit.php
--- ispconfig/interface/web/client/reseller_edit.php 2014-11-16 01:42:20.000000000 +0000
+++ ispconfig-sha512/interface/web/client/reseller_edit.php 2015-01-03 21:21:21.999083346 +0000
@@ -219,9 +219,9 @@ class page_action extends tform_actions
$active = 1;
$language = $app->db->quote($this->dataRecord["language"]);
- $salt="$1$";
+ $salt="$6$";
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
- for ($n=0;$n<8;$n++) {
+ for ($n=0;$n<12;$n++) {
$salt.=$base64_alphabet[mt_rand(0, 63)];
}
$salt.="$";
@@ -335,9 +335,9 @@ class page_action extends tform_actions
if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord["password"]) && $this->dataRecord["password"] != '') {
$password = $app->db->quote($this->dataRecord["password"]);
$client_id = $this->id;
- $salt="$1$";
+ $salt="$6$";
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
- for ($n=0;$n<8;$n++) {
+ for ($n=0;$n<12;$n++) {
$salt.=$base64_alphabet[mt_rand(0, 63)];
}
$salt.="$";
diff -rupNB ispconfig/interface/web/login/index.php ispconfig-sha512/interface/web/login/index.php
--- ispconfig/interface/web/login/index.php 2014-11-16 01:42:20.000000000 +0000
+++ ispconfig-sha512/interface/web/login/index.php 2015-01-03 22:10:53.058352035 +0000
@@ -165,7 +165,15 @@ class login_index {
$user = false;
if($mailuser) {
$saved_password = stripslashes($mailuser['password']);
- $salt = '$1$'.substr($saved_password, 3, 8).'$';
+// $salt = '$1$'.substr($saved_password, 3, 8).'$';
+ if(substr($saved_password, 0, 3) == '$1$') {
+ //* The password is crypt-md5 encrypted
+ $salt = '$1$'.substr($saved_password, 3, 8).'$';
+ } elseif(substr($saved_password, 0, 3) == '$6$') {
+ //* The password is crypt-sha512 encrypted
+ $salt = '$6$'.substr($saved_password, 3, 12).'$';
+ }
+
//* Check if mailuser password is correct
if(crypt(stripslashes($passwort), $salt) == $saved_password) {
//* we build a fake user here which has access to the mailuser module only and userid 0
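Review bot: `$salt` is now assigned only inside the `$1$` and `$6$` branches, so a stored mailuser password with any other prefix reaches `crypt(stripslashes($passwort), $salt)` with `$salt` undefined, whereas before the change it was always set. Since `crypt()` reads only the salt portion of its second argument, the prefix parsing and hard-coded salt lengths (12 here, 16 for `$5$` in the next hunk) can be dropped entirely: `if(crypt(stripslashes($passwort), $saved_password) == $saved_password) {` verifies every scheme, keeps working if a rounds= parameter is added as the description proposes, and cannot leave `$salt` unset. The commented-out old line `// $salt = '$1$'.substr($saved_password, 3, 8).'$';` should be removed rather than kept as dead code. On the same basis, the comment added in the next hunk calling the 16-character `$5$` salt "probably broken" is unfounded — sha256-crypt salts are up to 16 characters — and that comment should not be committed.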
@@ -203,6 +211,13 @@ class login_index {
} elseif(substr($saved_password, 0, 3) == '$5$') {
//* The password is crypt-sha256 encrypted
$salt = '$5$'.substr($saved_password, 3, 16).'$';
+// This is probably broken line. It should be: $salt = '$5$'.substr($saved_password, 3, 12).'$';
+ if(crypt(stripslashes($passwort), $salt) != $saved_password) {
+ $user = false;
+ }
+ } elseif(substr($saved_password, 0, 3) == '$6$') {
+ //* The password is crypt-sha512 encrypted
+ $salt = '$6$'.substr($saved_password, 3, 12).'$';
if(crypt(stripslashes($passwort), $salt) != $saved_password) {
$user = false;