
#63 User password change in Userportal doesn't work correctly when passwords are encrypted

Status: open
Owner: nobody
Labels: None
Priority: 1
Updated: 2014-11-09
Created: 2014-09-25
Creator: Anonymous
Private: No

Hi,

I think there is still a bug in the user password changing section of the Daloradius Userportal when using encrypted passwords (unless I'm doing something stupid which is always possible!). Below is a workflow to demonstrate. I'm using Daloradius version 0.9-9 and I've also tried the latest code in the svn trunk which contains the altered code from a previous issue (Support Request #17). User password changing works fine when using cleartext passwords but if you use MD5-Password or Unix-Crypt then there is a problem.

Firstly, login to Daloradius as administrator and set the encryption type:
In Config => User Settings: DB Password Encryption Type = md5

Then create a user:
Username: alan1
Password: password1
Password Type: MD5-Password

(And allow this user to access the Daloradius Userportal.)

Go into mysql and examine the radcheck table to see what it's added as a password:

mysql> select * from radcheck;
+----+----------+--------------+----+----------------------------------+
| id | username | attribute | op | value |
+----+----------+--------------+----+----------------------------------+
| 10 | alan1 | MD5-Password | := | 7c6a180b36896a0a8c02787eeafb0e4c |
+----+----------+--------------+----+----------------------------------+

All looks good so far.

This new user (alan1) now logs into the Daloradius Userportal and tries to change their auth password:
In Preferences => Change Auth Password:
Current Password: password1
New Password: password2

This fails with the message: "Failed updating authentication password, possibly wrong password entered for user: alan1"

The only way I can get the password change to work is by pasting the MD5 hash into the Current Password field, i.e.
Current Password: 7c6a180b36896a0a8c02787eeafb0e4c
New Password: password2

This is accepted, i.e. I get the message "Updated password for user: alan1"

If you then go into mysql and examine the radcheck table again:

mysql> select * from radcheck;
+----+----------+--------------+----+-----------+
| id | username | attribute | op | value |
+----+----------+--------------+----+-----------+
| 10 | alan1 | MD5-Password | := | password2 |
+----+----------+--------------+----+-----------+

So, something is not quite right here!

It looks like it's not encrypting the entered current password before checking it against the entry in the mysql radcheck table, and is not encrypting the new password before writing it to the radcheck table.

Alan
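As an added illustration (not daloRADIUS code, and written in Python rather than the project's PHP): a minimal password-change routine that does what the last paragraph of the report argues it should, encoding the entered current password in the stored attribute's scheme before comparing, and storing the new password encoded the same way, next to the raw comparison that reproduces the behaviour Alan observed. The radcheck row is constructed from the report's output; Crypt-Password is left out.

```python
import hashlib
import hmac

# Constructed radcheck row mirroring the one in the report (id, username, attribute, op, value).
RADCHECK = [
    {"id": 10, "username": "alan1", "attribute": "MD5-Password", "op": ":=",
     "value": "7c6a180b36896a0a8c02787eeafb0e4c"},
]


def encode_password(attribute, cleartext):
    """Encode a cleartext password the way the given radcheck attribute stores it."""
    if attribute == "Cleartext-Password":
        return cleartext
    if attribute == "MD5-Password":
        return hashlib.md5(cleartext.encode()).hexdigest()
    raise ValueError(f"unsupported password attribute: {attribute}")


def verify_current(row, entered):
    """Correct check: encode what the user typed with the stored row's scheme, then compare."""
    expected = encode_password(row["attribute"], entered)
    return hmac.compare_digest(expected, row["value"])


def verify_current_buggy(row, entered):
    """Behaviour the report describes: the raw input is compared against the stored value,
    so the cleartext is rejected and only the pasted hash is accepted."""
    return entered == row["value"]


def change_password(row, current, new):
    """Return an updated copy of the row, or None if the current password does not match.
    The new value is encoded with the same attribute scheme, never stored as cleartext."""
    if not verify_current(row, current):
        return None
    updated = dict(row)
    updated["value"] = encode_password(row["attribute"], new)
    return updated


if __name__ == "__main__":
    row = RADCHECK[0]
    print("buggy check, cleartext entered:", verify_current_buggy(row, "password1"))
    print("buggy check, hash pasted:     ", verify_current_buggy(row, row["value"]))
    print("correct check, cleartext:     ", verify_current(row, "password1"))
    print("updated row:", change_password(row, "password1", "password2"))
```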

Discussion

  • Liran Tal - 2014-10-11

    Hey Alan,

    I'm not sure about MD5 as I didn't go deep into that, but I did notice that I forgot to add the salt to MySQL's ENCRYPT() function on the creation of a new user, so I just committed to svn a fix for that. Please check that with the crypt password type and setting, also in daloradius.conf.php, and this should be fine.

    Also, as I noted in my earlier fix for this, it will only work for newly created crypt accounts.

  • Anonymous - 2014-11-07

    Hi Liran,

    Thanks for the reply. I have managed to put in a bodge which gets around the problem i.e. it encrypts the new password you've just entered before checking against the stored (encrypted) password, and then encrypts the new password you've just entered before saving it to the database. I've not thoroughly checked it against cleartext and crypt options yet so don't want to officially submit my changes until I've had some time to do this (and make sure I've not broken anything else). Will (hopefully!) get the chance to do this soon.

    Alan

  • Liran Tal - 2014-11-09

    Cool, thanks Alan!
