Re: [Postfixadmin-devel] config.local.php not being read.
From: David G. <da...@co...> - 2009-04-16 06:03:28
Christian Boltz wrote :
> Hello,
>
> On Tuesday, 14 April 2009, David Goodwin wrote:
> > > OK. Change to use md5/sha1/whatever (perhaps embed sha1: at the
> > > start of the string??)
> >
> > Having a reasonable salt might be a good idea too - even if it is
> > just something stupid like 'postfixadmin'
>
> Indeed, using a salt is always a good idea. However, I don't like the
> static value.
>
> I just committed a modified version of setup.php (r629) which uses hashed
> and salted passwords (sorry, no pepper ;-)
>
> The salt is an md5-hash computed from the remote IP, the time and a
> random value. This might not be cryptically perfect, but I doubt there
> will be two postfixadmin installations using the same salt ;-)
> (Of course, when checking against the password in config.inc.php, the
> salt is read from $CONF.)
>
> The salt and the password are then hashed with sha1.
>
> If someone enters a wrong setup password, he will get the hash of
> his/her password displayed copy&paste ready for inclusion in
> config.inc.php.
>
>
> Please proofread my code - this is highly security relevant, therefore
> another pair of eyes is a good idea. Also test setup.php with valid
> and invalid setup passwords.
>
> Note: I'll remove the check for $CONF['setup_password'] from common.php
> again because:
> - it's no longer really needed - no hashed password will result in
>   something simple like "changeme" or an empty string
> - checking the setup_password in setup.php (the only place where it is
>   used) is enough
> - blocking the whole postfixadmin just because the setup password has
>   not been set (= current behaviour) will cause lots of needless
>   problems if someone upgrades from a previous version.
> - The admin _will_ setup a password for sure as soon as he needs to
>   create a super-admin via setup.php ;-)
> - (if I missed an argument why to keep the check in common.php, please
>   speak up!)
>
> I also think that we no longer need to use the "developer hack"
> $CONF['configured'] = 'I_know_the_risk_of_not_deleting_setup.php'
> and should remove the code sections checking for it (index.php,
> login.php).

I agree.

I'll try and review the code shortly; I did wonder if the setup_password
would be better off stored in the database, and we just supply a trivial
'passwd' type script which (when run) allows 'root' to set/change it?

At the very least, I suspect we need to make it easy for people to
generate the hashed value.... else we'll have zillions of forum posts.

David.

-- 
David Goodwin

[ david at codepoets dot co dot uk ]
[ http://www.codepoets.co.uk ]
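
The scheme discussed in this message (a per-installation salt, sha1 over salt and password, and an easy way to generate the value for config.inc.php), sketched as an added example that is not part of the original post and is not PostfixAdmin's setup.php. The function names, the `salt:hash` storage layout and the concatenation order are assumptions; the thread does not state them.

```php
<?php
// Added illustration, not PostfixAdmin code. Function names and the
// "salt:hash" layout are assumptions made for this example.

// Salt as described in the thread: md5 over remote IP, time and a random value.
function make_salt(string $remoteIp): string
{
    return md5($remoteIp . microtime() . bin2hex(random_bytes(16)));
}

// Salt and password are hashed together with sha1; the salt is kept in front
// of the hash so the verifier can read it back from the stored value.
function encrypt_setup_password(string $password, string $salt): string
{
    return $salt . ':' . sha1($salt . ':' . $password);
}

// $stored stands in for $CONF['setup_password'] from config.inc.php.
function check_setup_password(string $password, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        // An empty or unhashed placeholder such as "changeme" never matches.
        return false;
    }
    $candidate = encrypt_setup_password($password, $parts[0]);
    // Constant-time comparison avoids leaking how many characters matched.
    return hash_equals($stored, $candidate);
}

// Generator for the config line, run from the command line with a
// constructed sample address: php example.php 'my setup password'
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $stored = encrypt_setup_password($argv[1], make_salt('127.0.0.1'));
    echo "\$CONF['setup_password'] = '" . $stored . "';\n";
    var_dump(check_setup_password($argv[1], $stored));
    var_dump(check_setup_password('changeme', 'changeme'));
}
```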