From: Cleber P. de S. <cle...@gm...> - 2007-06-07 17:06:55
Hi list,

I did some changes in change_ldappass plugin because this module didn't treat SSHA password hashes properly. How can I contribute this piece of code? I tried to contact fo...@sh... but I didn't get an answer. I also think about some other minor changes in the code to improve password restrictions.

Thanks,

--
***
Cleber P. de Souza
From: Alexandros F. <al...@ec...> - 2007-06-07 17:40:09
On Thu, June 7, 2007 8:06 pm, Cleber P. de Souza wrote:
> Hi list,
>
> I did some changes in change_ldappass plugin because this module
> didn't treat properly SSHA password hashes. How can I contribute this piece
> of code? I tried to contact fo...@sh... but I didn't get an answer. I
> also think about some other minor changes in the code to improve password
> restrictions.
>
> Thanks,
>
> --
> ***
> Cleber P. de Souza

I had similar problems with SSHA passwords. In functions.php I replaced

    if ($lpass != $cpass)

with

    if (strcmp($lpass,$cpass))

and it works now :)

Alexandros

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From: Cleber P. de S. <cle...@gm...> - 2007-06-07 18:02:31
The problem with SSHA is that each time you set an SSHA password hash they are different (try slappasswd twice for the same password). I think you misunderstood the strcmp function, because 'if (strcmp($lpass,$cpass))' will always return true because $ldap and $cpass are different. Look at the manual: http://www.php.net/manual/en/function.strcmp.php

The piece of code I did treats SSHA in a different way. I'll also verify how other hashes work to correct this in the code.

Some other points I'll change soon will be the password policies, to follow the system security defined by administrators, and also verifying the password strength against dictionaries.

Thanks,

On 6/7/07, Alexandros Fragkiadakis <al...@ec...> wrote:
> On Thu, June 7, 2007 8:06 pm, Cleber P. de Souza wrote:
> > Hi list,
> >
> > I did some changes in change_ldappass plugin because this module
> > didn't treat properly SSHA password hashes. How can I contribute this piece
> > of code? I tried to contact fo...@sh... but I didn't get an answer. I
> > also think about some other minor changes in the code to improve password
> > restrictions.
> >
> > Thanks,
> >
> > --
> > ***
> > Cleber P. de Souza
>
> I had similar problems with SSHA passwords. In functions.php I replaced
>
>     if ($lpass != $cpass)
>
> with
>
>     if (strcmp($lpass,$cpass))
>
> and it works now :)
>
> Alexandros
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> --
> squirrelmail-plugins mailing list
> Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
> List Address: squ...@li...
> List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.plugins
> List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=3931
> List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-plugins

--
***
Cleber P. de Souza
From: Tomas K. <to...@us...> - 2007-06-10 16:56:33
> I did some changes in change_ldappass plugin because this module
> didn't treat properly SSHA password hashes.

Please prove that SSHA passwords are not handled correctly or provide information that allows reproducing it. The plugin does not use the strcmp function to verify passwords, and the password hash must be the same if the same salt is used. If the same password is encoded differently with the same salt, the code can't verify the password.

Please note that your setup is safer if the plugin does not have to verify passwords internally. If the plugin does that, you are storing administrative passwords in a plaintext configuration file. The password can be verified by a successful bind with the user's DN.

--
Tomas
From: Cleber P. de S. <cle...@gm...> - 2007-06-10 17:26:10
Hi Tomas,

> Please prove that ssha passwords are not handled correctly or provide
> information that allows to reproduce it.

If you try slappasswd against the same password twice you'll notice that both hashes are different:

    [root@server ~]# slappasswd
    New password: senha
    Re-enter new password: senha
    {SSHA}vKDSAsTVxou79jz9vuCRvEJW1Om+vPNj
    [root@server ~]# slappasswd
    New password: senha
    Re-enter new password: senha
    {SSHA}8i5aZqW3SZa/ybA9rfU5ntuHxNJqKWH1

> Plugin does not use strcmp function to verify passwords and password hash must
> be the same, if same salt is used. If same password is encoded differently with
> same salt, code can't verify password.
>
> Please note that your setup is safer, if plugin does not have to verify
> passwords internally. If plugin does that, you are storing administrative
> passwords in plaintext configuration file. Password can be verified by
> successful bind with user's DN.
>
> --
> Tomas

--
***
Cleber P. de Souza
From: Tomas K. <to...@us...> - 2007-06-10 18:36:10
>> Please prove that ssha passwords are not handled correctly or provide
>> information that allows to reproduce it.
>
> If you try slappasswd against the same password twice you'll notice
> that both hashes are differents:
> [root@server ~]# slappasswd
> New password: senha
> Re-enter new password: senha
> {SSHA}vKDSAsTVxou79jz9vuCRvEJW1Om+vPNj
> [root@server ~]# slappasswd
> New password: senha
> Re-enter new password: senha
> {SSHA}8i5aZqW3SZa/ybA9rfU5ntuHxNJqKWH1

"if same salt is used". You are not setting the salt in your slappasswd calls. The program generates a new salt every time you call it, and so the hashes are different.

    <?php
    // Test password script

    // hash from password string (the {SSHA} prefix stripped)
    $orig_hash = 'vKDSAsTVxou79jz9vuCRvEJW1Om+vPNj';
    // get salt from original hash: everything after the 20-byte SHA-1 digest
    $salt = substr(base64_decode($orig_hash), 20);
    // create new hash: raw sha1(password . salt) bytes followed by the salt, base64-encoded
    $new_hash = base64_encode(pack("H*", sha1('senha' . $salt)) . $salt);
    // true or false
    var_dump($orig_hash == $new_hash);
    ?>

There is only one difference between slappasswd and change_ldappass password generation: the plugin does not pack the salt into a binary string. After the plugin sets a new password, it still can authenticate with the OpenLDAP server. So it is not an issue for the OpenLDAP authentication system.

--
Tomas
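The salt-extraction and recomputation that Tomas's PHP snippet performs, written out as an added example (this is not code from the thread or from the change_ldappass plugin). It splits a `{SSHA}` value into the 20-byte SHA-1 digest and the trailing salt, recomputes the digest for a candidate password with that same salt, and compares in constant time; it also generates fresh hashes to show why two slappasswd runs disagree while both still verify. The two hash strings from Cleber's slappasswd session are used as input only; whether 'senha' verifies against them is decided at run time, not assumed. The 4-byte salt length in `make_ssha` is an assumption derived from those 32-character values (24 decoded bytes minus the 20-byte digest), not a documented slappasswd constant.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The two values quoted in the thread (same password, different salts).
THREAD_HASH = "{SSHA}vKDSAsTVxou79jz9vuCRvEJW1Om+vPNj"
THREAD_HASH_2 = "{SSHA}8i5aZqW3SZa/ybA9rfU5ntuHxNJqKWH1"

PREFIX = "{SSHA}"
SHA1_LEN = 20          # digest length; whatever follows it in the decoded blob is the salt
DEFAULT_SALT_LEN = 4   # assumption: inferred from the 24-byte values in the thread


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from a '{SSHA}<base64>' userPassword value."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(blob) < SHA1_LEN:
        raise ValueError("decoded value is shorter than a SHA-1 digest")
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value as slappasswd does: sha1(password + salt) followed
    by the raw salt bytes, base64-encoded as one blob. A random salt is drawn
    when none is supplied, which is why repeated calls never produce the same
    string."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute the digest with the salt taken from the stored value and
    compare in constant time (a plain == would leak timing information)."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    for h in (THREAD_HASH, THREAD_HASH_2):
        _, salt = split_ssha(h)
        print(h, "salt=%s verifies 'senha': %s" % (salt.hex(), verify_ssha("senha", h)))

    # Two fresh hashes of the same password differ in salt, yet both verify.
    a, b = make_ssha("senha"), make_ssha("senha")
    print("fresh hashes differ:", a != b)
    print("both verify:", verify_ssha("senha", a) and verify_ssha("senha", b))
    print("wrong password rejected:", not verify_ssha("senhas", a))
```

Comparing the stored string against a freshly generated one (as `$lpass != $cpass` or `strcmp()` would) can only ever succeed when the salt is reused, which is the point Tomas makes; the verification has to reuse the stored salt. As he also notes, a plugin that verifies this way needs privileged LDAP credentials in its configuration, whereas a bind with the user's own DN lets the directory do the check without those credentials being stored.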
From: Cleber P. de S. <cle...@gm...> - 2007-06-10 22:32:28
Thanks for your explanation. I'll check the openldap for ways to set the salt.

On 6/10/07, Tomas Kuliavas <to...@us...> wrote:
> >> Please prove that ssha passwords are not handled correctly or provide
> >> information that allows to reproduce it.
> >
> > If you try slappasswd against the same password twice you'll notice
> > that both hashes are differents:
> > [root@server ~]# slappasswd
> > New password: senha
> > Re-enter new password: senha
> > {SSHA}vKDSAsTVxou79jz9vuCRvEJW1Om+vPNj
> > [root@server ~]# slappasswd
> > New password: senha
> > Re-enter new password: senha
> > {SSHA}8i5aZqW3SZa/ybA9rfU5ntuHxNJqKWH1
>
> "if same salt is used". You are not setting salt in your slappasswd calls.
> Program generates new salt everytime you call it and hashes are different.
>
> <?php
> // Test password script
>
> // hash from password string
> $orig_hash = 'vKDSAsTVxou79jz9vuCRvEJW1Om+vPNj';
> // get salt from original hash
> $salt = substr(base64_decode($orig_hash),20);
> // create new hash
> $new_hash = base64_encode(pack("H*",sha1('senha' . $salt)) . $salt);
> // true or false
> var_dump($orig_hash == $new_hash);
>
> ?>
>
> There is only one difference between slappasswd and change_ldappass
> password generation. plugin does not pack salt into binary string. After
> plugin sets new password, it still can authenticate with OpenLDAP server.
> So it is not an issue for OpenLDAP authentication system.
>
> --
> Tomas

--
***
Cleber P. de Souza