From 9219378b588ce968702be2a7e153aa984504b6aa Mon Sep 17 00:00:00 2001 From: daniel Date: Thu, 14 Jan 2016 22:10:35 -0500 Subject: switched to bcrypt as per #4120 added bcrypt auth as per #4120 --- src/etc/inc/auth.inc | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) mode change 100644 => 100755 src/etc/inc/auth.inc (limited to 'src') diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc old mode 100644 new mode 100755 index fffe84f..6e6600c --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc @@ -360,6 +360,13 @@ function local_backed($username, $passwd) { return false; } + if ($user['bcrypt-hash']) { + if (password_verify($passwd, $user['bcrypt-hash'])) { + return true; + } + } + + //for backwards compatibility if ($user['password']) { if (crypt($passwd, $user['password']) == $user['password']) { return true; @@ -450,7 +457,7 @@ function local_sync_accounts() { function local_user_set(& $user) { global $g, $debug; - if (empty($user['password'])) { + if (empty($user['password']) && empty($user['bcrypt-hash'])) { log_error("There is something wrong in your config because user {$user['name']} password is missing!"); return; } @@ -498,7 +505,12 @@ function local_user_set(& $user) { log_error(sprintf(gettext("Running: %s"), $cmd)); } $fd = popen($cmd, "w"); - fwrite($fd, $user['password']); + if (empty($user['bcrypt-hash'])) { + fwrite($fd, $user['password']); + } + else { + fwrite($fd, $user['bcrypt-hash']); + } pclose($fd); $user_group = "wheel"; $user_home = "/root"; @@ -528,7 +540,12 @@ function local_user_set(& $user) { log_error(sprintf(gettext("Running: %s"), $cmd)); } $fd = popen($cmd, "w"); - fwrite($fd, $user['password']); + if (empty($user['bcrypt-hash'])) { + fwrite($fd, $user['password']); + } + else { + fwrite($fd, $user['bcrypt-hash']); + } pclose($fd); /* create user directory if required */ 
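Review bot: A failed `password_verify()` in local_backed falls through to the legacy `crypt()` comparison kept "for backwards compatibility", so a user record that still carries an old `password` value next to `bcrypt-hash` would authenticate with either secret. When a bcrypt hash is present its verdict should be final: `if (!empty($user['bcrypt-hash'])) { return password_verify($passwd, $user['bcrypt-hash']); }`. Testing with `!empty()` also avoids an undefined-index notice for users that have no `bcrypt-hash` key yet. The function starts and ends outside the hunk, so any fallbacks after the `crypt()` check are not visible here.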
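Review bot: The if/else that picks between `$user['password']` and `$user['bcrypt-hash']` is added twice in local_user_set (the hunk at -498 and the one at -528), so the rule for which hash reaches the system password database lives in two places. Choosing the value once, `$pw_hash = empty($user['bcrypt-hash']) ? $user['password'] : $user['bcrypt-hash'];`, and calling `fwrite($fd, $pw_hash);` at both sites keeps them in step. A one-line comment that `bcrypt-hash` takes precedence over the legacy field would help the next reader. local_user_set begins and ends outside both hunks.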
@@ -593,8 +610,9 @@ function local_user_del($user) { function local_user_set_password(&$user, $password) { - $user['password'] = crypt($password); - $user['md5-hash'] = md5($password); + $user['password'] = "REMOVED"; + $user['md5-hash'] = "REMOVED"; + $user['bcrypt-hash'] = password_hash($password,PASSWORD_BCRYPT); // Converts ascii to unicode. $astr = (string) $password; -- cgit v1.1 From 4b737f6efe0eb7574851cc5024af43faf8c57fe2 Mon Sep 17 00:00:00 2001 From: Daniel Vinakovsky Date: Sat, 16 Jan 2016 00:03:24 -0500 Subject: compatibility with freebsd --- src/etc/inc/auth.inc | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'src') diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc index 6e6600c..af252d8 100755 --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc @@ -614,6 +614,15 @@ function local_user_set_password(&$user, $password) { $user['md5-hash'] = "REMOVED"; $user['bcrypt-hash'] = password_hash($password,PASSWORD_BCRYPT); + // Maintain compatibility with FreeBSD + // https://reviews.freebsd.org/D2742 + // change $2y$ prefix to $2b$ + + if ($user['bcrypt-hash'][2] == "y") { + $user['bcrypt-hash'][2] = "b"; + } + + // Converts ascii to unicode. $astr = (string) $password; $ustr = ''; -- cgit v1.1 From 9a7911eb0fdccfc98fcec60010f379e3a4b34ced Mon Sep 17 00:00:00 2001 From: Daniel Vinakovsky Date: Mon, 18 Jan 2016 11:39:16 -0500 Subject: style fixes --- src/etc/inc/auth.inc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc index af252d8..56bcbc4 100755 --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc @@ -507,8 +507,7 @@ function local_user_set(& $user) { $fd = popen($cmd, "w"); if (empty($user['bcrypt-hash'])) { fwrite($fd, $user['password']); - } - else { + } else { fwrite($fd, $user['bcrypt-hash']); } pclose($fd); 
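Review bot: The result of `password_hash()` in local_user_set_password is stored without a check, after the two older hash fields have already been overwritten on the lines above it. On PHP versions where `password_hash()` can return `false`, the user would be left with no verifiable hash. Computing the hash first and leaving `$user` untouched on failure keeps the previous credentials usable: `$hash = password_hash($password, PASSWORD_BCRYPT); if ($hash === false) { /* log and return */ }`. The later hunk at -608 that switches to `unset()` keeps the same ordering. A short comment that bcrypt only considers the first 72 bytes of the password would also be useful; the function continues past the end of the hunk.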
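Review bot: The prefix rewrite at -614 changes the string that local_backed later passes to `password_verify()`, and nothing in the hunk confirms that a `$2b$` hash still verifies on the PHP build in use, so a regression test for that round trip is worth adding. PHP's `password_get_info()` and `password_needs_rehash()` recognise bcrypt by the `$2y$` prefix, so the stored value will look like an unknown algorithm to them; the comment should say so. The guard `$user['bcrypt-hash'][2] == "y"` checks only one character, with a loose comparison, and indexes the value even if `password_hash()` failed. Matching the whole prefix states the intent: `if (is_string($user['bcrypt-hash']) && strncmp($user['bcrypt-hash'], '$2y$', 4) === 0) { $user['bcrypt-hash'][2] = 'b'; }`.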
@@ -542,8 +541,7 @@ function local_user_set(& $user) { $fd = popen($cmd, "w"); if (empty($user['bcrypt-hash'])) { fwrite($fd, $user['password']); - } - else { + } else { fwrite($fd, $user['bcrypt-hash']); } pclose($fd); -- cgit v1.1 From 33386b07762fd1aad1b069f3b84ef4e243db53f3 Mon Sep 17 00:00:00 2001 From: Daniel Vinakovsky Date: Mon, 18 Jan 2016 11:42:53 -0500 Subject: more style fixes. unset old fields --- src/etc/inc/auth.inc | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc index 56bcbc4..5b705a8 100755 --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc @@ -608,9 +608,9 @@ function local_user_del($user) { function local_user_set_password(&$user, $password) { - $user['password'] = "REMOVED"; - $user['md5-hash'] = "REMOVED"; - $user['bcrypt-hash'] = password_hash($password,PASSWORD_BCRYPT); + unset($user['password']); + unset($user['md5-hash']); + $user['bcrypt-hash'] = password_hash($password, PASSWORD_BCRYPT); // Maintain compatibility with FreeBSD // https://reviews.freebsd.org/D2742 @@ -620,7 +620,6 @@ function local_user_set_password(&$user, $password) { $user['bcrypt-hash'][2] = "b"; } - // Converts ascii to unicode. $astr = (string) $password; $ustr = ''; -- cgit v1.1 From 4d4e9a113c7f1d77e370bd06a93207a48af6f814 Mon Sep 17 00:00:00 2001 From: Daniel Vinakovsky Date: Mon, 18 Jan 2016 15:26:07 -0500 Subject: add note about r284483 --- src/etc/inc/auth.inc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc index 5b705a8..28dc9f2 100755 --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc 
@@ -612,10 +612,10 @@ function local_user_set_password(&$user, $password) { unset($user['md5-hash']); $user['bcrypt-hash'] = password_hash($password, PASSWORD_BCRYPT); - // Maintain compatibility with FreeBSD - // https://reviews.freebsd.org/D2742 - // change $2y$ prefix to $2b$ - + /* Maintain compatibility with FreeBSD - change $2y$ prefix to $2b$ + * https://reviews.freebsd.org/D2742 + * Can be removed as soon as r284483 is MFC'd. + */ if ($user['bcrypt-hash'][2] == "y") { $user['bcrypt-hash'][2] = "b"; } -- cgit v1.1 From 6fadbf9bd4a2fe2f8f33ec4e93025032ccf03f3f Mon Sep 17 00:00:00 2001 From: Dan Vinakovsky Date: Mon, 18 Jan 2016 21:58:15 -0500 Subject: Update auth.inc add XXX prefix. --- src/etc/inc/auth.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc index 28dc9f2..4899e4a 100755 --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc @@ -614,7 +614,7 @@ function local_user_set_password(&$user, $password) { /* Maintain compatibility with FreeBSD - change $2y$ prefix to $2b$ * https://reviews.freebsd.org/D2742 - * Can be removed as soon as r284483 is MFC'd. + * XXX: Can be removed as soon as r284483 is MFC'd. */ if ($user['bcrypt-hash'][2] == "y") { $user['bcrypt-hash'][2] = "b"; -- cgit v1.1