[Tickets #1223] NEW: hash generation change to smbldap driver

bugs at bugs.horde.org bugs at bugs.horde.org
Fri Jan 21 08:31:45 PST 2005


Ticket URL: http://bugs.horde.org/ticket/?id=1223
 Ticket     | 1223
 Created By | kglueck at viz.tamu.edu
 Summary    | hash generation change to smbldap driver
 Queue      | Passwd
 Version    | HEAD
 State      | New
 Priority   | 1. Low
 Type       | Enhancement
 Owners     | 

kglueck at viz.tamu.edu (2005-01-21 08:31) wrote:

I discovered quickly as I was looking at the php code that
the NT and Lan Manager hashes were being generated by an exec() call to a
program that took the password on the commandline and spit out the hashes
with a colon in between them.  This caused some trouble for me because
there was text being read in that was being passed to the external program
without escaping shell characters before being called.  This had the effect
of when a character, such as a single quote, was used in the password, the
attempt to change the password returned errors...I didn't try a backtick,
but I'm sure that could be a rather fun experiment for an enterprising
individual.  Rather than escape the text, I thought incorporating the
hashing function inside the horde code was better (and likely much more

So, I started to look to see what I could do about it. lo and behold there
was a pear module Crypt_CHAP that would generate the hashes for me.  So,
I installed it and changed a couple of lines of code in the
lib/Drivers/smbldap.php code segment.  then I realized that the
sambaPwdLastSet and sambaPwdMustChange attributes also weren't getting
set.  So I added that code.

Since I had to add a new pear module, I shamelessly stole the
accounts/test.php code and modified it to be the passwd/test.php to check
for the PEAR module Crypt_CHAP and its php prerequisites mhash and mcrypt.

Features that are modified/added by the attached patches are:
 - Crypt_CHAP replaces external mkntpwd program to generate LM and NT
 - added config attributes pw_set_attribute, pw_expire_attribute, and
   pw_expire_time to backends.php.dist
 - pw_set_attribute (sambaPwdLastSet) timestamp is updated when password
 - pw_expire_attribute (sambaPwdMustChange) timestamp is generated from
   current timestamp + pw_expire_time attribute * 86400
 - added test.php to test for additional modules needed

More information about the bugs mailing list