[Tickets #1998] NEW: Ldap backend crypt-des instead of crypt encryption
bugs@bugs.horde.org
Thu May 19 03:02:04 PDT 2005
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=1998
-----------------------------------------------------------------------
Ticket | 1998
Created By | laurent.le-moine at ac-dijon.fr
Summary | Ldap backend crypt-des instead of crypt encryption
Queue | Passwd
Version | 2.2.2
State | Unconfirmed
Priority | 3. High
Type | Bug
Owners |
-----------------------------------------------------------------------
laurent.le-moine at ac-dijon.fr (2005-05-19 03:02) wrote:
Hello,
Please excuse my poor English, I will try to explain as precisely as
possible.
Context: I am using debian/testing for our Academic webmail.
It is based on Horde2, IMP3 ... and sork-passwd.
Users are authenticated with IMAP and changes are applied in an LDAP
backend (Netscape-SUN / iplanet).
Events: Yesterday I decided to upgrade (lots of packages, including
sork-passwd).
Problem raised this morning: users' passwd changes were accepted, but users
can never log in again after a passwd change.
Problem cause: default encryption is now crypt-des and not crypt as before
(no break in the case 'crypt' instruction in
/usr/share/horde2/passwd/lib/Driver.php) and passwds are no longer readable in
this format.
My solution: I had a look at the PHP source and found some differences with
the working version. I made a patch and it is working now. Using crypt-des
is a good thing but it should not be the default behaviour when using the crypt
parameter. I would have liked to decide whether to apply it or not.
My working version is Driver.php and Driver.php.deb is the one from the
debs.
webmail:/usr/share/horde2/passwd/lib# diff -U 7 Driver.php.deb Driver.php
--- Driver.php.deb 2005-05-19 10:59:32.000000000 +0200
+++ Driver.php 2005-05-19 11:09:49.000000000 +0200
@@ -99,14 +99,20 @@
}
break;
case 'md5-base64':
if ($encrypted == base64_encode(mHash(MHASH_MD5,
$plaintext))) { return true;
}
break;
case 'crypt':
+ $encrypted = substr($encrypted, 7);
+ $salt = substr($encrypted , 0, 2);
+ if ($encrypted == crypt($plaintext, $salt)) {
+ return true;
+ }
+ break;
case 'crypt-des':
$encrypted = preg_replace('|^{crypt}|', '', $encrypted);
$salt = substr($encrypted, 0, 2);
if ($encrypted == crypt($plaintext, $salt)) {
return true;
}
break;
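Review bot: In the new 'crypt' case, substr($encrypted, 7) removes the first seven characters unconditionally, so a stored value that does not begin with the {crypt} prefix loses part of its hash and the comparison can never succeed. The 'crypt-des' case just below strips the prefix only when it is present, with preg_replace('|^{crypt}|', '', $encrypted); using the same call here would keep the two branches consistent. The two-character salt from substr($encrypted, 0, 2) also assumes a traditional DES hash; passing the whole stored hash as the salt, crypt($plaintext, $encrypted), would let crypt() reuse whatever salt and scheme the stored value carries.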
@@ -166,14 +172,17 @@
switch ($this->_params['encryption']) {
case "plain":
break;
case "sha":
$newPassword = "{SHA}" . base64_encode(mHash(MHASH_SHA1,
$newPassword));
break;
case 'crypt':
+ // The salt is left out, generated by php
+ $newPassword = "{crypt}" . crypt($newPassword);
+ break;
case 'crypt-des':
$salt = substr(md5(mt_rand()), 0, 2);
$newPassword = crypt($newPassword, $salt);
break;
case 'crypt-md5':
$salt = '$1$' . substr(md5(mt_rand()), 0, 8) . '$';
$newPassword = crypt($newPassword, $salt);
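Review bot: The added 'crypt' case calls crypt($newPassword) with no salt, which leaves the choice of salt and hash scheme to PHP and the platform, while the verification branch added in the first hunk takes only the first two characters of the stored hash as the salt. If the platform default is not traditional DES, a password written by this branch will not verify in that one. Either pass an explicit salt, as the 'crypt-des' and 'crypt-md5' cases below do, or change the verification side to use the full stored hash as the salt. The comment should also state that this branch stores a {crypt} prefix, since the 'crypt-des' branch directly below stores the bare hash.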
Hope it will help,
Anyway, congratulations on your excellent job on this project,
Laurent Le Moine
laurent.le-moine at ac-dijon.fr
Rectorat de l'Académie de Dijon (France)