[horde] [PATCH] for passwd to support shadow style password

Luc de Louw luc at delouw.ch
Sun Dec 8 14:07:48 PST 2002


Hi all,

I just made some changes to Horde's passwd/Drivers/sql.php to enable
usage of shadow encrypted passwords.

The change is actually that the encrypted password is first queried
from the db to have the needed salt.

http://www.stanford.edu/group/itss-ccs/security/unix/Linux/Shadow-Password-HOWTO-2.html
is a source that taught me how to make this.

This makes sense if people have migrated from old-style Unix accounts to
SQL-based authentication using a virtual system. So no new passwords
are needed for the clients. Just a script needs to be written to import
the passwords from /etc/shadow to the database.

I'll also do the same for mysql-style encryption.

If there is a general interest, I'll also clean up the stuff a bit.

Hopefully I did not overlook something grave in terms of security; please
have a look.

Feedback is welcome

rgds

Luc
-------------- next part --------------
diff -Naur passwd-2.1/lib/Driver/sql.php passwd/lib/Driver/sql.php
--- passwd-2.1/lib/Driver/sql.php	2002-10-09 10:51:02.000000000 -0700
+++ passwd/lib/Driver/sql.php	2002-12-07 19:26:40.000000000 -0800
@@ -129,10 +129,22 @@
         /* _connect() will die with Horde::fatal() upon failure. */
 //      $this->_connect();
 
+	/* First get the encrypted password out of the database to have the salt */
+
+	$query = 'SELECT ' . $this->params['pass_col'] . ' FROM ' . $this->params['table'];
+        $query .= ' WHERE ' . $this->params['user_col'] . ' = ' . $this->db->quote($user);
+
+	$result = $this->db->query($query);
+
+	if (!DB::isError($result)) {
+		$row=$result->fetchRow($result,0,$this->params['pass_col']);
+		$oldPassword = trim(crypt($oldPassword,$row[0]));
+	}
+
         /* Build the SQL query. */
         $query = 'SELECT ' . $this->params['user_col'] . ' FROM ' . $this->params['table'];
         $query .= ' WHERE ' . $this->params['user_col'] . ' = ' . $this->db->quote($user);
-        $query .= ' AND ' . $this->params['pass_col'] . ' = ' . $this->db->quote(md5($oldPassword));
+        $query .= ' AND ' . $this->params['pass_col'] . ' = ' . $this->db->quote($oldPassword);
 
         /* Execute the query. */
         $result = $this->db->query($query);
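Review bot: The new lookup has no failure path. If DB::isError($result) is true, $oldPassword is never passed through crypt() and the following SELECT compares the plaintext directly against pass_col; if the user has no row, $row[0] is empty and crypt() is called with an empty salt. Return an error in both cases before building the second query. Since the stored hash is already in $row[0], the check can also be done in PHP by comparing crypt($oldPassword, $row[0]) with $row[0], which removes the second SELECT entirely. The arguments in fetchRow($result,0,$this->params['pass_col']) pass the result object to its own method and should be checked against the DB result API. Finally, md5() is dropped from the comparison unconditionally, so tables that hold md5 hashes stop verifying; select the scheme from the configured encryption rather than replacing it.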
@@ -183,7 +195,8 @@
          break;
       case "crypt":
          // The salt is left out, generated by php
-         $change_info["userPassword"] = "{crypt}" . crypt($newPassword);
+         $change_info["userPassword"] = crypt($newPassword,substr($newPassword,0,2));
+	 $newPassword = crypt($newPassword,substr($newPassword,0,2));
          break;
       case "md5":
      $change_info["userPassword"] = md5($newPassword);
@@ -199,7 +212,7 @@
         // now that we know that user exist and old password is correct, change the password
         /* Build the SQL query. */
         $query = 'UPDATE ' . $this->params['table'];
-        $query .= ' set ' . $this->params['pass_col'] . ' = ' . $this->db->quote(md5($newPassword));
+        $query .= ' set ' . $this->params['pass_col'] . ' = ' . $this->db->quote($newPassword);
         $query .= ' WHERE ' . $this->params['user_col'] . ' = ' . $this->db->quote($user);
 
         /* Execute the query. */
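Review bot: The UPDATE now writes $newPassword as-is, but only the "crypt" case in the previous hunk reassigns $newPassword to a hash. The "md5" case visible there sets only $change_info["userPassword"], so with that setting the plaintext password would be stored in pass_col. Compute the hash once per scheme into a dedicated variable in every case and quote that variable here, so no branch can reach this query with an unhashed value.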

