Commit 05b1134b authored by Leigh Stoller's avatar Leigh Stoller

Moving into the 2000's, lets stop using md5 password hashes. Change to

use SHA265 ($5$) with a 16 character random salt from /dev/urandom.
Enabled for Utah MS for now, will push out to other clusters if no
problems over the next week.
parent ba7f63ee
#!/usr/bin/perl -w
#
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
# Copyright (c) 2000-2015 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -87,6 +87,7 @@ use libdb;
use libtestbed;
use User;
use EmulabConstants();
use emutil;
# Protos
sub fatal($);
......@@ -360,7 +361,7 @@ else {
}
fatal("Checkpass failed with $?");
}
$newuser_args{'usr_pswd'} = crypt($pswd, "\$1\$" . substr(time(), 0, 8));
$newuser_args{'usr_pswd'} = PassWordHash($pswd);
}
#
......
......@@ -876,18 +876,17 @@ sub ModUserInfo($$$$)
#
# Compare. Must change it!
#
if ($old_encoding eq $new_encoding) {
if (!$isadmin && $old_encoding eq $new_encoding) {
$$usrerr_ref = "Error: " .
"New password same as old password";
return undef;
}
#
# Do it again. This ensures we use the current algorithm, not whatever
# it was encoded with last time.
# XXX Perl crypt doesn't have this option!
# XXX $new_encoding = crypt($argref->{"password1"});
# Do it again. This ensures we use the current algorithm with a
# new random salt, not whatever it was encoded with last time.
#
$new_encoding = PassWordHash($argref->{"password1"});
my $safe_encoding = escapeshellarg($new_encoding);
#
......
......@@ -718,11 +718,19 @@ sub BackTraceOnWarning($)
sub PassWordHash($)
{
my ($password) = @_;
my @salt_chars = ('a'..'z','A'..'Z','0'..'9');
my $salt = $salt_chars[rand(@salt_chars)] .
$salt_chars[rand(@salt_chars)];
my $passhash = crypt($password, "\$1\$${salt}");
# Leave these here cause of SELFLOADER_DATA;
my $MAINSITE = @TBMAINSITE@;
my $ELABINELAB = @ELABINELAB@;
my $salt;
require libtestbed;
if ($MAINSITE || $ELABINELAB) {
$salt = "\$5\$" . substr(libtestbed::TBGenSecretKey(), 0, 16) . "\$";
}
else {
$salt = "\$1\$" . substr(libtestbed::TBGenSecretKey(), 0, 8) . "\$";
}
my $passhash = crypt($password, $salt);
return $passhash;
}
......
......@@ -457,7 +457,10 @@ sub TBGenSecretKey()
my $key=`/bin/dd if=/dev/urandom count=128 bs=1 2> /dev/null | /sbin/md5`;
return undef
if ($?);
chomp($key);
# Silly taint check for caller.
if ($key =~ /^(.*)$/) {
$key = $1;
}
return $key;
}
......
#!/usr/bin/perl -w
#
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
# Copyright (c) 2000-2012, 2015 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -32,6 +32,7 @@ use lib '@prefix@/lib';
use libdb;
use libtestbed;
use User;
use emutil;
my $tbadmin = '@TBADMINGROUP@';
my $ELABINELAB = @ELABINELAB@;
......@@ -128,10 +129,7 @@ if (!defined($password)) {
}
}
if (!defined($encpass)) {
my @salt_chars = ('a'..'z','A'..'Z','0'..'9');
my $salt = $salt_chars[rand(@salt_chars)] .
$salt_chars[rand(@salt_chars)];
$encpass = crypt($password, "\$1\$${salt}");
$encpass = PassWordHash($password);
}
# Get uid for the user and a gid for the project
......
......@@ -213,7 +213,13 @@ if (count($errors)) {
SPITFORM($password1, $password2, $errors);
return;
}
$encoding = crypt("$password1");
if ($TBMAINSITE || $ELABINELAB) {
$salt = "\$5\$" . substr(GENHASH(), 0, 16) . "\$";
}
else {
$salt = "\$1\$" . substr(GENHASH(), 0, 8) . "\$";
}
$encoding = crypt("$password1", $salt);
$safe_encoding = escapeshellarg($encoding);
#
......
<?php
#
# Copyright (c) 2000-2007, 2012 University of Utah and the Flux Group.
# Copyright (c) 2000-2015 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -212,7 +212,13 @@ setcookie($TBAUTHCOOKIE, "", time() - 1000000, "/", $TBAUTHDOMAIN, 0);
# Okay to spit this now that the cookie has been sent (cleared).
PAGEHEADER("Reset Your Password", $view);
$encoding = crypt("$password1");
if ($TBMAINSITE || $ELABINELAB) {
$salt = "\$5\$" . substr(GENHASH(), 0, 16) . "\$";
}
else {
$salt = "\$1\$" . substr(GENHASH(), 0, 8) . "\$";
}
$encoding = crypt("$password1", $salt);
$safe_encoding = escapeshellarg($encoding);
STARTBUSY("Resetting your password");
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment