Commit 05b1134b authored by Leigh B Stoller's avatar Leigh B Stoller

Moving into the 2000's, lets stop using md5 password hashes. Change to

use SHA265 ($5$) with a 16 character random salt from /dev/urandom.
Enabled for Utah MS for now, will push out to other clusters if no
problems over the next week.
parent ba7f63ee
#!/usr/bin/perl -w #!/usr/bin/perl -w
# #
# Copyright (c) 2000-2014 University of Utah and the Flux Group. # Copyright (c) 2000-2015 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -87,6 +87,7 @@ use libdb; ...@@ -87,6 +87,7 @@ use libdb;
use libtestbed; use libtestbed;
use User; use User;
use EmulabConstants(); use EmulabConstants();
use emutil;
# Protos # Protos
sub fatal($); sub fatal($);
...@@ -360,7 +361,7 @@ else { ...@@ -360,7 +361,7 @@ else {
} }
fatal("Checkpass failed with $?"); fatal("Checkpass failed with $?");
} }
$newuser_args{'usr_pswd'} = crypt($pswd, "\$1\$" . substr(time(), 0, 8)); $newuser_args{'usr_pswd'} = PassWordHash($pswd);
} }
# #
......
...@@ -876,18 +876,17 @@ sub ModUserInfo($$$$) ...@@ -876,18 +876,17 @@ sub ModUserInfo($$$$)
# #
# Compare. Must change it! # Compare. Must change it!
# #
if ($old_encoding eq $new_encoding) { if (!$isadmin && $old_encoding eq $new_encoding) {
$$usrerr_ref = "Error: " . $$usrerr_ref = "Error: " .
"New password same as old password"; "New password same as old password";
return undef; return undef;
} }
# #
# Do it again. This ensures we use the current algorithm, not whatever # Do it again. This ensures we use the current algorithm with a
# it was encoded with last time. # new random salt, not whatever it was encoded with last time.
# XXX Perl crypt doesn't have this option! #
# XXX $new_encoding = crypt($argref->{"password1"}); $new_encoding = PassWordHash($argref->{"password1"});
my $safe_encoding = escapeshellarg($new_encoding); my $safe_encoding = escapeshellarg($new_encoding);
# #
......
...@@ -718,11 +718,19 @@ sub BackTraceOnWarning($) ...@@ -718,11 +718,19 @@ sub BackTraceOnWarning($)
sub PassWordHash($) sub PassWordHash($)
{ {
my ($password) = @_; my ($password) = @_;
# Leave these here cause of SELFLOADER_DATA;
my @salt_chars = ('a'..'z','A'..'Z','0'..'9'); my $MAINSITE = @TBMAINSITE@;
my $salt = $salt_chars[rand(@salt_chars)] . my $ELABINELAB = @ELABINELAB@;
$salt_chars[rand(@salt_chars)]; my $salt;
my $passhash = crypt($password, "\$1\$${salt}"); require libtestbed;
if ($MAINSITE || $ELABINELAB) {
$salt = "\$5\$" . substr(libtestbed::TBGenSecretKey(), 0, 16) . "\$";
}
else {
$salt = "\$1\$" . substr(libtestbed::TBGenSecretKey(), 0, 8) . "\$";
}
my $passhash = crypt($password, $salt);
return $passhash; return $passhash;
} }
......
...@@ -457,7 +457,10 @@ sub TBGenSecretKey() ...@@ -457,7 +457,10 @@ sub TBGenSecretKey()
my $key=`/bin/dd if=/dev/urandom count=128 bs=1 2> /dev/null | /sbin/md5`; my $key=`/bin/dd if=/dev/urandom count=128 bs=1 2> /dev/null | /sbin/md5`;
return undef return undef
if ($?); if ($?);
chomp($key); # Silly taint check for caller.
if ($key =~ /^(.*)$/) {
$key = $1;
}
return $key; return $key;
} }
......
#!/usr/bin/perl -w #!/usr/bin/perl -w
# #
# Copyright (c) 2000-2012 University of Utah and the Flux Group. # Copyright (c) 2000-2012, 2015 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -32,6 +32,7 @@ use lib '@prefix@/lib'; ...@@ -32,6 +32,7 @@ use lib '@prefix@/lib';
use libdb; use libdb;
use libtestbed; use libtestbed;
use User; use User;
use emutil;
my $tbadmin = '@TBADMINGROUP@'; my $tbadmin = '@TBADMINGROUP@';
my $ELABINELAB = @ELABINELAB@; my $ELABINELAB = @ELABINELAB@;
...@@ -128,10 +129,7 @@ if (!defined($password)) { ...@@ -128,10 +129,7 @@ if (!defined($password)) {
} }
} }
if (!defined($encpass)) { if (!defined($encpass)) {
my @salt_chars = ('a'..'z','A'..'Z','0'..'9'); $encpass = PassWordHash($password);
my $salt = $salt_chars[rand(@salt_chars)] .
$salt_chars[rand(@salt_chars)];
$encpass = crypt($password, "\$1\$${salt}");
} }
# Get uid for the user and a gid for the project # Get uid for the user and a gid for the project
......
...@@ -213,7 +213,13 @@ if (count($errors)) { ...@@ -213,7 +213,13 @@ if (count($errors)) {
SPITFORM($password1, $password2, $errors); SPITFORM($password1, $password2, $errors);
return; return;
} }
$encoding = crypt("$password1"); if ($TBMAINSITE || $ELABINELAB) {
$salt = "\$5\$" . substr(GENHASH(), 0, 16) . "\$";
}
else {
$salt = "\$1\$" . substr(GENHASH(), 0, 8) . "\$";
}
$encoding = crypt("$password1", $salt);
$safe_encoding = escapeshellarg($encoding); $safe_encoding = escapeshellarg($encoding);
# #
......
<?php <?php
# #
# Copyright (c) 2000-2007, 2012 University of Utah and the Flux Group. # Copyright (c) 2000-2015 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -212,7 +212,13 @@ setcookie($TBAUTHCOOKIE, "", time() - 1000000, "/", $TBAUTHDOMAIN, 0); ...@@ -212,7 +212,13 @@ setcookie($TBAUTHCOOKIE, "", time() - 1000000, "/", $TBAUTHDOMAIN, 0);
# Okay to spit this now that the cookie has been sent (cleared). # Okay to spit this now that the cookie has been sent (cleared).
PAGEHEADER("Reset Your Password", $view); PAGEHEADER("Reset Your Password", $view);
$encoding = crypt("$password1"); if ($TBMAINSITE || $ELABINELAB) {
$salt = "\$5\$" . substr(GENHASH(), 0, 16) . "\$";
}
else {
$salt = "\$1\$" . substr(GENHASH(), 0, 8) . "\$";
}
$encoding = crypt("$password1", $salt);
$safe_encoding = escapeshellarg($encoding); $safe_encoding = escapeshellarg($encoding);
STARTBUSY("Resetting your password"); STARTBUSY("Resetting your password");
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment