Moving into the 2000's, lets stop using md5 password hashes. Change to

use SHA265 ($5$) with a 16 character random salt from /dev/urandom. Enabled for Utah MS for now, will push out to other clusters if no problems over the next week.

Moving into the 2000's, lets stop using md5 password hashes. Change to
use SHA265 ($5$) with a 16 character random salt from /dev/urandom. Enabled for Utah MS for now, will push out to other clusters if no problems over the next week.
05b1134b · Leigh B Stoller · ba7f63ee · 05b1134b · 05b1134b · 05b1134b
Commit 05b1134b authored Dec 02, 2015 by Leigh B Stoller
7 changed files
--- a/account/newuser.in
+++ b/account/newuser.in
 #!/usr/bin/perl -w
 #
-# Copyright (c) 2000-2014 University of Utah and the Flux Group.
+# Copyright (c) 2000-2015 University of Utah and the Flux Group.
 # 
 # {{{EMULAB-LICENSE
 # 
@@ -87,6 +87,7 @@ use libdb;
 use libtestbed;
 use User;
 use EmulabConstants();
+use emutil;

 # Protos
 sub fatal($);
@@ -360,7 +361,7 @@ else {
 	}
 	fatal("Checkpass failed with $?");
    }
-    $newuser_args{'usr_pswd'} = crypt($pswd, "\$1\$" . substr(time(), 0, 8));
+    $newuser_args{'usr_pswd'} = PassWordHash($pswd);    
 }

 #

--- a/db/User.pm.in
+++ b/db/User.pm.in
@@ -876,18 +876,17 @@ sub ModUserInfo($$$$)
 	#
 	# Compare. Must change it!
 	# 
-	if ($old_encoding eq $new_encoding) {
+	if (!$isadmin && $old_encoding eq $new_encoding) {
 	    $$usrerr_ref = "Error: " .
 		"New password same as old password";
 	    return undef;
 	}

 	#
-	# Do it again. This ensures we use the current algorithm, not whatever
-	# it was encoded with last time.
-	# XXX Perl crypt doesn't have this option!
-	# XXX $new_encoding  = crypt($argref->{"password1"});
-
+	# Do it again. This ensures we use the current algorithm with a
+	# new random salt, not whatever it was encoded with last time.
+	#
+	$new_encoding = PassWordHash($argref->{"password1"});
 	my $safe_encoding = escapeshellarg($new_encoding);

 	#

--- a/db/emutil.pm.in
+++ b/db/emutil.pm.in
@@ -718,11 +718,19 @@ sub BackTraceOnWarning($)
 sub PassWordHash($)
 {
    my ($password) = @_;
+    # Leave these here cause of SELFLOADER_DATA;
+    my $MAINSITE   = @TBMAINSITE@;
+    my $ELABINELAB = @ELABINELAB@;
+    my $salt;
+    require libtestbed;

-    my @salt_chars = ('a'..'z','A'..'Z','0'..'9');
-    my $salt = $salt_chars[rand(@salt_chars)] .
-	       $salt_chars[rand(@salt_chars)];
-    my $passhash = crypt($password, "\$1\$${salt}");
+    if ($MAINSITE || $ELABINELAB) {
+	$salt = "\$5\$" . substr(libtestbed::TBGenSecretKey(), 0, 16) . "\$";
+    }
+    else {
+	$salt = "\$1\$" . substr(libtestbed::TBGenSecretKey(), 0, 8) . "\$";
+    }
+    my $passhash = crypt($password, $salt);

    return $passhash;
 }

--- a/tbsetup/libtestbed.pm.in
+++ b/tbsetup/libtestbed.pm.in
@@ -457,7 +457,10 @@ sub TBGenSecretKey()
    my $key=`/bin/dd if=/dev/urandom count=128 bs=1 2> /dev/null | /sbin/md5`;
    return undef
 	if ($?);
-    chomp($key);
+    # Silly taint check for caller.
+    if ($key =~ /^(.*)$/) {
+	$key = $1;
+    }
    return $key;
 }


--- a/utils/firstuser.in
+++ b/utils/firstuser.in
 #!/usr/bin/perl -w
 #
-# Copyright (c) 2000-2012 University of Utah and the Flux Group.
+# Copyright (c) 2000-2012, 2015 University of Utah and the Flux Group.
 # 
 # {{{EMULAB-LICENSE
 # 
@@ -32,6 +32,7 @@ use lib '@prefix@/lib';
 use libdb;
 use libtestbed;
 use User;
+use emutil;

 my $tbadmin    = '@TBADMINGROUP@';
 my $ELABINELAB = @ELABINELAB@;
@@ -128,10 +129,7 @@ if (!defined($password)) {
    }
 }
 if (!defined($encpass)) {
-    my @salt_chars = ('a'..'z','A'..'Z','0'..'9');
-    my $salt = $salt_chars[rand(@salt_chars)] .
-	       $salt_chars[rand(@salt_chars)];
-    $encpass = crypt($password, "\$1\$${salt}");
+    $encpass = PassWordHash($password);
 }

 # Get uid for the user and a gid for the project

--- a/www/aptui/changepswd.php
+++ b/www/aptui/changepswd.php
@@ -213,7 +213,13 @@ if (count($errors)) {
    SPITFORM($password1, $password2, $errors);
    return;
 }
-$encoding = crypt("$password1");
+if ($TBMAINSITE || $ELABINELAB) {
+    $salt = "\$5\$" . substr(GENHASH(), 0, 16) . "\$";
+}
+else {
+    $salt = "\$1\$" . substr(GENHASH(), 0, 8) . "\$";
+}
+$encoding = crypt("$password1", $salt);
 $safe_encoding = escapeshellarg($encoding);

 #

--- a/www/chpasswd.php3
+++ b/www/chpasswd.php3
 <?php
 #
-# Copyright (c) 2000-2007, 2012 University of Utah and the Flux Group.
+# Copyright (c) 2000-2015 University of Utah and the Flux Group.
 # 
 # {{{EMULAB-LICENSE
 # 
@@ -212,7 +212,13 @@ setcookie($TBAUTHCOOKIE, "", time() - 1000000, "/", $TBAUTHDOMAIN, 0);
 # Okay to spit this now that the cookie has been sent (cleared).
 PAGEHEADER("Reset Your Password", $view);

-$encoding = crypt("$password1");
+if ($TBMAINSITE || $ELABINELAB) {
+    $salt = "\$5\$" . substr(GENHASH(), 0, 16) . "\$";
+}
+else {
+    $salt = "\$1\$" . substr(GENHASH(), 0, 8) . "\$";
+}
+$encoding = crypt("$password1", $salt);
 $safe_encoding = escapeshellarg($encoding);

 STARTBUSY("Resetting your password");