
On Wed, Mar 19, 2003 at 11:26:18AM -0500, -----@coxnews.com wrote:
> I have been working with OTRS here for a bit, and needed to modify the source some, and had an idea I thought I would pass along.
>
> In Kernel/System/Auth/DB.pm, Kernel/System/User.pm, Kernel/System/CustomerUser/DB.pm and Modules/AdminSignature.pm the salt for the crypt() function is $User. My thought was to secure this some more by using a function like below to build a random salt for password encryption:
>
> sub random_salt {
>     my (@salt_set, $salt);
>     # the 64 characters crypt() accepts in a salt
>     @salt_set = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
>     # two random characters from that set
>     $salt = $salt_set[int(rand(64))] . $salt_set[int(rand(64))];
>     return $salt;
> }
>
> Since the password checking routine, Auth(), already reads the username and password from the system_users table one could get the salt for password verification easily:
>
> my $salt = $GetPw; $salt =~ s/^(..).*/$1/;

It sounds good to me (and it's compatible). Wiktor, what do you think?

> Andrew
Martin

-- 
Martin Edenhofer - <martin at edenhofer.de> - http://martin.edenhofer.de/
-- 
Only 179 days left until the Gäubodenvolksfest! ;-)
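The proposal from the quoted mail end to end, as an added example written for this page (not code from the thread or from OTRS): a random two-character salt when hashing, and verification by handing the stored hash back to crypt(), which is why existing username-salted entries keep verifying. The user name, password and function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The 64-character alphabet traditional crypt() accepts in a salt.
my @salt_set = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Two random characters from that alphabet (4096 possible salts).
sub random_salt {
    return $salt_set[int(rand(@salt_set))] . $salt_set[int(rand(@salt_set))];
}

# Proposed scheme: hash a new password with a random salt instead of $User.
sub hash_password {
    my ($pw) = @_;
    return crypt($pw, random_salt());
}

# Verification: crypt() takes its salt from the first two characters of the
# second argument, so the stored hash itself can be passed as the salt. That
# works for legacy entries salted with the username and for random-salted
# ones alike, which is what makes the change backwards compatible.
sub check_password {
    my ($pw, $stored) = @_;
    return 0 unless defined $stored && length($stored) >= 2;
    my $h = crypt($pw, $stored);
    return (defined $h && $h eq $stored) ? 1 : 0;
}

# Constructed sample data (hypothetical user and password, not OTRS data).
my ($user, $pw) = ('alice', 'correct horse');
my $legacy_hash = crypt($pw, $user);   # old scheme: salt is the username
my $new_hash    = hash_password($pw);  # proposed scheme: random salt

printf "legacy hash %s verifies: %d\n", $legacy_hash, check_password($pw, $legacy_hash);
printf "random-salt hash %s verifies: %d\n", $new_hash, check_password($pw, $new_hash);
printf "wrong password rejected: %d\n", check_password('wrong', $new_hash) ? 0 : 1;

# Why the salt matters: with the username as salt, the same user name and
# password always give the same hash; random salts differ (two draws collide
# only with probability 1/4096), so equal passwords no longer show as equal hashes.
printf "username salt, same input twice, hashes equal: %d\n",
    crypt($pw, $user) eq crypt($pw, $user) ? 1 : 0;
printf "random salt, same input twice, hashes equal: %d\n",
    hash_password($pw) eq hash_password($pw) ? 1 : 0;
```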