
Greetings,

I have been working with OTRS here for a bit, and needed to modify the source some, and had an idea I thought I would pass along.

In Kernel/System/Auth/DB.pm, Kernel/System/User.pm, Kernel/System/CustomerUser/DB.pm and Modules/AdminSignature.pm the salt for the crypt() function is $User. My thought was to secure this some more by using a function like below to build a random salt for password encryption:

    sub random_salt {
        my (@salt_set, $salt);
        @salt_set = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
        # two random characters from the 64-symbol crypt() salt set
        $salt = $salt_set[int(rand(64))] . $salt_set[int(rand(64))];
        return $salt;
    }

Since the password checking routine, Auth(), already reads the username and password from the system_users table one could get the salt for password verification easily:

    my $salt = $GetPw;
    $salt =~ s/^(..).*/$1/;

Just my $0.02.

Andrew
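Andrew's proposal carried through as a complete Perl script, added here as an example (it is not OTRS code and not code from the thread): it contrasts the existing crypt($Pw, $User) scheme with a per-password random salt and verifies a candidate by pulling the salt back out of the stored crypt string. The names legacy_hash, hash_password and verify_password and the sample user names and password are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The 64 symbols a traditional crypt(3) salt may contain.
my @salt_set = ( 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/' );

# Two-character random salt, as proposed in the thread. Perl's rand() is
# not a cryptographic RNG; a salt has to be unique rather than secret, so
# it is kept here because it is what the proposal used.
sub random_salt {
    return join '', map { $salt_set[ int( rand(@salt_set) ) ] } 1 .. 2;
}

# Scheme the thread describes as current: the user name is the salt.
# Traditional crypt() only looks at the first two salt characters, so all
# accounts whose names start with the same two letters share a salt, and
# the same user/password pair hashes identically on every installation.
sub legacy_hash {
    my ( $user, $password ) = @_;
    return crypt( $password, $user );
}

# Proposed scheme: fresh random salt per stored password. crypt() prefixes
# its output with the salt, so the stored string is self-describing.
sub hash_password {
    my ($password) = @_;
    return crypt( $password, random_salt() );
}

# Verification: recover the salt from the stored value (the thread's
# s/^(..).*/$1/ step) and re-hash the candidate with it.
sub verify_password {
    my ( $password, $stored ) = @_;
    my $salt = substr( $stored, 0, 2 );
    return crypt( $password, $salt ) eq $stored ? 1 : 0;
}

# Constructed sample data for the demonstration.
my $pw = 'correct-horse';
print "legacy andrew: ", legacy_hash( 'andrew', $pw ), "\n";
print "legacy andrea: ", legacy_hash( 'andrea', $pw ), "\n";   # both use salt 'an'
my ( $h1, $h2 ) = ( hash_password($pw), hash_password($pw) );
print "random #1: $h1\nrandom #2: $h2\n";
print "verify good: ", verify_password( $pw,     $h1 ), "\n";
print "verify bad:  ", verify_password( 'wrong', $h1 ), "\n";
```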

On Wed, Mar 19, 2003 at 11:26:18AM -0500, -----@coxnews.com wrote:
> I have been working with OTRS here for a bit, and needed to modify the source some, and had an idea I thought I would pass along.
>
> In Kernel/System/Auth/DB.pm, Kernel/System/User.pm, Kernel/System/CustomerUser/DB.pm and Modules/AdminSignature.pm the salt for the crypt() function is $User. My thought was to secure this some more by using a function like below to build a random salt for password encryption:
>
>     sub random_salt {
>         my (@salt_set, $salt);
>         @salt_set = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
>         $salt = $salt_set[int(rand(64))] . $salt_set[int(rand(64))];
>         return $salt;
>     }
>
> Since the password checking routine, Auth(), already reads the username and password from the system_users table one could get the salt for password verification easily:
>
>     my $salt = $GetPw;
>     $salt =~ s/^(..).*/$1/;

It sounds good to me (and it's compatible). Wiktor, what do you think?

> Andrew

Martin

--
Martin Edenhofer - <martin at edenhofer.de> - http://martin.edenhofer.de/
--
Still 179 days until the Gäubodenvolksfest! ;-)

Without having looked at what's happening with $salt: Why not additionally encode $salt with MD5? I don't know exactly how coding forms, but would assume this:

    $salt = MD5($salt);

;)

Regards,
Robert

>     sub random_salt {
>         my (@salt_set, $salt);
>         @salt_set = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
>         $salt = $salt_set[int(rand(64))] . $salt_set[int(rand(64))];
>         return $salt;
>     }

Actually it might be quite interesting to be able to choose different encryption algorithms. I think about the LDAPauth module where I use the LDAP for different things. I think about working on the customer ldap module this or next week. Let's see.

On Thu, Mar 20, 2003 at 11:20:22AM +0100, Robert Kehl wrote:
> Without having looked at what's happening with $salt: Why not additionally encode $salt with MD5? I don't know exactly how coding forms, but would assume this:
>
>     $salt = MD5($salt);
>
> ;)
>
> Regards,
> Robert
>
> >     sub random_salt {
> >         my (@salt_set, $salt);
> >         @salt_set = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
> >         $salt = $salt_set[int(rand(64))] . $salt_set[int(rand(64))];
> >         return $salt;
> >     }

_______________________________________________
OTRS mailing list: dev - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/dev
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/dev

--
Regards,
Wiktor Wodecki
participants (4)
- ahall@coxnews.com
- Martin Edenhofer
- Robert Kehl
- Wiktor Wodecki