Vanilla password security

squirrel

Yeah, that would work. I'm not crazy about Authenticator creating its own UserManager object. Now there's an extra copy of UserManager that just hangs around all the time. I guess it doesn't matter because UM doesn't have any internal state but it feels clunky. I just can't think of any better way that doesn't change the signature of Authenticate(). It looks like this would do the job.

Dinoboff

checking and creating the hash is the responsibility of the Authenticator (of Authenticator::PasswordHash). UserManager::HashPassword() and UserManager::CheckPassword() are just used if Authenticator hasn't been updated. And I also removed Authenticator::UserManager like you suggested: http://dl-client.getdropbox.com/u/83967/new-hash-no-trouble.diff

elm

Is there a way to keep the md5-Hashes and still use md5? Because I set up a linuxserver on witch the user can authenticate against the vanilla-database and as far as I can see non of the 3 new password hash functions is available on linux especially on pam-mysql (http://pam-mysql.sourceforge.net/) witch cannot handle salts.

Dinoboff

Try that: http://dl-client.getdropbox.com/u/83967/Md5authenticator-0.1.1.zip Read the readme.txt for instruction if you have any trouble with installing/un-installing it

Dinoboff

Here are the details:
// extensions/Md5authenticator/default.php <?php /* Extension Name: Md5Authenticator Extension Url: http://lussumo.com/community/?CommentID=90404 Description: Replace Vanilla Authenticator to only use md5 hash Version: 0.1.1 Author: Damien Lebrun Author Url: N/A */ global $Context; // Check for Vanilla 1.1.5 and that we didn't already installed our authenticator if (array_key_exists('AUTHENTICATION_CLASS', $Context->Configuration) && $Context->Configuration['AUTHENTICATION_MODULE'] !== 'Md5Autehnticator' ) { AddConfigurationSetting($Context, 'AUTHENTICATION_MODULE', '../extensions/Md5authenticator/Authenticator.php'); AddConfigurationSetting($Context, 'AUTHENTICATION_CLASS', 'Md5Authenticator'); } // extensions/Md5authenticator/Authenticator.php <?php if (!defined('IN_VANILLA')) exit(); global $Configuration; include_once $Configuration['LIBRARY_PATH'] . '/People/People.Class.Authenticator.php'; class Md5Authenticator extends Authenticator { function Md5Authenticator(&$Context) { $this->Context = &$Context; $this->PasswordHash = new Md5Hash($Context); } } class Md5Hash { var $Context; function CheckPassword($User, $Password, $RegenerateHash=1) { if ($Password && $User->Password !== '*') { if (md5($Password) === $User->Password) { return true; } else if ($Password === $User->Password ) { if ($RegenerateHash) { $this->SetNewPassword($User, $Password); } return true; } } return false; } function HashPassword($Password) { return md5($Password); } function Md5Hash(&$Context) { $this->Context =& $Context; } function SetNewPassword($User, $Password) { $UserManager = $this->Context->ObjectFactory->NewContextObject( $this->Context, 'UserManager'); $User->Password = $this->HashPassword($Password); return $UserManager->SaveUserCredentials($User); } }

elm

And what if 1.1.5 is already installed? I just enabled the extension but it does not seem to work. The passwords are still converted to the new format. //EDIT the code u posted here is not the code in the archive. i'll give the code you posted a try //EDIT Ok It works now. Thank you.

Dinoboff

Sorry, I mixed the version I wrote and the one I debugged. I updated the post. Her is the archive: http://dl-client.getdropbox.com/u/83967/Md5authenticator-0.1.1.zip If you already upgraded to 1.1.5 I need to do a little change to support this case...

Dinoboff

Here is a version that will work if you have already upgraded to 1.1.5: http://dl-client.getdropbox.com/u/83967/Md5authenticator-0.1.2.zip

elm

Very nice. Thank you.