Change in the login mechanism

Now use passwords hashed & salted. Validate with PHP's password_verify() function Password hashes can be generated with : * mkpasswd --method=sha-512 * PHP's password_hash()
3 months ago · d746aa445e
parent 143af65357
commit d746aa445e
3 changed files with 77 additions and 75 deletions
--- a/conf/config.php
+++ b/conf/config.php
@ -8,36 +8,35 @@
 * $Id: config.php 273 2009-05-12 13:54:50Z tmartin $
 * vim: expandtab softtabstop=4 tabstop=4 shiftwidth=4 showtabline=2
 *
- * @author Gregory Colpart <reg@evolix.fr>
- * @author Thomas Martin <tmartin@evolix.fr>
- * @author Sebastien Palma <spalma@evolix.fr>
+ * @author  Gregory Colpart <reg@evolix.fr>
+ * @author  Thomas Martin <tmartin@evolix.fr>
+ * @author  Sebastien Palma <spalma@evolix.fr>
 * @version 1.0
 */


-// Email pour les notifications
 $oriconf['admin']['mail'] = 'admin@example.com';
 $oriconf['techmail'] = 'jdoe@example.com';
-$oriconf['debug'] = FALSE;
+$oriconf['debug'] = false;
 $oriconf['superadmin'] = array('superadmin');
 $oriconf['script_path'] = '/usr/share/scripts/evoadmin';
-$oriconf['cluster'] = FALSE;
+$oriconf['cluster'] = false;
 $oriconf['servers'] = array('servers');
 $oriconf['cache'] = '/home/evoadmin/www/cache.sqlite';
 $oriconf['known_host'] = '/home/evoadmin/www/known_host';
-$oriconf['ftpadmin'] = FALSE;
-$oriconf['bindadmin'] = FALSE;
-// Penser à rajouter également les versions de PHP disponibles dans /etc/evolinux/web-add.conf
+$oriconf['ftpadmin'] = false;
+$oriconf['bindadmin'] = false;
+// Warning: Don't forget to add available PHP versions into : /etc/evolinux/web-add.conf
 // $oriconf['php_versions'] = array();
-$oriconf['quota'] = FALSE;
-$oriconf['dbadmin'] = FALSE;
+$oriconf['quota'] = false;
+$oriconf['dbadmin'] = false;

 $oriconf['noreplication'] = array('srv00.example.com', 'srv01.example.com', 'srv02.example.com');
 $oriconf['postponedreplication'] = array('srv00.example.com', 'srv01.example.com', 'srv02.example.com');
 $oriconf['immediatereplication'] = array('srv00.example.com', 'srv01.example.com');
 $oriconf['postponedreplication_mode'] = array('1 fois/jour', '3 fois/jour', '1 fois/jour');

-// auth (sha256 hashs)
+// Generate password hashes : mkpasswd --method=sha-512 (cli) or with PHP's password_hash()
 $oriconf['logins'] = array();
-//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477';
-//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303';
+//$oriconf['logins']['foo'] = '$6$X0jqa/ausLSBkj4m$dLMMcPGVxak.aDPo4V/GJLm2d8vU8/QA5LbGTuqXCdxSNYU0kRKBgDl16GAyp0GqXXZ5wwDEJKQ1npgFwiuV81';
+//$oriconf['logins']['bar'] = '$6$Q6233S6mlWAF6p.j$LtzwG02YucozwqjAgSpeldh24Mnz7lBuVSbOQYbKKh9FiUx3tMVl6kJZkmrNdPqeadFXKAYXrqn.gy8KposF5.';
--- a/inc/auth.php
+++ b/inc/auth.php
@ -1,44 +1,44 @@
 <?php
-
 /**
- * Authentification page 
- *
- * Copyright (c) 2009 Evolix - Tous droits reserves
+ * Authentification controler 
 *
- * vim: expandtab softtabstop=4 tabstop=4 shiftwidth=4 showtabline=2 
+ * Copyright (c) 2009-2022 Evolix - Tous droits reserves
 *
- * @author Gregory Colpart <reg@evolix.fr>
- * @author Thomas Martin <tmartin@evolix.fr>
- * @author Sebastien Palma <spalma@evolix.fr>
+ * @author  Evolix <info@evolix.fr>
+ * @author  Gregory Colpart <reg@evolix.fr>
+ * @author  Thomas Martin <tmartin@evolix.fr>
+ * @author  Sebastien Palma <spalma@evolix.fr>
+ * @author  and others.
 * @version 1.0
 */

-if ((empty($_GET['form']) || $_GET['form']!=1) && !empty($_POST)) {
-  $username=$_POST['login'];
-  $password=$_POST['passw'];
+if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST)) {
+    $input_username = $_POST['login'];
+    $input_password = $_POST['passw'];
+
+    if (isset($conf['logins'][$input_username]) && password_verify($input_password, $conf['logins'][$input_username]) ) {
+        $_SESSION['auth'] = true;
+        $_SESSION['user'] = $input_username;
+        $_SESSION['user_id'] = posix_getpwnam($input_username) ? posix_getpwnam($input_username)['uid'] : 65534;
+        unset($_SESSION['error']);

-  if (hash("sha256",$password) == $conf['logins'][$username]) {
-    $_SESSION['auth']=1;
-    $_SESSION['user']=$username;
-    $_SESSION['user_id'] = posix_getpwnam($username) ? posix_getpwnam($username)['uid'] : 65534;
-    $_SESSION['error']='';
-  } else {
-    $_SESSION['auth']=0;
-    $_SESSION['user']='';
-    $_SESSION['error']=1;
-  }
-  http_redirect('/'); 
+    } else {
+        $_SESSION['auth'] = false;
+        $_SESSION['user'] = '';
+        $_SESSION['error'] = true;
+    }
+
+    http_redirect('/'); 

 } else {

-if(!empty($_SESSION['error'])) {
-  $error=$_SESSION['error'];
-}
-  
-  include_once EVOADMIN_BASE . '../tpl/header.tpl.php';
-  include_once EVOADMIN_BASE . '../tpl/auth.tpl.php';
-  include_once EVOADMIN_BASE . '../tpl/footer.tpl.php';
+    if (!empty($_SESSION['error'])) {
+        $error = $_SESSION['error'];
+        unset($_SESSION['error']);
+    }
+    
+    include_once EVOADMIN_BASE . '../tpl/header.tpl.php';
+    include_once EVOADMIN_BASE . '../tpl/auth.tpl.php';
+    include_once EVOADMIN_BASE . '../tpl/footer.tpl.php';

 } 
-
-?>
--- a/tpl/auth.tpl.php
+++ b/tpl/auth.tpl.php
@ -1,43 +1,46 @@
 <?php
-
 /**
- * Authentification form
- *
- * Copyright (c) 2009 Evolix - Tous droits reserves
+ * Authentification page
 *
- * vim: expandtab softtabstop=4 tabstop=4 shiftwidth=4 showtabline=2
+ * Copyright (c) 2009-2022 Evolix - Tous droits reserves
 *
- * @author Gregory Colpart <reg@evolix.fr>
- * @author Thomas Martin <tmartin@evolix.fr>
- * @author Sebastien Palma <spalma@evolix.fr>
+ * @author  Evolix <info@evolix.fr>
+ * @author  Gregory Colpart <reg@evolix.fr>
+ * @author  Thomas Martin <tmartin@evolix.fr>
+ * @author  Sebastien Palma <spalma@evolix.fr>
+ * @author  and others.
 * @version 1.0
 */

 ?>

-<br/><br/>
+<h2>Evoadmin : Connexion</h2>
+
 <form method="POST">
 <table align="center">
-  <tr>
-    <td align="right">Utilisateur : &nbsp;</td>
-    <td align="left"><input type="text" name="login" /></td>
-  </tr>
-  <tr>
-    <td align="right">Mot de passe : &nbsp;</td>
-    <td align="left"><input type="password" name="passw" /></td>
-  </tr>
-  <tr>
-    <td>&nbsp;</td>
-    <td align="left"><br/><input type="submit" value="Connexion" /></td>
-  </tr>
-  <?php
-  if (!empty($error)) {
-  ?>
-  <tr>
-    <td colspan="2" class="auth-error">Identifiants invalides. Veuillez ré-essayer</td>
-  </tr>
-  <?php
-  }
-  ?>
+    <tr>
+        <td align="right">Utilisateur : &nbsp;</td>
+        <td align="left"><input type="text" name="login" /></td>
+    </tr>
+    <tr>
+        <td align="right">Mot de passe : &nbsp;</td>
+        <td align="left"><input type="password" name="passw" /></td>
+    </tr>
+    <tr>
+        <td>&nbsp;</td>
+        <td align="left"><br/><input type="submit" value="Connexion" /></td>
+    </tr>
+    <?php
+    if (!empty($error)) {
+        ?>
+    <tr>
+        <td colspan="2" class="auth-error">
+            Identifiants invalides. 
+            Veuillez ré-essayer
+        </td>
+    </tr>
+        <?php
+    }
+    ?>
 </table>
 </form>