Change in the login mechanism

Passwords are now stored hashed and salted, and are validated with PHP's password_verify() function.

Password hashes can be generated with :
* mkpasswd --method=sha-512
* PHP's password_hash()
This commit is contained in:
Ludovic Poujol 2022-07-05 11:25:37 +02:00
parent 143af65357
commit d746aa445e
3 changed files with 77 additions and 75 deletions


@ -8,36 +8,35 @@
* $Id: config.php 273 2009-05-12 13:54:50Z tmartin $
* vim: expandtab softtabstop=4 tabstop=4 shiftwidth=4 showtabline=2
*
* @author Gregory Colpart <reg@evolix.fr>
* @author Thomas Martin <tmartin@evolix.fr>
* @author Sebastien Palma <spalma@evolix.fr>
* @author Gregory Colpart <reg@evolix.fr>
* @author Thomas Martin <tmartin@evolix.fr>
* @author Sebastien Palma <spalma@evolix.fr>
* @version 1.0
*/
// Email pour les notifications
$oriconf['admin']['mail'] = 'admin@example.com';
$oriconf['techmail'] = 'jdoe@example.com';
$oriconf['debug'] = FALSE;
$oriconf['debug'] = false;
$oriconf['superadmin'] = array('superadmin');
$oriconf['script_path'] = '/usr/share/scripts/evoadmin';
$oriconf['cluster'] = FALSE;
$oriconf['cluster'] = false;
$oriconf['servers'] = array('servers');
$oriconf['cache'] = '/home/evoadmin/www/cache.sqlite';
$oriconf['known_host'] = '/home/evoadmin/www/known_host';
$oriconf['ftpadmin'] = FALSE;
$oriconf['bindadmin'] = FALSE;
// Penser à rajouter également les versions de PHP disponibles dans /etc/evolinux/web-add.conf
$oriconf['ftpadmin'] = false;
$oriconf['bindadmin'] = false;
// Warning: Don't forget to add available PHP versions into : /etc/evolinux/web-add.conf
// $oriconf['php_versions'] = array();
$oriconf['quota'] = FALSE;
$oriconf['dbadmin'] = FALSE;
$oriconf['quota'] = false;
$oriconf['dbadmin'] = false;
$oriconf['noreplication'] = array('srv00.example.com', 'srv01.example.com', 'srv02.example.com');
$oriconf['postponedreplication'] = array('srv00.example.com', 'srv01.example.com', 'srv02.example.com');
$oriconf['immediatereplication'] = array('srv00.example.com', 'srv01.example.com');
$oriconf['postponedreplication_mode'] = array('1 fois/jour', '3 fois/jour', '1 fois/jour');
// auth (sha256 hashs)
// Generate password hashes : mkpasswd --method=sha-512 (cli) or with PHP's password_hash()
$oriconf['logins'] = array();
//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477';
//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303';
//$oriconf['logins']['foo'] = '$6$X0jqa/ausLSBkj4m$dLMMcPGVxak.aDPo4V/GJLm2d8vU8/QA5LbGTuqXCdxSNYU0kRKBgDl16GAyp0GqXXZ5wwDEJKQ1npgFwiuV81';
//$oriconf['logins']['bar'] = '$6$Q6233S6mlWAF6p.j$LtzwG02YucozwqjAgSpeldh24Mnz7lBuVSbOQYbKKh9FiUx3tMVl6kJZkmrNdPqeadFXKAYXrqn.gy8KposF5.';
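Review bot: The new comment above `$oriconf['logins']` names two hash generators without saying which to prefer, and both commented example entries show only the crypt `$6$` form. Since `password_verify()` accepts both formats, the comment could steer operators to PHP's recommended default, e.g. `// Generate password hashes with PHP's password_hash($pw, PASSWORD_DEFAULT) (preferred), or with mkpasswd --method=sha-512 (crypt format, also accepted by password_verify())`. A second commented example produced by `password_hash()` would make the expected shape of both kinds visible to whoever fills this in.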


@ -1,44 +1,44 @@
<?php
/**
* Authentification page
* Authentification controler
*
* Copyright (c) 2009 Evolix - Tous droits reserves
* Copyright (c) 2009-2022 Evolix - Tous droits reserves
*
* vim: expandtab softtabstop=4 tabstop=4 shiftwidth=4 showtabline=2
*
* @author Gregory Colpart <reg@evolix.fr>
* @author Thomas Martin <tmartin@evolix.fr>
* @author Sebastien Palma <spalma@evolix.fr>
* @author Evolix <info@evolix.fr>
* @author Gregory Colpart <reg@evolix.fr>
* @author Thomas Martin <tmartin@evolix.fr>
* @author Sebastien Palma <spalma@evolix.fr>
* @author and others.
* @version 1.0
*/
if ((empty($_GET['form']) || $_GET['form']!=1) && !empty($_POST)) {
$username=$_POST['login'];
$password=$_POST['passw'];
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST)) {
$input_username = $_POST['login'];
$input_password = $_POST['passw'];
if (hash("sha256",$password) == $conf['logins'][$username]) {
$_SESSION['auth']=1;
$_SESSION['user']=$username;
$_SESSION['user_id'] = posix_getpwnam($username) ? posix_getpwnam($username)['uid'] : 65534;
$_SESSION['error']='';
} else {
$_SESSION['auth']=0;
$_SESSION['user']='';
$_SESSION['error']=1;
}
http_redirect('/');
if (isset($conf['logins'][$input_username]) && password_verify($input_password, $conf['logins'][$input_username]) ) {
$_SESSION['auth'] = true;
$_SESSION['user'] = $input_username;
$_SESSION['user_id'] = posix_getpwnam($input_username) ? posix_getpwnam($input_username)['uid'] : 65534;
unset($_SESSION['error']);
} else {
$_SESSION['auth'] = false;
$_SESSION['user'] = '';
$_SESSION['error'] = true;
}
http_redirect('/');
} else {
if(!empty($_SESSION['error'])) {
$error=$_SESSION['error'];
}
include_once EVOADMIN_BASE . '../tpl/header.tpl.php';
include_once EVOADMIN_BASE . '../tpl/auth.tpl.php';
include_once EVOADMIN_BASE . '../tpl/footer.tpl.php';
if (!empty($_SESSION['error'])) {
$error = $_SESSION['error'];
unset($_SESSION['error']);
}
include_once EVOADMIN_BASE . '../tpl/header.tpl.php';
include_once EVOADMIN_BASE . '../tpl/auth.tpl.php';
include_once EVOADMIN_BASE . '../tpl/footer.tpl.php';
}
?>
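Review bot: After the successful `password_verify()` branch the session keeps the ID it had before authentication, so the `$_SESSION['auth'] = true;` block should start with `session_regenerate_id(true);` before the authenticated values are stored, the usual guard against session fixation. The `isset($_POST)` term in the outer condition is always true for a superglobal and adds nothing; keeping the previous `!empty($_POST)` or the method check alone would be clearer, and `$_SERVER['REQUEST_METHOD'] === 'POST'` should use strict comparison. `$_POST['login']` and `$_POST['passw']` are read without checking that they exist and are strings — a missing field emits a warning, and a non-string value makes the `$conf['logins'][$input_username]` lookup and `password_verify()` throw a TypeError, so guard with `if (!is_string($input_username) || !is_string($input_password)) { $input_username = ''; $input_password = ''; }` or equivalent before the lookup. The trailing `?>` on the last line can be dropped so stray whitespace after it cannot interfere with the headers sent by `http_redirect()`.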


@ -1,43 +1,46 @@
<?php
/**
* Authentification form
* Authentification page
*
* Copyright (c) 2009 Evolix - Tous droits reserves
* Copyright (c) 2009-2022 Evolix - Tous droits reserves
*
* vim: expandtab softtabstop=4 tabstop=4 shiftwidth=4 showtabline=2
*
* @author Gregory Colpart <reg@evolix.fr>
* @author Thomas Martin <tmartin@evolix.fr>
* @author Sebastien Palma <spalma@evolix.fr>
* @author Evolix <info@evolix.fr>
* @author Gregory Colpart <reg@evolix.fr>
* @author Thomas Martin <tmartin@evolix.fr>
* @author Sebastien Palma <spalma@evolix.fr>
* @author and others.
* @version 1.0
*/
?>
<br/><br/>
<h2>Evoadmin : Connexion</h2>
<form method="POST">
<table align="center">
<tr>
<td align="right">Utilisateur : &nbsp;</td>
<td align="left"><input type="text" name="login" /></td>
</tr>
<tr>
<td align="right">Mot de passe : &nbsp;</td>
<td align="left"><input type="password" name="passw" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td align="left"><br/><input type="submit" value="Connexion" /></td>
</tr>
<?php
if (!empty($error)) {
?>
<tr>
<td colspan="2" class="auth-error">Identifiants invalides. Veuillez -essayer</td>
</tr>
<?php
}
?>
<tr>
<td align="right">Utilisateur : &nbsp;</td>
<td align="left"><input type="text" name="login" /></td>
</tr>
<tr>
<td align="right">Mot de passe : &nbsp;</td>
<td align="left"><input type="password" name="passw" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td align="left"><br/><input type="submit" value="Connexion" /></td>
</tr>
<?php
if (!empty($error)) {
?>
<tr>
<td colspan="2" class="auth-error">
Identifiants invalides.
Veuillez -essayer
</td>
</tr>
<?php
}
?>
</table>
</form>