Greetings,
I have been working with OTRS here for a bit, and needed to modify the
source some, and had an idea I thought I would pass along.
In Kernel/System/Auth/DB.pm, Kernel/System/User.pm,
Kernel/System/CustomerUser/DB.pm and Modules/AdminSignature.pm the salt
for the crypt() function is $User. My thought was to secure this some
more by using a function like below to build a random salt for password
encryption:
sub random_salt
{
    my (@salt_set, $salt);
    # The 64 characters crypt() accepts in a salt, one per index of rand(64)
    @salt_set = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
    # Pick two characters at random to form the salt
    $salt = $salt_set[int(rand(64))] . $salt_set[int(rand(64))];
    return $salt;
}
Since the password checking routine, Auth(), already reads the username
and password from the system_users table one could get the salt for
password verification easily:
my $salt = $GetPw;
# Keep only the first two characters of the stored hash: they are the salt
$salt =~ s/^(..).*/$1/;
Just my $0.02.
Andrew
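The proposal above, worked through end to end as an added example (this is not Andrew's code nor code from OTRS): generate a random salt, hash a password with crypt(), and later verify a login by recovering the salt from the first two characters of the stored hash. The function names hash_password and check_password, and the sample password, are assumptions made for the illustration. One caveat worth keeping in mind: a two-character salt selects the traditional DES-based crypt on most Unix systems, which only uses the first eight characters of the password.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The 64 characters crypt() accepts in a salt, so one index per rand(64).
my @salt_set = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Build a random two-character salt, as proposed in the message.
sub random_salt {
    return join '', map { $salt_set[int(rand(64))] } 1 .. 2;
}

# Hash a new password with a fresh random salt; this is the value to store
# in place of crypt($Pw, $User). (hash_password is an assumed helper name.)
sub hash_password {
    my ($password) = @_;
    return crypt($password, random_salt());
}

# Verify a login attempt against the stored hash. The salt is the first two
# characters of the stored value, exactly as Auth() could recover it.
# (check_password is an assumed helper name.)
sub check_password {
    my ($password, $stored) = @_;
    my $salt = substr($stored, 0, 2);
    return crypt($password, $salt) eq $stored;
}

# Constructed demonstration values, not real accounts.
my $pw     = 'example-pass';
my $stored = hash_password($pw);
print "stored hash: $stored\n";
print "correct password: ", (check_password($pw, $stored)     ? "ok" : "FAIL"),     "\n";
print "wrong password:   ", (check_password('not-it', $stored) ? "ok" : "rejected"), "\n";

# The same password hashed twice now yields different values because each
# call draws a new salt; with $User as the salt the two would be identical,
# and identical passwords would be visible as identical hashes in the table.
print "second hash differs: ", (hash_password($pw) ne $stored ? "yes" : "no"), "\n";
```

Because crypt() only reads the leading salt characters, passing the whole stored hash as the second argument also works and avoids the substring step; the explicit extraction above mirrors the regex in the message so the two can be compared directly.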
_______________________________________________
OTRS mailing list: dev - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/dev
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/dev