On Saturday 1 May 2010 20:57:22, Amos Jeffries wrote:
> Luis Daniel Lucio Quiroz wrote:
> > On Friday 23 April 2010 00:20:13, Amos Jeffries wrote:
> >> Luis Daniel Lucio Quiroz wrote:
> >>> On Thursday 22 April 2010 20:09:57, Amos Jeffries wrote:
> >>>> Luis Daniel Lucio Quiroz wrote:
> >>>>> On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote:
> >>>>>> Hi all
> >>>>>> 
> >>>>>> As a requirement of one client, he wants to use the Joomla user database
> >>>>>> to let Squid authenticate.
> >>>>>> 
> >>>>>> I did patch squid_db_auth that Henrik has written in order to
> >>>>>> support Joomla hash conditions.
> >>>>>> 
> >>>>>> I did add one useful option to the script
> >>>>>> 
> >>>>>> --joomla
> >>>>>> 
> >>>>>> in order to activate joomla hashing.  Other options are identical.
> >>>>>> Please test :)
> >>>>>> 
> >>>>>> Amos, I'd like if you can include this in 3.1.2
> >>>> 
> >>>> Mumble.
> >>>> 
> >>>> How do other users feel about it? Useful enough to cross the security
> >>>> bugs and regressions only freeze?
> >>>> 
> >>>>>> LD
> >>>>> 
> >>>>> I have a typo in
> >>>>> my salt
> >>>>> 
> >>>>> should be
> >>>>> my $salt
> >>>>> 
> >>>>> sorry
> >>>> 
> >>>> Can you make the option --md5 instead please?
> >>>> 
> >>>>   Possibilities are not limited to Joomla and they may change someday.
> >>>> 
> >>>> The option needs to be added to the documentation sections of the
> >>>> helper as well.
> >>>> 
> >>>> Amos
> >>> 
> >>> I don't get you about "cross the security",
> >> 
> >> 3.1 is under feature freeze. Anything not a security fix or regression
> >> needs to have some good reasons to be committed.
> >> 
> >> I'm trying to stick to the freeze a little more with 3.1 than with 3.0,
> >> to get back into the habit of it. Particularly since we look like having
> >> a good foothold on the track for 12-month releases now.
> >> 
> >>> What I did is that the --joomla flag does a different SQL request, and
> >>> because the Joomla hash is like this:
> >>> hash:salt
> >>> I did split and compare.  By default Joomla uses MD5 (I'm not a Joomla
> >>> master, I don't know when Joomla uses other hashings)
> >> 
> >> I intend to use this auth helper myself for other systems, and there are
> >> others who ask about a DB helper occasionally.
> >> 
> >> 
> >> Taking a better look at your changes ...
> >> 
> >> The first one: db_conf = "block = 0"  seems to be useless. All it does
> >> is hard-code a different default value for the --cond option.
> >> 
> >>    For Joomla the squid.conf should instead contain:
> >>       --cond " block=0 "
> >> 
> >> Which leaves the salted/non-salted hash change.
> >> 
> >> Adding this:
> >>    --salt-delimiter D
> >> 
> >> To configure character(s) between the hash and salt values.  Will not
> >> lock people into the specific Joomla syntax of colon.  There are
> >> examples and tutorials out there for app design that use other
> >> delimiters.
> >> 
> >> Doing both of those changes Joomla would be configured with:
> >>    ... --cond " block=0 "  --salt-delimiter ":"
> >>> 
> >>> If you want, later I may also add --md5 to store md5 password, and
> >>> --digest-auth to support digest authentication :) but later jejeje
> >> 
> >> Amos
> > 
> > Hi
> > I've just updated my patch to fit 3.1.2
> > 
> > 
> > I hope this could be included since it is based on today's snapshot.
> > 
> > Regards,
> > 
> > LD
> 
> Thank you.
> 
> You still have the --joomla flag. I thought you agreed to call it
> something like the --salt and take the delim character?
> 
> Amos

Amos + team,

I was adding salt support and I noticed this line:
 return 1 if crypt($password, $key) eq $key;

As far as I know this is impossible, because crypt using a salt won't be eq
to that key.
Because there are many scenarios, I left this line in my patch and added
another to use a static salt.

I also added a --sql option to let the user specify complex queries, as I was
needing it to work with an INNER JOIN.

I hope you can review it.

LD
--- helpers/basic_auth/DB/squid_db_auth.in.orig	2010-05-03 18:36:22.000000000 +0200
+++ helpers/basic_auth/DB/squid_db_auth.in	2010-05-07 22:54:50.000000000 +0200
@@ -1,8 +1,9 @@
 #...@perl@
-use strict;
+#use strict;
 use DBI;
 use Getopt::Long;
 use Pod::Usage;
+use Digest::MD5 qw(md5 md5_hex md5_base64);
 $|=1;
 
 =pod
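Review bot: `use strict;` at the top of the file should stay enabled rather than be commented out; in a helper that checks credentials it is what catches undeclared or misspelled variables at compile time. Restore it and fix whatever it reports. The new import line can also be reduced to `use Digest::MD5 qw(md5_hex);`, since `md5` and `md5_base64` are not called in any of the hunks shown.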
@@ -22,6 +23,10 @@
 my $db_cond = "enabled = 1";
 my $plaintext = 0;
 my $persist = 0;
+my $isjoomla = 0;
+my $debug = 0;
+my $hashsalt = undef;
+my $sql = undef;
 
 =pod
 
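Review bot: `$debug` is declared here and bound to `--debug` in the option table further down, but no hunk in this patch reads it or documents it. Either add the debug output and a pod entry for the option, or drop the variable and the option. `$isjoomla` also keeps the Joomla-specific switch that the earlier review asked to replace with a generic salt delimiter option.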
@@ -62,15 +67,30 @@
 =item	B<--cond>
 
 Condition, defaults to enabled=1. Specify 1 or "" for no condition
+If you use --joomla flag, this condition will be changed to block=0
 
 =item	B<--plaintext>
 
 Database contains plain-text passwords
 
+=item	B<--salt>
+
+Selects the correct salt to evaluate passwords
+
 =item	B<--persist>
 
 Keep a persistent database connection open between queries. 
 
+=item  B<--joomla>
+
+Tells helper that user database is joomla db.  So salt hasing is 
+understood.
+
+=item   B<--sql>
+
+Tells the helper that this query will be used.  Remember to use ? 
+(question mark) in a sentence search username like: "WHERE user = ?"
+
 =back
 
 =cut
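Review bot: The `--salt` entry does not say that the option takes a value or what that value is used for; the option table declares it as `salt=s` and the check passes it as the second argument of crypt(), so the text should say so. The `--sql` entry should state that the query needs exactly one `?` placeholder for the username and should select only the password value, as the default query does, and that it replaces the query built from `--cond` and the table and column options. "hasing" in the `--joomla` entry should read "hashing", and `--debug` has no entry at all.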
@@ -85,9 +105,14 @@
 	'cond=s' => \$db_cond,
 	'plaintext' => \$plaintext,
 	'persist' => \$persist,
+	'joomla' => \$isjoomla,
+	'debug' => \$debug,
+	'salt=s' => \$hashsalt,
+	'sql=s' => \$sql,
 	);
 
 my ($_dbh, $_sth);
+$db_cond = "block = 0" if $isjoomla;
 
 sub close_db()
 {
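Review bot: `$db_cond = "block = 0" if $isjoomla;` runs after option parsing and overwrites whatever `--cond` the administrator passed, so `--joomla --cond "..."` silently loses the configured condition. Apply the Joomla default only when `--cond` was not given, or drop the line and document `--cond " block=0 "` for Joomla as suggested earlier in the thread.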
@@ -105,7 +130,16 @@
     	warn ("Could not connect to $dsn\n");
 	return undef;
     }
-    $_sth = $_dbh->prepare("SELECT $db_passwdcol FROM $db_table WHERE $db_usercol = ?" . ($db_cond ne "" ? " AND $db_cond" : "")) || die;
+    my $sql_query;
+
+	if (!defined $sql) {
+		$sql_query = "SELECT $db_passwdcol FROM $db_table WHERE $db_usercol = ?" . ($db_cond ne "" ? " AND $db_cond" : "");
+	}
+	else{
+		$sql_query = $sql;
+	}
+
+    $_sth = $_dbh->prepare($sql_query) || die;
     return $_sth;
 }
 
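Review bot: When `--sql` is set, the string goes to `prepare()` with no check that it contains the single `?` placeholder the username is bound to, and `$db_table`, `$db_usercol`, `$db_passwdcol` and `$db_cond` are ignored without a warning. After `prepare()`, verify `$_sth->{NUM_OF_PARAMS} == 1` and fail with a message that names the option; a bare `|| die` gives the administrator nothing to diagnose a bad query with. The new block also mixes tab and space indentation with the surrounding lines.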
@@ -113,9 +147,19 @@
 {
     my ($password, $key) = @_;
 
-    return 1 if crypt($password, $key) eq $key;
-    
-    return 1 if $plaintext && $password eq $key;
+    if ($isjoomla){
+        my $salt;
+        my $key2;
+        ($key2,$salt) = split (/$salt/, $key);
+        return 1 if md5_hex($password.$salt).':'.$salt eq $key;
+    }
+    else{
+
+        return 1 if defined $hashsalt && crypt($password, $hashsalt) eq $key;
+        return 1 if crypt($password, $key) eq $key;
+     
+        return 1 if $plaintext && $password eq $key;
+    }
 
     return 0;
 }
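Review bot: In the `$isjoomla` branch, `split (/$salt/, $key)` uses `$salt` as the pattern on the line right after `my $salt;` declares it, so the pattern is empty and the stored value is not split at the colon; the `md5_hex($password.$salt).':'.$salt eq $key` comparison that follows then cannot match a stored `hash:salt` row. Split on the delimiter with a limit, for example `my ($hash, $salt) = split(/:/, $key, 2);`, return 0 when `$salt` is undefined, and compare `md5_hex($password.$salt)` against `$hash`. `$key2` is assigned but never used.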
@@ -155,6 +199,7 @@
 =head1 COPYRIGHT
 
 Copyright (C) 2007 Henrik Nordstrom <[email protected]>
+Copyright (C) 2010 Luis Daniel Lucio Quiroz <[email protected]> (Joomla support)
 This program is free software. You may redistribute copies of it under the
 terms of the GNU General Public License version 2, or (at youropinion) any
 later version.
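
The salted check discussed in the thread (a stored `hash:salt` value, with the delimiter made configurable as the `--salt-delimiter` proposal suggests), as an added example that is not part of the patch or of squid_db_auth. The sub name `check_salted_md5`, the sample password and the salt are constructed for illustration, and the hash is assumed to be `md5_hex(password . salt)` as in the patch.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Hypothetical helper, not part of squid_db_auth: verify a password against
# a stored "hash<delim>salt" value, where hash = md5_hex(password . salt).
sub check_salted_md5 {
    my ($password, $stored, $delim) = @_;
    return 0 unless defined $stored && defined $delim && length $delim;

    # \Q...\E quotes the delimiter so "." or "|" are not read as regex
    # syntax; the limit of 2 keeps any later delimiter inside the salt.
    my ($hash, $salt) = split /\Q$delim\E/, $stored, 2;

    # A row without a salt part is rejected rather than compared unsalted.
    return 0 unless defined $salt && length $salt && length $hash;

    return lc($hash) eq md5_hex($password . $salt) ? 1 : 0;
}

# Constructed sample rows (made-up password and salt).
my $salt    = "Xy7Qp2";
my $stored  = md5_hex("s3cret" . $salt) . ":" . $salt;
my $stored2 = md5_hex("s3cret" . $salt) . '$' . $salt;

my @cases = (
    [ "s3cret", $stored,           ":" ],   # correct password, colon delimiter
    [ "wrong",  $stored,           ":" ],   # wrong password
    [ "s3cret", md5_hex("s3cret"), ":" ],   # stored value has no salt part
    [ "s3cret", $stored2,          '$' ],   # same scheme, different delimiter
);

for my $case (@cases) {
    my $result = check_salted_md5(@$case) ? "OK" : "ERR";
    print "$result\n";
}
```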
