--- loncom/lond 2016/01/31 21:25:53 1.517 +++ loncom/lond 2016/02/17 19:15:44 1.518 @@ -2,7 +2,7 @@ # The LearningOnline Network # lond "LON Daemon" Server (port "LOND" 5663) # -# $Id: lond,v 1.517 2016/01/31 21:25:53 raeburn Exp $ +# $Id: lond,v 1.518 2016/02/17 19:15:44 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -55,13 +55,16 @@ use LONCAPA::lonssl; use Fcntl qw(:flock); use Apache::lonnet; use Mail::Send; +use Crypt::Eksblowfish::Bcrypt; +use Digest::SHA; +use Encode; my $DEBUG = 0; # Non zero to enable debug log entries. my $status=''; my $lastlog=''; -my $VERSION='$Revision: 1.517 $'; #' stupid emacs +my $VERSION='$Revision: 1.518 $'; #' stupid emacs my $remoteVERSION; my $currenthostid="default"; my $currentdomainid; @@ -2013,15 +2016,14 @@ sub change_password_handler { my ($howpwd,$contentpwd)=split(/:/,$realpasswd); if ($howpwd eq 'internal') { &Debug("internal auth"); - my $salt=time; - $salt=substr($salt,6,2); - my $ncpass=crypt($npass,$salt); + my $ncpass = &hash_passwd($udom,$npass); if(&rewrite_password_file($udom, $uname, "internal:$ncpass")) { my $msg="Result of password change for $uname: pwchange_success"; if ($lonhost) { $msg .= " - request originated from: $lonhost"; } &logthis($msg); + &update_passwd_history($uname,$udom,$howpwd,$context); &Reply($client, "ok\n", $userinput); } else { &logthis("Unable to open $uname passwd " @@ -2030,6 +2032,9 @@ sub change_password_handler { } } elsif ($howpwd eq 'unix' && $context ne 'reset_by_email') { my $result = &change_unix_password($uname, $npass); + if ($result eq 'ok') { + &update_passwd_history($uname,$udom,$howpwd,$context); + } &logthis("Result of password change for $uname: ". $result); &Reply($client, \$result, $userinput); @@ -2052,6 +2057,42 @@ sub change_password_handler { } ®ister_handler("passwd", \&change_password_handler, 1, 1, 0); +sub hash_passwd { + my ($domain,$plainpass,@rest) = @_; + my ($salt,$cost); + if (@rest) { + $cost = $rest[0]; + # salt is first 22 characters, base-64 encoded by bcrypt + my $plainsalt = substr($rest[1],0,22); + $salt = Crypt::Eksblowfish::Bcrypt::de_base64($plainsalt); + } else { + my $defaultcost; + my %domconfig = + &Apache::lonnet::get_dom('configuration',['password'],$domain); + if (ref($domconfig{'password'}) eq 'HASH') { + $defaultcost = $domconfig{'password'}{'cost'}; + } + if (($defaultcost eq '') || ($defaultcost =~ /D/)) { + $cost = 10; + } else { + $cost = $defaultcost; + } + # Generate random 16-octet base64 salt + $salt = ""; + $salt .= pack("C", int rand(256)) for 1..16; + } + my $hash = &Crypt::Eksblowfish::Bcrypt::bcrypt_hash({ + key_nul => 1, + cost => $cost, + salt => $salt, + }, Digest::SHA::sha512(Encode::encode('UTF-8',$plainpass))); + + my $result = join("!", "", "bcrypt", sprintf("%02d",$cost), + &Crypt::Eksblowfish::Bcrypt::en_base64($salt). + &Crypt::Eksblowfish::Bcrypt::en_base64($hash)); + return $result; +} + # # Create a new user. User in this case means a lon-capa user. # The user must either already exist in some authentication realm @@ -2095,7 +2136,8 @@ sub add_user_handler { ."makeuser"; } unless ($fperror) { - my $result=&make_passwd_file($uname,$udom,$umode,$npass, $passfilename); + my $result=&make_passwd_file($uname,$udom,$umode,$npass, + $passfilename,'makeuser'); &Reply($client,\$result, $userinput); #BUGBUG - could be fail } else { &Failure($client, \$fperror, $userinput); @@ -2164,12 +2206,14 @@ sub change_authentication_handler { my $result = &change_unix_password($uname, $npass); &logthis("Result of password change for $uname: ".$result); if ($result eq "ok") { + &update_passwd_history($uname,$udom,$umode,'changeuserauth'); &Reply($client, \$result); } else { &Failure($client, \$result); } } else { - my $result=&make_passwd_file($uname,$udom,$umode,$npass,$passfilename); + my $result=&make_passwd_file($uname,$udom,$umode,$npass, + $passfilename,'changeuserauth'); # # If the current auth mode is internal, and the old auth mode was # unix, or krb*, and the user is an author for this domain, @@ -2190,6 +2234,17 @@ sub change_authentication_handler { } ®ister_handler("changeuserauth", \&change_authentication_handler, 1,1, 0); +sub update_passwd_history { + my ($uname,$udom,$umode,$context) = @_; + my $proname=&propath($udom,$uname); + my $now = time; + if (open(my $fh,">>$proname/passwd.log")) { + print $fh "$now:$umode:$context\n"; + close($fh); + } + return; +} + # # Determines if this is the home server for a user. The home server # for a user will have his/her lon-capa passwd file. Therefore all we need @@ -7147,7 +7202,18 @@ sub validate_user { } if ($howpwd ne 'nouser') { if($howpwd eq "internal") { # Encrypted is in local password file. - $validated = (crypt($password, $contentpwd) eq $contentpwd); + if (length($contentpwd) == 13) { + $validated = (crypt($password,$contentpwd) eq $contentpwd); + if ($validated) { + my $ncpass = &hash_passwd($domain,$password); + if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass")) { + &update_passwd_history($user,$domain,$howpwd,'conversion'); + &logthis("Validated password hashed with bcrypt for $user:$domain"); + } + } + } else { + $validated = &check_internal_passwd($password,$contentpwd,$domain); + } } elsif ($howpwd eq "unix") { # User is a normal unix user. $contentpwd = (getpwnam($user))[1]; @@ -7215,6 +7281,39 @@ sub validate_user { return $validated; } +sub check_internal_passwd { + my ($plainpass,$stored,$domain) = @_; + my (undef,$method,@rest) = split(/!/,$stored); + if ($method eq "bcrypt") { + my $result = &hash_passwd($domain,$plainpass,@rest); + if ($result ne $stored) { + return 0; + } + # Upgrade to a larger number of rounds if necessary + my $defaultcost; + my %domconfig = + &Apache::lonnet::get_dom('configuration',['password'],$domain); + if (ref($domconfig{'password'}) eq 'HASH') { + $defaultcost = $domconfig{'password'}{'cost'}; + } + if (($defaultcost eq '') || ($defaultcost =~ /D/)) { + $defaultcost = 10; + } + return 1 unless($rest[0]<$defaultcost); + } + return 0; +} + +sub get_last_authchg { + my ($domain,$user) = @_; + my $lastmod; + my $logname = &propath($domain,$user).'/passwd.log'; + if (-e "$logname") { + $lastmod = (stat("$logname"))[9]; + } + return $lastmod; +} + sub krb4_authen { my ($password,$null,$user,$contentpwd) = @_; my $validated = 0; @@ -7530,26 +7629,26 @@ sub change_unix_password { sub make_passwd_file { - my ($uname,$udom,$umode,$npass,$passfilename)=@_; + my ($uname,$udom,$umode,$npass,$passfilename,$action)=@_; my $result="ok"; if ($umode eq 'krb4' or $umode eq 'krb5') { { my $pf = IO::File->new(">$passfilename"); if ($pf) { print $pf "$umode:$npass\n"; + &update_passwd_history($uname,$udom,$umode,$action); } else { $result = "pass_file_failed_error"; } } } elsif ($umode eq 'internal') { - my $salt=time; - $salt=substr($salt,6,2); - my $ncpass=crypt($npass,$salt); + my $ncpass = &hash_passwd($udom,$npass); { &Debug("Creating internal auth"); my $pf = IO::File->new(">$passfilename"); if($pf) { - print $pf "internal:$ncpass\n"; + print $pf "internal:$ncpass\n"; + &update_passwd_history($uname,$udom,$umode,$action); } else { $result = "pass_file_failed_error"; }