[LON-CAPA-cvs] cvs: loncom(version_2_11_X) / lond

raeburn raeburn at source.lon-capa.org
Thu Aug 11 12:37:54 EDT 2016


raeburn		Thu Aug 11 16:37:54 2016 EDT

  Modified files:              (Branch: version_2_11_X)
    /loncom	lond 
  Log:
  - For 2.11
    - Backport 1.518, 1.524
  
  
-------------- next part --------------
Index: loncom/lond
diff -u loncom/lond:1.489.2.20 loncom/lond:1.489.2.21
--- loncom/lond:1.489.2.20	Thu Aug 11 09:52:39 2016
+++ loncom/lond	Thu Aug 11 16:37:54 2016
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.489.2.20 2016/08/11 09:52:39 raeburn Exp $
+# $Id: lond,v 1.489.2.21 2016/08/11 16:37:54 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -55,13 +55,16 @@
 use Fcntl qw(:flock);
 use Apache::lonnet;
 use Mail::Send;
+use Crypt::Eksblowfish::Bcrypt;
+use Digest::SHA;
+use Encode;
 
 my $DEBUG = 0;		       # Non zero to enable debug log entries.
 
 my $status='';
 my $lastlog='';
 
-my $VERSION='$Revision: 1.489.2.20 $'; #' stupid emacs
+my $VERSION='$Revision: 1.489.2.21 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid="default";
 my $currentdomainid;
@@ -2017,15 +2020,14 @@
 	my ($howpwd,$contentpwd)=split(/:/,$realpasswd);
 	if ($howpwd eq 'internal') {
 	    &Debug("internal auth");
-	    my $salt=time;
-	    $salt=substr($salt,6,2);
-	    my $ncpass=crypt($npass,$salt);
+            my $ncpass = &hash_passwd($udom,$npass);
 	    if(&rewrite_password_file($udom, $uname, "internal:$ncpass")) {
 		my $msg="Result of password change for $uname: pwchange_success";
                 if ($lonhost) {
                     $msg .= " - request originated from: $lonhost";
                 }
                 &logthis($msg);
+                &update_passwd_history($uname,$udom,$howpwd,$context);
 		&Reply($client, "ok\n", $userinput);
 	    } else {
 		&logthis("Unable to open $uname passwd "               
@@ -2034,6 +2036,9 @@
 	    }
 	} elsif ($howpwd eq 'unix' && $context ne 'reset_by_email') {
 	    my $result = &change_unix_password($uname, $npass);
+            if ($result eq 'ok') {
+                &update_passwd_history($uname,$udom,$howpwd,$context);
+            }
 	    &logthis("Result of password change for $uname: ".
 		     $result);
 	    &Reply($client, \$result, $userinput);
@@ -2056,6 +2061,42 @@
 }
 &register_handler("passwd", \&change_password_handler, 1, 1, 0);
 
+sub hash_passwd {
+    my ($domain,$plainpass, at rest) = @_;
+    my ($salt,$cost);
+    if (@rest) {
+        $cost = $rest[0];
+        # salt is first 22 characters, base-64 encoded by bcrypt
+        my $plainsalt = substr($rest[1],0,22);
+        $salt = Crypt::Eksblowfish::Bcrypt::de_base64($plainsalt);
+    } else {
+        my $defaultcost;
+        my %domconfig =
+            &Apache::lonnet::get_dom('configuration',['password'],$domain);
+        if (ref($domconfig{'password'}) eq 'HASH') {
+            $defaultcost = $domconfig{'password'}{'cost'};
+        }
+        if (($defaultcost eq '') || ($defaultcost =~ /D/)) {
+            $cost = 10;
+        } else {
+            $cost = $defaultcost;
+        }
+        # Generate random 16-octet base64 salt
+        $salt = "";
+        $salt .= pack("C", int rand(256)) for 1..16;
+    }
+    my $hash = &Crypt::Eksblowfish::Bcrypt::bcrypt_hash({
+        key_nul => 1,
+        cost    => $cost,
+        salt    => $salt,
+    }, Digest::SHA::sha512(Encode::encode('UTF-8',$plainpass)));
+
+    my $result = join("!", "", "bcrypt", sprintf("%02d",$cost),
+                &Crypt::Eksblowfish::Bcrypt::en_base64($salt).
+                &Crypt::Eksblowfish::Bcrypt::en_base64($hash));
+    return $result;
+}
+
 #
 #   Create a new user.  User in this case means a lon-capa user.
 #   The user must either already exist in some authentication realm
@@ -2099,7 +2140,8 @@
 		    ."makeuser";
 	    }
 	    unless ($fperror) {
-		my $result=&make_passwd_file($uname,$udom,$umode,$npass, $passfilename);
+		my $result=&make_passwd_file($uname,$udom,$umode,$npass,
+                                             $passfilename,'makeuser');
 		&Reply($client,\$result, $userinput);     #BUGBUG - could be fail
 	    } else {
 		&Failure($client, \$fperror, $userinput);
@@ -2168,12 +2210,14 @@
 		my $result = &change_unix_password($uname, $npass);
 		&logthis("Result of password change for $uname: ".$result);
 		if ($result eq "ok") {
+                    &update_passwd_history($uname,$udom,$umode,'changeuserauth');
 		    &Reply($client, \$result);
 		} else {
 		    &Failure($client, \$result);
 		}
 	    } else {
-		my $result=&make_passwd_file($uname,$udom,$umode,$npass,$passfilename);
+		my $result=&make_passwd_file($uname,$udom,$umode,$npass,
+                                             $passfilename,'changeuserauth');
 		#
 		#  If the current auth mode is internal, and the old auth mode was
 		#  unix, or krb*,  and the user is an author for this domain,
@@ -2194,6 +2238,17 @@
 }
 &register_handler("changeuserauth", \&change_authentication_handler, 1,1, 0);
 
+sub update_passwd_history {
+    my ($uname,$udom,$umode,$context) = @_;
+    my $proname=&propath($udom,$uname);
+    my $now = time;
+    if (open(my $fh,">>$proname/passwd.log")) {
+        print $fh "$now:$umode:$context\n";
+        close($fh);
+    }
+    return;
+}
+
 #
 #   Determines if this is the home server for a user.  The home server
 #   for a user will have his/her lon-capa passwd file.  Therefore all we need
@@ -7023,7 +7078,18 @@
     } 
     if ($howpwd ne 'nouser') {
 	if($howpwd eq "internal") { # Encrypted is in local password file.
-	    $validated = (crypt($password, $contentpwd) eq $contentpwd);
+            if (length($contentpwd) == 13) {
+                $validated = (crypt($password,$contentpwd) eq $contentpwd);
+                if ($validated) {
+                    my $ncpass = &hash_passwd($domain,$password);
+                    if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass")) {
+                        &update_passwd_history($user,$domain,$howpwd,'conversion');
+                        &logthis("Validated password hashed with bcrypt for $user:$domain");
+                    }
+                }
+            } else {
+                $validated = &check_internal_passwd($password,$contentpwd,$domain);
+            }
 	}
 	elsif ($howpwd eq "unix") { # User is a normal unix user.
 	    $contentpwd = (getpwnam($user))[1];
@@ -7091,6 +7157,39 @@
     return $validated;
 }
 
+sub check_internal_passwd {
+    my ($plainpass,$stored,$domain) = @_;
+    my (undef,$method, at rest) = split(/!/,$stored);
+    if ($method eq "bcrypt") {
+        my $result = &hash_passwd($domain,$plainpass, at rest);
+        if ($result ne $stored) {
+            return 0;
+        }
+        # Upgrade to a larger number of rounds if necessary
+        my $defaultcost;
+        my %domconfig =
+            &Apache::lonnet::get_dom('configuration',['password'],$domain);
+        if (ref($domconfig{'password'}) eq 'HASH') {
+            $defaultcost = $domconfig{'password'}{'cost'};
+        }
+        if (($defaultcost eq '') || ($defaultcost =~ /D/)) {
+            $defaultcost = 10;
+        }
+        return 1 unless($rest[0]<$defaultcost);
+    }
+    return 0;
+}
+
+sub get_last_authchg {
+    my ($domain,$user) = @_;
+    my $lastmod;
+    my $logname = &propath($domain,$user).'/passwd.log';
+    if (-e "$logname") {
+        $lastmod = (stat("$logname"))[9];
+    }
+    return $lastmod;
+}
+
 sub krb4_authen {
     my ($password,$null,$user,$contentpwd) = @_;
     my $validated = 0;
@@ -7406,26 +7505,26 @@
 
 
 sub make_passwd_file {
-    my ($uname,$udom,$umode,$npass,$passfilename)=@_;
+    my ($uname,$udom,$umode,$npass,$passfilename,$action)=@_;
     my $result="ok";
     if ($umode eq 'krb4' or $umode eq 'krb5') {
 	{
 	    my $pf = IO::File->new(">$passfilename");
 	    if ($pf) {
 		print $pf "$umode:$npass\n";
+                &update_passwd_history($uname,$udom,$umode,$action);
 	    } else {
 		$result = "pass_file_failed_error";
 	    }
 	}
     } elsif ($umode eq 'internal') {
-	my $salt=time;
-	$salt=substr($salt,6,2);
-	my $ncpass=crypt($npass,$salt);
+        my $ncpass = &hash_passwd($udom,$npass);
 	{
 	    &Debug("Creating internal auth");
 	    my $pf = IO::File->new(">$passfilename");
 	    if($pf) {
 		print $pf "internal:$ncpass\n"; 
+                &update_passwd_history($uname,$udom,$umode,$action);
 	    } else {
 		$result = "pass_file_failed_error";
 	    }
@@ -7435,6 +7534,7 @@
 	    my $pf = IO::File->new(">$passfilename");
 	    if($pf) {
 		print $pf "localauth:$npass\n";
+                &update_passwd_history($uname,$udom,$umode,$action);
 	    } else {
 		$result = "pass_file_failed_error";
 	    }


More information about the LON-CAPA-cvs mailing list