Re: Re: Joomla DB authentication support hits Squid! :)

On Saturday 1 May 2010 20:57:22, Amos Jeffries wrote:
> Luis Daniel Lucio Quiroz wrote:
> > On Friday 23 April 2010 00:20:13, Amos Jeffries wrote:
> >> Luis Daniel Lucio Quiroz wrote:
> >>> On Thursday 22 April 2010 20:09:57, Amos Jeffries wrote:
> >>>> Luis Daniel Lucio Quiroz wrote:
> >>>>> On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote:
> >>>>>> Hi all
> >>>>>> 
> >>>>>> As a requirement of one client, he wants to use the Joomla user database
> >>>>>> to let Squid authenticate.
> >>>>>> 
> >>>>>> I did patch squid_db_auth that Henrik has written in order to
> >>>>>> support joomla hash conditions.
> >>>>>> 
> >>>>>> I did add one useful option to the script
> >>>>>> 
> >>>>>> --joomla
> >>>>>> 
> >>>>>> in order to activate Joomla hashing.  Other options are identical.
> >>>>>> Please test :)
> >>>>>> 
> >>>>>> Amos, I'd like it if you can include this in 3.1.2
> >>>> 
> >>>> Mumble.
> >>>> 
> >>>> How do other users feel about it? Useful enough to cross the security
> >>>> bugs and regressions only freeze?
> >>>> 
> >>>>>> LD
> >>>>> 
> >>>>> I have a typo in
> >>>>> my salt
> >>>>> 
> >>>>> should be
> >>>>> my $salt
> >>>>> 
> >>>>> sorry
> >>>> 
> >>>> Can you make the option --md5 instead please?
> >>>> 
> >>>>   Possibilities are not limited to Joomla and they may change someday.
> >>>> 
> >>>> The option needs to be added to the documentation sections of the
> >>>> helper as well.
> >>>> 
> >>>> Amos
> >>> 
> >>> I don't get you about "cross the security",
> >> 
> >> 3.1 is under feature freeze. Anything not a security fix or regression
> >> needs to have some good reasons to be committed.
> >> 
> >> I'm trying to stick to the freeze a little more with 3.1 than with 3.0,
> >> to get back into the habit of it. Particularly since we look like having
> >> a good foothold on the track for 12-month releases now.
> >> 
> >>> What I did is that the --joomla flag does a different SQL request, and
> >>> because the Joomla hash is like this:
> >>> hash:salt
> >>> I did split and compare.  By default Joomla uses md5 (I'm not a Joomla
> >>> master, I don't know when Joomla uses other hashings)
> >> 
> >> I intend to use this auth helper myself for other systems, and there are
> >> others who ask about a DB helper occasionally.
> >> 
> >> 
> >> Taking a better look at your changes ...
> >> 
> >> The first one: db_conf = "block = 0"  seems to be useless. All it does
> >> is hard-code a different default value for the --cond option.
> >> 
> >>    For Joomla the squid.conf should instead contain:
> >>       --cond " block=0 "
> >> 
> >> Which leaves the salted/non-salted hash change.
> >> 
> >> Adding this:
> >>    --salt-delimiter D
> >> 
> >> To configure character(s) between the hash and salt values.  This will not
> >> lock people into the specific Joomla syntax of colon.  There are
> >> examples and tutorials out there for app design that use other
> >> delimiters.
> >> 
> >> Doing both of those changes Joomla would be configured with:
> >>    ... --cond " block=0 "  --salt-delimiter ":"
> >>> 
> >>> If you want, later I may also add --md5 to store md5 passwords, and
> >>> --digest-auth to support digest authentication :) but later jejeje
> >> 
> >> Amos
> > 
> > Hi
> > I've just updated my patch to fit 3.1.2
> > 
> > 
> > I hope this could be included since it is based on today's snapshot.
> > 
> > Regards,
> > 
> > LD
> 
> Thank you.
> 
> You still have the --joomla flag. I thought you agreed to call it
> something like --salt and take the delim character?
> 
> Amos

Amos + team,

I was adding salt support and I noticed this line:
 return 1 if crypt($password, $key) eq $key;

As far as I know this is impossible, because crypt using a salt won't be eq
to that key.
Because there are many scenarios, I left this line in my patch and added
another to use a static salt.

I also added a --sql option to let the user specify complex queries, as I was
needing it to work with an INNER JOIN.

I hope you can review it.

LD
--- helpers/basic_auth/DB/squid_db_auth.in.orig	2010-05-03 18:36:22.000000000 +0200
+++ helpers/basic_auth/DB/squid_db_auth.in	2010-05-07 22:54:50.000000000 +0200
@@ -1,8 +1,9 @@
 #!@PERL@
-use strict;
+#use strict;
 use DBI;
 use Getopt::Long;
 use Pod::Usage;
+use Digest::MD5 qw(md5 md5_hex md5_base64);
 $|=1;
 
 =pod
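Review bot: Commenting out `use strict;` (`-use strict;` / `+#use strict;`) is a regression with no justification visible in the patch: every variable the patch introduces below is declared with `my`, so nothing here needs strictness disabled. Restore `use strict;`. Separately, only `md5_hex` is used later, so the import can be narrowed to `use Digest::MD5 qw(md5_hex);`.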
@@ -22,6 +23,10 @@
 my $db_cond = "enabled = 1";
 my $plaintext = 0;
 my $persist = 0;
+my $isjoomla = 0;
+my $debug = 0;
+my $hashsalt = undef;
+my $sql = undef;
 
 =pod
 
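Review bot: `$debug` is declared here (and wired to a `--debug` option below) but is never read anywhere in the patch; either drop it or use it. Given the earlier agreement in this thread, this is also where a `$salt_delimiter` (defaulting to ":") would replace the Joomla-specific `$isjoomla` flag, so the helper is not tied to one application's layout.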
@@ -62,15 +67,30 @@
 =item	B<--cond>
 
 Condition, defaults to enabled=1. Specify 1 or "" for no condition
+If you use --joomla flag, this condition will be changed to block=0
 
 =item	B<--plaintext>
 
 Database contains plain-text passwords
 
+=item	B<--salt>
+
+Selects the correct salt to evaluate passwords
+
 =item	B<--persist>
 
 Keep a persistent database connection open between queries. 
 
+=item  B<--joomla>
+
+Tells helper that user database is joomla db.  So salt hasing is 
+understood.
+
+=item   B<--sql>
+
+Tells the helper that this query will be used.  Remember to use ? 
+(question mark) in a sentence search username like: "WHERE user = ?"
+
 =back
 
 =cut
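Review bot: The `--salt` entry ("Selects the correct salt to evaluate passwords") does not say what the value does; from the code below it is a fixed salt handed to `crypt()` for every user, and the documentation should say so. The `--sql` entry should state that the query must return the password column as its first column and that `--cond` is ignored when `--sql` is given, since that is what the prepare code does. The `--joomla` entry should document the expected `hash:salt` layout, and "hasing" should read "hashing".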
@@ -85,9 +105,14 @@
 	'cond=s' => \$db_cond,
 	'plaintext' => \$plaintext,
 	'persist' => \$persist,
+	'joomla' => \$isjoomla,
+	'debug' => \$debug,
+	'salt=s' => \$hashsalt,
+	'sql=s' => \$sql,
 	);
 
 my ($_dbh, $_sth);
+$db_cond = "block = 0" if $isjoomla;
 
 sub close_db()
 {
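Review bot: `$db_cond = "block = 0" if $isjoomla;` silently overwrites whatever the administrator passed to `--cond`, which is the hard-coded default Amos already objected to earlier in the thread. Either drop it and document `--cond " block=0 "` as the Joomla setting, or only apply it when `--cond` was not given explicitly.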
@@ -105,7 +130,16 @@
     	warn ("Could not connect to $dsn\n");
 	return undef;
     }
-    $_sth = $_dbh->prepare("SELECT $db_passwdcol FROM $db_table WHERE $db_usercol = ?" . ($db_cond ne "" ? " AND $db_cond" : "")) || die;
+    my $sql_query;
+
+	if (!defined $sql) {
+		$sql_query = "SELECT $db_passwdcol FROM $db_table WHERE $db_usercol = ?" . ($db_cond ne "" ? " AND $db_cond" : "");
+	}
+	else{
+		$sql_query = $sql;
+	}
+
+    $_sth = $_dbh->prepare($sql_query) || die;
     return $_sth;
 }
 
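Review bot: When `$sql` is defined, `$db_cond` is discarded without any message, so a `--cond` on the command line becomes a silent no-op; at minimum warn when both are given. The custom query is prepared as-is, so the documentation needs to state that it must take exactly the one `?` username placeholder mentioned in the `--sql` entry and return the password as its first column. Also, the new `if`/`else` block is indented with tabs while the surrounding code uses four spaces.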
@@ -113,9 +147,19 @@
 {
     my ($password, $key) = @_;
 
-    return 1 if crypt($password, $key) eq $key;
-    
-    return 1 if $plaintext && $password eq $key;
+    if ($isjoomla){
+        my $salt;
+        my $key2;
+        ($key2,$salt) = split (/$salt/, $key);
+        return 1 if md5_hex($password.$salt).':'.$salt eq $key;
+    }
+    else{
+
+        return 1 if defined $hashsalt && crypt($password, $hashsalt) eq $key;
+        return 1 if crypt($password, $key) eq $key;
+     
+        return 1 if $plaintext && $password eq $key;
+    }
 
     return 0;
 }
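Review bot: `($key2,$salt) = split (/$salt/, $key);` uses `$salt` before it is assigned (it is declared as `my $salt;` two lines above), so the pattern interpolates to the empty regex and `split` breaks `$key` into single characters: `$key2` gets the first character of the stored value and `$salt` the second, and the following comparison can effectively never succeed. Split on the delimiter instead, limited to two fields so a salt containing the delimiter survives, for example `my ($key2, $salt) = split(/:/, $key, 2);` (or the configurable delimiter discussed in the thread), and return 0 when no delimiter is present. `$key2` is then unused because the check rebuilds the whole `hash:salt` string rather than comparing `md5_hex($password.$salt) eq $key2`. Note also that in Joomla mode `--plaintext` is silently ignored.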
@@ -155,6 +199,7 @@
 =head1 COPYRIGHT
 
 Copyright (C) 2007 Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>
+Copyright (C) 2010 Luis Daniel Lucio Quiroz <dlucio@xxxxxxxxxxx> (Joomla support)
 This program is free software. You may redistribute copies of it under the
 terms of the GNU General Public License version 2, or (at youropinion) any
 later version.
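The `hash:salt` scheme discussed in the thread, as an added example that is not part of the helper or of either poster's patch: the stored value is the md5 hex digest of password plus salt, followed by a configurable delimiter (Amos's `--salt-delimiter` suggestion) and the salt. The function names, the constructed sample entries and the use of Python instead of Perl are assumptions made for this illustration; the verifier splits on the first delimiter only, fails closed on malformed entries, and uses a constant-time comparison.

```python
import hashlib
import hmac


def make_salted_entry(password: str, salt: str, delimiter: str = ":") -> str:
    """Build a stored credential in the md5(password+salt)<delimiter>salt layout.

    Constructed helper for this example; it mirrors the layout the thread
    describes so that check_salted_md5() has realistic input to verify.
    """
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + delimiter + salt


def check_salted_md5(password: str, stored: str, delimiter: str = ":") -> bool:
    """Verify password against a stored hash<delimiter>salt entry.

    - The delimiter is configurable rather than hard-coded to ":".
    - Split only on the first delimiter, so a salt that itself contains the
      delimiter is preserved (the hash part is hex and never contains it).
    - Entries with no delimiter or an empty hash part fail closed.
    - hmac.compare_digest avoids early-exit timing differences when comparing.
    """
    if delimiter == "" or delimiter not in stored:
        return False
    stored_hash, salt = stored.split(delimiter, 1)
    if not stored_hash:
        return False
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored_hash)


def verify_rows(password: str, rows: dict, delimiter: str = ":") -> dict:
    """Check one candidate password against several constructed stored entries.

    Returns a mapping of row label -> verification result, which is the shape
    a helper would report per lookup.
    """
    return {label: check_salted_md5(password, stored, delimiter)
            for label, stored in rows.items()}


if __name__ == "__main__":
    # Constructed sample rows: one good entry, one with a different salt,
    # and one malformed entry without a delimiter.
    sample_rows = {
        "good": make_salted_entry("s3cret", "abc"),
        "other-salt": make_salted_entry("s3cret", "xyz").replace("xyz", "abc"),
        "malformed": "d41d8cd98f00b204e9800998ecf8427e",
    }
    for label, ok in verify_rows("s3cret", sample_rows).items():
        print(f"{label}: {'OK' if ok else 'ERR'}")
```

The `other-salt` row shows why the salt must travel with the hash: the same password hashed with a different salt does not verify once the stored salt is swapped. In a helper, the returned booleans map to the `OK`/`ERR` lines Squid expects on stdout.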
