encrypt_pw: avoid '+' for crypt salt

[pve-access-control.git] / PVE / Auth / Plugin.pm

diff --git a/PVE/Auth/Plugin.pm b/PVE/Auth/Plugin.pm
index 13083406a1c66f66be22473f670e3e525178f570..3356f691c55d1b5ff8bc3e1b5c5a54e63ac57a8e 100755 (executable)
--- a/PVE/Auth/Plugin.pm
+++ b/PVE/Auth/Plugin.pm
@@ -116,6 +116,10 @@ sub parse_tfa_config {
            $res->{key} = $1;
        } elsif ($kvp =~ m/^url=(\S+)$/) {
            $res->{url} = $1;
            $res->{key} = $1;
        } elsif ($kvp =~ m/^url=(\S+)$/) {
            $res->{url} = $1;

+       } elsif ($kvp =~ m/^digits=([6|7|8])$/) {
+           $res->{digits} = $1;
+       } elsif ($kvp =~ m/^step=([1-9]\d+)$/) {
+           $res->{step} = $1;

        } else {
            return undef;
        }           
        } else {
            return undef;
        }           


@@ -126,11 +130,18 @@ sub parse_tfa_config {
     return $res;
 }
 
     return $res;
 }
 

+my $salt_starter = time();
+

 sub encrypt_pw {
     my ($pw) = @_;
 
 sub encrypt_pw {
     my ($pw) = @_;
 

-    my $time = substr(Digest::SHA::sha1_base64 (time), 0, 8);
-    return crypt(encode("utf8", $pw), "\$5\$$time\$");
+    $salt_starter++;
+    my $salt = substr(Digest::SHA::sha1_base64(time() + $salt_starter + $$), 0, 8);
+
+    # crypt does not want '+' in salt (see 'man crypt')
+    $salt =~ s/\+/X/g;
+
+    return crypt(encode("utf8", $pw), "\$5\$$salt\$");

 }
 
 my $defaultData = {
 }
 
 my $defaultData = {


@@ -198,9 +209,6 @@ sub parse_config {
 sub write_config {
     my ($class, $filename, $cfg) = @_;
 
 sub write_config {
     my ($class, $filename, $cfg) = @_;
 

-    delete $cfg->{ids}->{pve};
-    delete $cfg->{ids}->{pam};
-

     foreach my $realm (keys %{$cfg->{ids}}) {
        my $data = $cfg->{ids}->{$realm};
        if ($data->{comment}) {
     foreach my $realm (keys %{$cfg->{ids}}) {
        my $data = $cfg->{ids}->{$realm};
        if ($data->{comment}) {