diff --git a/modules/authcrypt/docs/authcrypt.md b/modules/authcrypt/docs/authcrypt.md
index 8319840f3e23281811d88eeaabca46d0c4ba8102..148b9ebed0088456755cb360bde29bc9a9a9b428 100644
--- a/modules/authcrypt/docs/authcrypt.md
+++ b/modules/authcrypt/docs/authcrypt.md
@@ -17,38 +17,38 @@ This is based on `exampleAuth:UserPass`, and adds support for hashed passwords.
Hashes can be generated with the included command line tool `bin/pwgen.sh`.
This tool will interactively ask for a password, a hashing algorithm , and whether or not you want to use a salt:
- [user@server simplesamlphp]$ bin/pwgen.php
- Enter password: hackme
- The following hashing algorithms are available:
- md2 md4 md5 sha1 sha224 sha256
- sha384 sha512 ripemd128 ripemd160 ripemd256 ripemd320
- whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4
- tiger192,4 snefru snefru256 gost adler32 crc32
- crc32b salsa10 salsa20 haval128,3 haval160,3 haval192,3
- haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4
- haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5
-
- Which one do you want? [sha256]
- Do you want to use a salt? (yes/no) [yes]
-
- {SSHA256}y1mj3xsZ4/+LoQyPNVJzXUFfBcLHfwcHx1xxltxeQ1C5MeyEX/RxWA==
+ [user@server simplesamlphp]$ bin/pwgen.php
+ Enter password: hackme
+ The following hashing algorithms are available:
+ md2 md4 md5 sha1 sha224 sha256
+ sha384 sha512 ripemd128 ripemd160 ripemd256 ripemd320
+ whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4
+ tiger192,4 snefru snefru256 gost adler32 crc32
+ crc32b salsa10 salsa20 haval128,3 haval160,3 haval192,3
+ haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4
+ haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5
+
+ Which one do you want? [sha256]
+ Do you want to use a salt? (yes/no) [yes]
+
+ {SSHA256}y1mj3xsZ4/+LoQyPNVJzXUFfBcLHfwcHx1xxltxeQ1C5MeyEX/RxWA==
Now create an authentication source in `config/authsources.php` and use the resulting string as the password:
- 'example-hashed' => array(
- 'authCrypt:Hash',
- 'student:{SSHA256}y1mj3xsZ4/+LoQyPNVJzXUFfBcLHfwcHx1xxltxeQ1C5MeyEX/RxWA==' => array(
- 'uid' => array('student'),
- 'eduPersonAffiliation' => array('member', 'student'),
- ),
- ),
+ 'example-hashed' => array(
+ 'authCrypt:Hash',
+ 'student:{SSHA256}y1mj3xsZ4/+LoQyPNVJzXUFfBcLHfwcHx1xxltxeQ1C5MeyEX/RxWA==' => array(
+ 'uid' => array('student'),
+ 'eduPersonAffiliation' => array('member', 'student'),
+ ),
+ ),
This example creates a user `student` with password `hackme`, and some attributes.
### Compatibility ###
The generated hashes can also be used in `config.php` for the administrative password:
- 'auth.adminpassword' => '{SSHA256}y1mj3xsZ4/+LoQyPNVJzXUFfBcLHfwcHx1xxltxeQ1C5MeyEX/RxWA==',
+ 'auth.adminpassword' => '{SSHA256}y1mj3xsZ4/+LoQyPNVJzXUFfBcLHfwcHx1xxltxeQ1C5MeyEX/RxWA==',
Instead of generating hashes, you can also use existing ones from OpenLDAP, provided that the `userPassword` attribute is stored as MD5, SMD5, SHA, or SSHA.
@@ -62,12 +62,12 @@ The simple structure of the `.htpasswd` file does not allow for per-user attribu
An example authentication source in `config/authsources.php` could look like this:
- 'htpasswd' => array(
- 'authcrypt:Htpasswd',
- 'htpasswd_file' => '/var/www/foo.edu/legacy_app/.htpasswd',
- 'static_attributes' => array(
- 'eduPersonAffiliation' => array('member', 'employee'),
- 'Organization' => array('University of Foo'),
- ),
- ),
+ 'htpasswd' => array(
+ 'authcrypt:Htpasswd',
+ 'htpasswd_file' => '/var/www/foo.edu/legacy_app/.htpasswd',
+ 'static_attributes' => array(
+ 'eduPersonAffiliation' => array('member', 'employee'),
+ 'Organization' => array('University of Foo'),
+ ),
+ ),
diff --git a/modules/authcrypt/lib/Auth/Source/Hash.php b/modules/authcrypt/lib/Auth/Source/Hash.php
index 98675c2185dcf081f13ea392accc3dc8045929c2..ef5b35b335d490ca96829f9e1365a18bf0aabe1e 100644
--- a/modules/authcrypt/lib/Auth/Source/Hash.php
+++ b/modules/authcrypt/lib/Auth/Source/Hash.php
@@ -1,5 +1,6 @@
<?php
+
/**
* Authentication source for username & hashed password.
*
@@ -9,87 +10,94 @@
* @author Dyonisius Visser, TERENA.
* @package SimpleSAMLphp
*/
-class sspmod_authcrypt_Auth_Source_Hash extends sspmod_core_Auth_UserPassBase {
-
+class sspmod_authcrypt_Auth_Source_Hash extends sspmod_core_Auth_UserPassBase
+{
- /**
- * Our users, stored in an associative array. The key of the array is "<username>:<passwordhash>",
- * while the value of each element is a new array with the attributes for each user.
- */
- private $users;
+ /**
+ * Our users, stored in an associative array. The key of the array is "<username>:<passwordhash>",
+ * while the value of each element is a new array with the attributes for each user.
+ */
+ private $users;
- /**
- * Constructor for this authentication source.
- *
- * @param array $info Information about this authentication source.
- * @param array $config Configuration.
- */
- public function __construct($info, $config) {
- assert('is_array($info)');
- assert('is_array($config)');
- // Call the parent constructor first, as required by the interface
- parent::__construct($info, $config);
+ /**
+ * Constructor for this authentication source.
+ *
+ * @param array $info Information about this authentication source.
+ * @param array $config Configuration.
+ *
+ * @throws Exception in case of a configuration error.
+ */
+ public function __construct($info, $config)
+ {
+ assert('is_array($info)');
+ assert('is_array($config)');
- $this->users = array();
+ // Call the parent constructor first, as required by the interface
+ parent::__construct($info, $config);
- // Validate and parse our configuration
- foreach ($config as $userpass => $attributes) {
- if (!is_string($userpass)) {
- throw new Exception('Invalid <username>:<passwordhash> for authentication source ' .
- $this->authId . ': ' . $userpass);
- }
+ $this->users = array();
- $userpass = explode(':', $userpass, 2);
- if (count($userpass) !== 2) {
- throw new Exception('Invalid <username>:<passwordhash> for authentication source ' .
- $this->authId . ': ' . $userpass[0]);
- }
- $username = $userpass[0];
- $passwordhash = $userpass[1];
+ // Validate and parse our configuration
+ foreach ($config as $userpass => $attributes) {
+ if (!is_string($userpass)) {
+ throw new Exception('Invalid <username>:<passwordhash> for authentication source '.
+ $this->authId.': '.$userpass);
+ }
- try {
- $attributes = SimpleSAML\Utils\Attributes::normalizeAttributesArray($attributes);
- } catch(Exception $e) {
- throw new Exception('Invalid attributes for user ' . $username .
- ' in authentication source ' . $this->authId . ': ' .
- $e->getMessage());
- }
+ $userpass = explode(':', $userpass, 2);
+ if (count($userpass) !== 2) {
+ throw new Exception('Invalid <username>:<passwordhash> for authentication source '.
+ $this->authId.': '.$userpass[0]);
+ }
+ $username = $userpass[0];
+ $passwordhash = $userpass[1];
- $this->users[$username . ':' . $passwordhash] = $attributes;
- }
- }
+ try {
+ $attributes = SimpleSAML\Utils\Attributes::normalizeAttributesArray($attributes);
+ } catch (Exception $e) {
+ throw new Exception('Invalid attributes for user '.$username.
+ ' in authentication source '.$this->authId.': '.
+ $e->getMessage());
+ }
+ $this->users[$username.':'.$passwordhash] = $attributes;
+ }
+ }
- /**
- * Attempt to log in using the given username and password.
- *
- * On a successful login, this function should return the users attributes. On failure,
- * it should throw an exception. If the error was caused by the user entering the wrong
- * username OR password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown.
- *
- * The username is UTF-8 encoded, and the hash is base64 encoded.
- *
- * @param string $username The username the user wrote.
- * @param string $password The password the user wrote.
- * @return array Associative array with the users attributes.
- */
- protected function login($username, $password) {
- assert('is_string($username)');
- assert('is_string($password)');
- foreach($this->users as $userpass=>$attrs) {
- $matches = explode(':', $userpass, 2);
- if ($matches[0] === $username) {
- if(SimpleSAML\Utils\Crypto::pwValid($matches[1], $password)) {
- return $this->users[$userpass];
- } else {
- SimpleSAML\Logger::debug('Incorrect password "' . $password . '" for user '. $username);
- }
- }
- }
- throw new SimpleSAML_Error_Error('WRONGUSERPASS');
- }
+ /**
+ * Attempt to log in using the given username and password.
+ *
+ * On a successful login, this function should return the users attributes. On failure,
+ * it should throw an exception. If the error was caused by the user entering the wrong
+ * username OR password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown.
+ *
+ * The username is UTF-8 encoded, and the hash is base64 encoded.
+ *
+ * @param string $username The username the user wrote.
+ * @param string $password The password the user wrote.
+ *
+ * @return array Associative array with the users attributes.
+ *
+ * @throws SimpleSAML_Error_Error if authentication fails.
+ */
+ protected function login($username, $password)
+ {
+ assert('is_string($username)');
+ assert('is_string($password)');
+ foreach ($this->users as $userpass => $attrs) {
+ $matches = explode(':', $userpass, 2);
+ if ($matches[0] === $username) {
+ if (SimpleSAML\Utils\Crypto::pwValid($matches[1], $password)) {
+ return $attrs;
+ } else {
+ SimpleSAML\Logger::debug('Incorrect password "'.$password.'" for user '.$username);
+ }
+ }
+ }
+ throw new SimpleSAML_Error_Error('WRONGUSERPASS');
+ }
}
diff --git a/modules/authcrypt/lib/Auth/Source/Htpasswd.php b/modules/authcrypt/lib/Auth/Source/Htpasswd.php
index 5731f4af191080c0dca1ca7bb3076c950cc5a053..5b9ffc3f38321548e1a2cd311ae170e73e0a3aa5 100644
--- a/modules/authcrypt/lib/Auth/Source/Htpasswd.php
+++ b/modules/authcrypt/lib/Auth/Source/Htpasswd.php
@@ -9,93 +9,113 @@
use WhiteHat101\Crypt\APR1_MD5;
-class sspmod_authcrypt_Auth_Source_Htpasswd extends sspmod_core_Auth_UserPassBase {
-
-
- /**
- * Our users, stored in an array, where each value is "<username>:<passwordhash>".
- */
- private $users;
-
- /**
- * Constructor for this authentication source.
- *
- * @param array $info Information about this authentication source.
- * @param array $config Configuration.
- */
- public function __construct($info, $config) {
- assert('is_array($info)');
- assert('is_array($config)');
-
- // Call the parent constructor first, as required by the interface
- parent::__construct($info, $config);
-
- $this->users = array();
-
- if(!$htpasswd = file_get_contents($config['htpasswd_file'])) {
- throw new Exception('Could not read ' . $config['htpasswd_file']);
- }
-
- $this->users = explode("\n", trim($htpasswd));
-
- try {
- $this->attributes = SimpleSAML\Utils\Attributes::normalizeAttributesArray($config['static_attributes']);
- } catch(Exception $e) {
- throw new Exception('Invalid static_attributes in authentication source ' .
- $this->authId . ': ' . $e->getMessage());
- }
- }
-
-
- /**
- * Attempt to log in using the given username and password.
- *
- * On a successful login, this function should return the username as 'uid' attribute,
- * and merged attributes from the configuration file.
- * On failure, it should throw an exception. A SimpleSAML_Error_Error('WRONGUSERPASS')
- * should be thrown in case of a wrong username OR a wrong password, to prevent the
- * enumeration of usernames.
- *
- * @param string $username The username the user wrote.
- * @param string $password The password the user wrote.
- * @return array Associative array with the users attributes.
- */
- protected function login($username, $password) {
- assert('is_string($username)');
- assert('is_string($password)');
-
- foreach($this->users as $userpass) {
- $matches = explode(':', $userpass, 2);
- if($matches[0] == $username) {
-
- $crypted = $matches[1];
-
- // This is about the only attribute we can add
- $attributes = array_merge(array('uid' => array($username)), $this->attributes);
-
- // Traditional crypt(3)
- if (SimpleSAML\Utils\Crypto::secureCompare($crypted, crypt($password, $crypted))) {
- SimpleSAML\Logger::debug('User '. $username . ' authenticated successfully');
- SimpleSAML\Logger::warning('CRYPT authentication is insecure. Please consider using something else.');
- return $attributes;
- }
-
- // Apache's custom MD5
- if(APR1_MD5::check($password, $crypted)) {
- SimpleSAML\Logger::debug('User '. $username . ' authenticated successfully');
- return $attributes;
- }
-
- // SHA1 or plain-text
- if(SimpleSAML\Utils\Crypto::pwValid($crypted, $password)) {
- SimpleSAML\Logger::debug('User '. $username . ' authenticated successfully');
- SimpleSAML\Logger::warning('SHA1 and PLAIN TEXT authentication are insecure. Please consider using something else.');
- return $attributes;
- }
- throw new SimpleSAML_Error_Error('WRONGUSERPASS');
- }
- }
- throw new SimpleSAML_Error_Error('WRONGUSERPASS');
- }
-
+class sspmod_authcrypt_Auth_Source_Htpasswd extends sspmod_core_Auth_UserPassBase
+{
+
+
+ /**
+ * Our users, stored in an array, where each value is "<username>:<passwordhash>".
+ *
+ * @var array
+ */
+ private $users;
+
+ /**
+ * An array containing static attributes for our users.
+ *
+ * @var array
+ */
+ private $attributes = array();
+
+
+ /**
+ * Constructor for this authentication source.
+ *
+ * @param array $info Information about this authentication source.
+ * @param array $config Configuration.
+ *
+ * @throws Exception if the htpasswd file is not readable or the static_attributes array is invalid.
+ */
+ public function __construct($info, $config)
+ {
+ assert('is_array($info)');
+ assert('is_array($config)');
+
+ // Call the parent constructor first, as required by the interface
+ parent::__construct($info, $config);
+
+ $this->users = array();
+
+ if (!$htpasswd = file_get_contents($config['htpasswd_file'])) {
+ throw new Exception('Could not read '.$config['htpasswd_file']);
+ }
+
+ $this->users = explode("\n", trim($htpasswd));
+
+ try {
+ $this->attributes = SimpleSAML\Utils\Attributes::normalizeAttributesArray($config['static_attributes']);
+ } catch (Exception $e) {
+ throw new Exception('Invalid static_attributes in authentication source '.
+ $this->authId.': '.$e->getMessage());
+ }
+ }
+
+
+ /**
+ * Attempt to log in using the given username and password.
+ *
+ * On a successful login, this function should return the username as 'uid' attribute,
+ * and merged attributes from the configuration file.
+ * On failure, it should throw an exception. A SimpleSAML_Error_Error('WRONGUSERPASS')
+ * should be thrown in case of a wrong username OR a wrong password, to prevent the
+ * enumeration of usernames.
+ *
+ * @param string $username The username the user wrote.
+ * @param string $password The password the user wrote.
+ *
+ * @return array Associative array with the users attributes.
+ *
+ * @throws SimpleSAML_Error_Error if authentication fails.
+ */
+ protected function login($username, $password)
+ {
+ assert('is_string($username)');
+ assert('is_string($password)');
+
+ foreach ($this->users as $userpass) {
+ $matches = explode(':', $userpass, 2);
+ if ($matches[0] == $username) {
+ $crypted = $matches[1];
+
+ // This is about the only attribute we can add
+ $attributes = array_merge(array('uid' => array($username)), $this->attributes);
+
+ // Traditional crypt(3)
+ if (SimpleSAML\Utils\Crypto::secureCompare($crypted, crypt($password, $crypted))) {
+ SimpleSAML\Logger::debug('User '.$username.' authenticated successfully');
+ SimpleSAML\Logger::warning(
+ 'CRYPT authentication is insecure. Please consider using something else.'
+ );
+ return $attributes;
+ }
+
+ // Apache's custom MD5
+ if (APR1_MD5::check($password, $crypted)) {
+ SimpleSAML\Logger::debug('User '.$username.' authenticated successfully');
+ return $attributes;
+ }
+
+ // SHA1 or plain-text
+ if (SimpleSAML\Utils\Crypto::pwValid($crypted, $password)) {
+ SimpleSAML\Logger::debug('User '.$username.' authenticated successfully');
+ SimpleSAML\Logger::warning(
+ 'SHA1 and PLAIN TEXT authentication are insecure. Please consider using something else.'
+ );
+ return $attributes;
+ }
+ throw new SimpleSAML_Error_Error('WRONGUSERPASS');
+ }
+ }
+ throw new SimpleSAML_Error_Error('WRONGUSERPASS');
+ }
}