authorSimon Beck <simon.beck@earthnet.ch>2022-02-08 17:59:59 +0100
committerSimon Beck <simon.beck@earthnet.ch>2022-02-10 20:51:01 +0100
commitf05e41c9aad83f3d45aff620a739a116c32b4c47 (patch)
tree13c8de24260478e90419292ffd6c3035d1f95ee6 /main.go
parentdbd900371466edfdc7bb7f09080c6698e4f8e647 (diff)
Improve password hash handling
This adds support for more hash algorithms. Also a stored password will be updated to SSHA512 upon a successful bind. It will also automatically hash a cleartext password if the `userpassword` field is modified with a cleartext one. Hashes supported: * SSHA * SSHA256 * SSHA512
Diffstat (limited to 'main.go')
-rw-r--r--main.go39
1 files changed, 33 insertions, 6 deletions
diff --git a/main.go b/main.go
index 4e5abce..2b37803 100644
--- a/main.go
+++ b/main.go
@@ -12,8 +12,8 @@ import (
"os/signal"
"syscall"
- ldap "bottin/ldapserver"
message "bottin/goldap"
+ ldap "bottin/ldapserver"
consul "github.com/hashicorp/consul/api"
log "github.com/sirupsen/logrus"
@@ -320,7 +320,6 @@ func (server *Server) init() error {
return err
}
-
admin_pass_str, environnement_variable_exist := os.LookupEnv("BOTTIN_DEFAULT_ADMIN_PW")
if !environnement_variable_exist {
admin_pass := make([]byte, 8)
@@ -329,11 +328,15 @@ func (server *Server) init() error {
return err
}
admin_pass_str = base64.RawURLEncoding.EncodeToString(admin_pass)
- } else {
+ } else {
server.logger.Debug("BOTTIN_DEFAULT_ADMIN_PW environment variable is set, using it for admin's password")
}
- admin_pass_hash := SSHAEncode([]byte(admin_pass_str))
+ admin_pass_hash, err := SSHAEncode(admin_pass_str)
+ if err != nil {
+ server.logger.Error("can't create admin password")
+ panic(err)
+ }
admin_dn := "cn=admin," + server.config.Suffix
admin_attributes := Entry{
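Review bot: The new error path after `admin_pass_hash, err := SSHAEncode(admin_pass_str)` logs and then panics, although `init` returns an `error` and the hunk's own `return err` a few lines earlier shows that convention, so a hashing failure takes the process down instead of being reported to the caller. Replace the log-and-panic pair with `return fmt.Errorf("hashing admin password: %w", err)` so the error is handled at exactly one layer (`fmt` is already used elsewhere in this file). `init` starts before this hunk and continues past it.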
@@ -434,8 +437,8 @@ func (server *Server) handleBindInternal(state *State, r *message.BindRequest) (
}
for _, hash := range passwd {
- valid := SSHAMatches(hash, []byte(r.AuthenticationSimple()))
- if valid {
+ valid, err := SSHAMatches(hash, string(r.AuthenticationSimple()))
+ if valid && err == nil {
groups, err := server.getAttribute(string(r.Name()), ATTR_MEMBEROF)
if err != nil {
return ldap.LDAPResultOperationsError, err
@@ -444,8 +447,32 @@ func (server *Server) handleBindInternal(state *State, r *message.BindRequest) (
user: string(r.Name()),
groups: groups,
}
+
+ updatePasswordHash(string(r.AuthenticationSimple()), hash, server, string(r.Name()))
+
return ldap.LDAPResultSuccess, nil
+ } else {
+ return ldap.LDAPResultInvalidCredentials, fmt.Errorf("can't authenticate: %w", err)
}
}
return ldap.LDAPResultInvalidCredentials, fmt.Errorf("No password match")
}
+
+// Update the hash if it's not already SSHA512
+func updatePasswordHash(password string, currentHash string, server *Server, dn string) {
+ hashType, err := determineHashType(currentHash)
+ if err != nil {
+ server.logger.Errorf("can't determine hash type of password")
+ return
+ }
+ if hashType != SSHA512 {
+ reencodedPassword, err := SSHAEncode(password)
+ if err != nil {
+ server.logger.Errorf("can't encode password")
+ return
+ }
+ server.putAttributes(dn, Entry{
+ ATTR_USERPASSWORD: []string{reencodedPassword},
+ })
+ }
+}
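Review bot: The `else` branch added after the success path returns on the first stored value that does not match, so a multi-valued `userPassword` is now checked only up to its first entry where the old loop moved on to the next hash, and when `valid` is false with a nil `err` the message `fmt.Errorf("can't authenticate: %w", err)` renders as a malformed `%!w(<nil>)`. Drop the `else` and instead log a non-nil `err` before the loop continues, e.g. `if err != nil { server.logger.Warnf("can't check password hash for %s: %v", r.Name(), err) }`, leaving the final "No password match" return to report the failure; the `if valid && err == nil` condition in the previous hunk can stay. In `updatePasswordHash` the result of `server.putAttributes` is discarded, so a failed rehash is silent — if it returns an error, log it with the dn. Writing `[]string{reencodedPassword}` presumably replaces every stored `userPassword` value with the single rehashed one, which deserves a comment on the function such as `// Replaces all userPassword values of dn with one SSHA512 hash of the bound password` or a guard when `passwd` holds more than one value. `handleBindInternal` starts before this hunk.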