Disable logging of plaintext passwords in debugging and cleanup of code
eyazi committed Aug 27, 2024
1 parent 149fa12 commit 97965d3
Showing 6 changed files with 44 additions and 18 deletions.
15 changes: 12 additions & 3 deletions Kernel/System/Auth/DB.pm
Expand Up @@ -178,7 +178,7 @@ sub Auth {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message =>
"User: '$User' tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!",
"User: $User tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!",
);
return;
}
Expand Down Expand Up @@ -244,11 +244,20 @@ sub Auth {
}

# just in case for debug!
if ( $Self->{Debug} > 0 && $Method ne 'plain' ) {
if ( $Self->{Debug} > 0 ) {
my $EnteredPw = $CryptedPw;
my $ExpectedPw = $GetPw;

# Don't log plaintext passwords.
if ( $Method eq 'plain' ) {
$EnteredPw = 'xxx';
$ExpectedPw = 'xxx';
}

$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message =>
"User: '$User' tried to authenticate with Pw: '$Pw' ($UserID/$Method/$CryptedPw/$GetPw/$Salt/$RemoteAddr)",
"User: $User tried to authenticate (User ID: $UserID, method: $Method, entered password: $EnteredPw, expected password: $ExpectedPw, salt: $Salt, remote address: $RemoteAddr)",
);
}

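Review bot: The rewritten 'notice' message in the -244,11 hunk still writes the stored credential hash (`$ExpectedPw`, copied from `$GetPw`), the hash computed from the submitted password and `$Salt` into the log; masking only the 'plain' method leaves offline-crackable material in log files, which are typically readable more widely than the user table, and some of the schemes this commit labels in CustomerAuth/DB.pm (sha1/sha256/sha512) digest the password without a salt. Consider dropping the password-derived fields entirely, `"User: $User tried to authenticate (User ID: $UserID, method: $Method, remote address: $RemoteAddr)"`, and if a mismatch indicator is needed for debugging, log only whether the two values were equal rather than the values. The same applies to the -259,14 hunk of CustomerAuth/DB.pm. sub Auth starts before the first hunk and continues after the second.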
5 changes: 2 additions & 3 deletions Kernel/System/Auth/LDAP.pm
Expand Up @@ -151,7 +151,7 @@ sub Auth {
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "User: ($Param{User}) added $Self->{UserSuffix} to username!",
Message => "User: $Param{User} added $Self->{UserSuffix} to username!",
);
}
}
Expand All @@ -160,8 +160,7 @@ sub Auth {
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "User: '$Param{User}' tried to authenticate with Pw: '$Param{Pw}' "
. "(REMOTE_ADDR: $RemoteAddr)",
Message => "User: $Param{User} tried to authenticate (REMOTE_ADDR: $RemoteAddr)",
);
}

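Review bot: Style: the rewritten 'tried to authenticate' message here keeps the `(REMOTE_ADDR: $RemoteAddr)` form while the same commit's Auth/DB.pm message spells it `remote address: $RemoteAddr`; since the commit's purpose is to tidy these log lines, one form should be used across the six files. The `(REMOTE_ADDR: ...)` wording also appears in Auth/Radius.pm, CustomerAuth/LDAP.pm and CustomerAuth/Radius.pm. sub Auth starts before the first hunk and continues after the second.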
2 changes: 1 addition & 1 deletion Kernel/System/Auth/Radius.pm
Expand Up @@ -85,7 +85,7 @@ sub Auth {
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "User: '$User' tried to authenticate with Pw: '$Pw' ($RemoteAddr)",
Message => "User: $User tried to authenticate (REMOTE_ADDR: $RemoteAddr)",
);
}

27 changes: 23 additions & 4 deletions Kernel/System/CustomerAuth/DB.pm
Expand Up @@ -109,6 +109,7 @@ sub Auth {
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
my $UserID = '';
my $GetPw = '';
my $Method;

# sql query
$Self->{DBObject}->Prepare(
Expand Down Expand Up @@ -143,6 +144,7 @@ sub Auth {

if ( $Self->{CryptType} eq 'plain' ) {
$CryptedPw = $Pw;
$Method = 'plain';
}

# md5 or sha pw
Expand All @@ -161,9 +163,11 @@ sub Auth {

if ( $Magic eq '$apr1$' ) {
$CryptedPw = apache_md5_crypt( $Pw, $Salt );
$Method = 'apache_md5_crypt';
}
else {
$CryptedPw = unix_md5_crypt( $Pw, $Salt );
$Method = 'unix_md5_crypt';
}
$EncodeObject->EncodeInput( \$CryptedPw );
}
Expand All @@ -176,6 +180,7 @@ sub Auth {
$SHAObject->add($Pw);
$CryptedPw = $SHAObject->hexdigest();
$EncodeObject->EncodeInput( \$CryptedPw );
$Method = 'sha256';
}

# sha512 pw
Expand All @@ -186,6 +191,7 @@ sub Auth {
$SHAObject->add($Pw);
$CryptedPw = $SHAObject->hexdigest();
$EncodeObject->EncodeInput( \$CryptedPw );
$Method = 'sha512';
}

elsif ( $GetPw =~ m{^BCRYPT:} ) {
Expand All @@ -196,7 +202,7 @@ sub Auth {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message =>
"User: '$User' tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!",
"CustomerUser: $User tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!",
);
return;
}
Expand All @@ -218,6 +224,7 @@ sub Auth {
);

$CryptedPw = "BCRYPT:$Cost:$Salt:" . Crypt::Eksblowfish::Bcrypt::en_base64($Octets);
$Method = 'bcrypt';
}

# sha1 pw
Expand All @@ -231,6 +238,7 @@ sub Auth {
$SHAObject->add($Pw);
$CryptedPw = $SHAObject->hexdigest();
$EncodeObject->EncodeInput( \$CryptedPw );
$Method = 'sha1';
}

# No-13-chars-long crypt pw (e.g. in Fedora28).
Expand All @@ -242,6 +250,7 @@ sub Auth {
# Encode output, needed by crypt() only non utf8 signs.
$CryptedPw = crypt( $Pw, $SaltUser );
$EncodeObject->EncodeInput( \$CryptedPw );
$Method = 'crypt';
}
}

Expand All @@ -259,14 +268,24 @@ sub Auth {
# encode output, needed by crypt() only non utf8 signs
$CryptedPw = crypt( $Pw, $Salt );
$EncodeObject->EncodeInput( \$CryptedPw );
$Method = 'crypt';
}

# just in case!
if ( $Self->{Debug} > 0 && $Self->{CryptType} ne 'plain' ) {
if ( $Self->{Debug} > 0 ) {
my $EnteredPw = $CryptedPw;
my $ExpectedPw = $GetPw;

# Don't log plaintext passwords.
if ( $Self->{CryptType} eq 'plain' ) {
$EnteredPw = 'xxx';
$ExpectedPw = 'xxx';
}

$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: '$User' tried to authenticate with Pw: '$Pw' "
. "($UserID/$CryptedPw/$GetPw/$Salt/$RemoteAddr)",
Message =>
"CustomerUser: $User tried to authenticate (User ID: $UserID, method: $Method, entered password: $EnteredPw, expected password: $ExpectedPw, salt: $Salt, remote address: $RemoteAddr)",
);
}

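Review bot: `my $Method;` in the -109,6 hunk is declared without a value while the neighbouring `$UserID` and `$GetPw` are initialised to ''; the visible hunks do not show whether every scheme branch assigns it, and if one path reaches the debug block with it unset, interpolating it into the message produces an 'uninitialized value' warning under `use warnings`. Initialise it to match its siblings: `my $Method = '';`. The mask test in the -259,14 hunk could also read `if ( $Method eq 'plain' )` now that `$Method` exists, mirroring Auth/DB.pm so the two files stay parallel. sub Auth starts before the first hunk and continues after the last.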
7 changes: 3 additions & 4 deletions Kernel/System/CustomerAuth/LDAP.pm
Expand Up @@ -152,7 +152,7 @@ sub Auth {
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: ($Param{User}) added $Self->{UserSuffix} to username!",
Message => "CustomerUser: $Param{User} added $Self->{UserSuffix} to username!",
);
}
}
Expand All @@ -161,8 +161,7 @@ sub Auth {
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: '$Param{User}' tried to authenticate with Pw: '$Param{Pw}' "
. "(REMOTE_ADDR: $RemoteAddr)",
Message => "CustomerUser: $Param{User} tried to authenticate (REMOTE_ADDR: $RemoteAddr)",
);
}

Expand Down Expand Up @@ -248,7 +247,7 @@ sub Auth {
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => 'check for groupdn!',
Message => 'Checking for GroupDN.',
);
}

6 changes: 3 additions & 3 deletions Kernel/System/CustomerAuth/Radius.pm
Expand Up @@ -88,7 +88,7 @@ sub Auth {
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "User: '$User' tried to authenticate with Pw: '$Pw' ($RemoteAddr)",
Message => "CustomerUser: $Param{User} tried to authenticate (REMOTE_ADDR: $RemoteAddr)",
);
}

Expand Down Expand Up @@ -133,7 +133,7 @@ sub Auth {
if ( defined($AuthResult) && $AuthResult == 1 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "User: $User Authentication ok (REMOTE_ADDR: $RemoteAddr).",
Message => "CustomerUser: $User Authentication ok (REMOTE_ADDR: $RemoteAddr).",
);
return $User;
}
Expand All @@ -142,7 +142,7 @@ sub Auth {
else {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "User: $User Authentication with wrong Pw!!! (REMOTE_ADDR: $RemoteAddr)"
Message => "CustomerUser: $User Authentication with wrong Pw!!! (REMOTE_ADDR: $RemoteAddr)"
);
return;
}
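Review bot: The rewritten 'tried to authenticate' message in the -88,7 hunk interpolates `$Param{User}`, whereas the line it replaces and the two other messages touched in this file (the 'Authentication ok' and 'wrong Pw' notices) use `$User`; unless the two values are meant to differ, use the same variable here: `Message => "CustomerUser: $User tried to authenticate (REMOTE_ADDR: $RemoteAddr)",`. sub Auth starts before the first hunk and continues after the last.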
