ltb-project / self-service-password
Web interface to change and reset password in an LDAP directory

Home Page: https://self-service-password.readthedocs.io/en/latest/

License: GNU General Public License v3.0

Perl 0.15% PHP 89.20% Makefile 0.08% Shell 0.51% CSS 0.19% JavaScript 2.59% Smarty 6.87% Dockerfile 0.41%
ldap password self-service self-service-password

self-service-password's Issues

LDAP Password Policy - Password History

Dear Team,

I'm having an issue with SSP. I have deployed SSP on a corporate directory with a lot of people and we loved it until we discovered that our users can change their password to basically anything. We have a password history setting which does not seem to be taken into account.

I did some research and it looks like there is an interesting parameter in the configuration file:

$who_change_password = "manager";

that can be changed into "user".

Indeed, if the manager (Administrator) is changing the password, this is actually not a "change" but a "set" performed by the LDAP admin, so no history is taken into account (even if complexity is still applied).

So I decided to change the parameter to "user", which should then become a "change" and no longer a "set".

I did it on our test platform but unfortunately the screen remains blank and nothing appears on it (except the top banner).

Questions:

  • Is there a way to make SSP a little more "chatty" and get some debug logs?
  • Is setting the user in the configuration the right way to address my issue?

Thanks for this very nice product!

Fred.

Apache configuration in RPM package

Suggested by Ludwin Janvier:

The Apache configuration did not work out of the box either. Your DocumentRoot is in /usr and the default CentOS 7 Apache configuration does not permit a DocumentRoot outside /var/www.
I'd suggest you add this "Directory" directive:

<Directory "/usr/share/self-service-password">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

These lines are valid for Apache 2.4 and above (CentOS/Red Hat 7) and may not work with Apache 2.2 (version 6). If you want the same file, maybe you could just create a symlink.

(You could drop the NameVirtualHost line because it has no effect on Apache >= 2.4 and "will be removed in the next release".)

SHA512 in password encryption

Hi,
In our LDAP we want to use SHA512 for security reasons.
I thus modified the source code to add it.
In lib/functions.inc.php:

# Create SHA512 password
function make_sha512_password($password) {
    $hash = "{SHA512}" . base64_encode(pack("H*", hash('sha512', $password)));
    return $hash;
}
.
.

if ( $hash == "SHA512" ) {
    $password = make_sha512_password($password);
}

I would suggest you implement such a mechanism in future versions.
F.

Reset by mail token lifetime issue

Hello,

We would like to change the reset-by-mail token lifetime from 2 h (the default) to 24 h.

We modified, in the file config.inc.php,

# Token lifetime in seconds
$token_lifetime = "7200";

to

# Token lifetime in seconds
$token_lifetime = "86400";

But this does not work; it seems to stay at 2 h.

Do you have an idea of the problem?

Regards
Frederic Goubelle

Remove dependency on php5 in Debian package

It is not possible to install the package on a recent Debian server:

# dpkg -i self-service-password_0.9-1_all.deb 
Selecting previously unselected package self-service-password.
(Reading database ... 90814 files and directories currently installed.)
Preparing to unpack self-service-password_0.9-1_all.deb ...
Unpacking self-service-password (0.9-1) ...
dpkg: dependency problems prevent configuration of self-service-password:
 self-service-password depends on php5; however:
  Package php5 is not installed.
 self-service-password depends on php5-ldap; however:
  Package php5-ldap is not installed.

dpkg: error processing package self-service-password (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 self-service-password

Case-insensitive lookup of e-mail address (when used with LDAP/Windows AD)

E-mail addresses are verified case-sensitively; because e-mail is never case sensitive, this information should be checked without regard to its case.

A solution could be in sendtoken.php line 116:

Old:

    # Match with user submitted values
    foreach ($mailValues as $mailValue) {
        if ("$mail" === "$mailValue") {
            $match = 1;
        }
    }

New:

    # Match with user submitted values
    foreach ($mailValues as $mailValue) {
        if (strcasecmp($mail, $mailValue) == 0) {
            $match = 1;
        }
    }

Weak entropy for password generation

Currently, some passwords are generated with mt_rand, which is a bad idea. This method is also used to generate SMS tokens, making them predictable.

As explained in the php documentation:

This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using random_int(), random_bytes(), or openssl_random_pseudo_bytes() instead.

Can I use it to change my 2012 Active Directory user password?

Hi,
I'm trying to use this to change my AD user password,
but keep bumping into
(i) Cannot access LDAP directory
Can someone point out where my mistake is?

Thanks a bunch

here is my config.inc.php

#==============================================================================
# Configuration
#==============================================================================
# LDAP
$ldap_url = "ldap://10.20.2.1:389";
$ldap_starttls = false;
$ldap_binddn = "cn=manager,dc=example,dc=com";
$ldap_bindpw = "secret";
$ldap_base = "dc=mydomain,dc=com";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
# Force account unlock when password is changed
$ad_options['force_unlock'] = false;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = false;

Password History for SSHA

Hello all,
It is not an issue but a feature which I miss in the project.
In fact, I would like to check whether the user uses a password in the history defined by pwdHistory on the LDAP server (about the last 6 passwords, for example).
I implemented this patch with SSHA only for my needs. Perhaps, if you think the feature is useful for other people, you could do a global patch for other encryptions.

Based on Self Service Password 1.0.
pwdHistory.txt
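The two hashing requests above (the {SHA512} scheme and the pwdHistory reuse check) share the same building block: producing an LDAP password hash and verifying a candidate against it. The following is an added example, not code from the self-service-password project or from either reporter. It uses a salted {SSHA512} form (salt appended to the digest, as {SSHA} does) rather than the unsalted {SHA512} of the report, and assumes the OpenLDAP ppolicy layout for pwdHistory values, "time#syntaxOID#length#data"; all function names and the sample history entries are constructed for the example.

```php
<?php
// Added example (not SSP project code): salted SHA-512 for LDAP userPassword,
// plus a reuse check against OpenLDAP ppolicy pwdHistory values.
// Assumptions: "time#syntaxOID#length#data" pwdHistory layout and an 8-byte
// salt appended to the digest, as {SSHA} does. Function names are mine.

declare(strict_types=1);

// Build "{SSHA512}base64(sha512(password . salt) . salt)". A random salt makes
// identical passwords hash differently, unlike the unsalted {SHA512} scheme.
function make_ssha512_password(string $password, ?string $salt = null): string
{
    $salt = $salt ?? random_bytes(8);           // CSPRNG, never mt_rand()
    $digest = hash('sha512', $password . $salt, true);
    return '{SSHA512}' . base64_encode($digest . $salt);
}

// Verify a candidate password against a stored {SSHA512} or {SHA512} value.
// Unknown schemes return false; the comparison is constant-time via hash_equals().
function ldap_password_matches(string $stored, string $password): bool
{
    if (!preg_match('/^\{([A-Z0-9]+)\}(.+)$/', $stored, $m)) {
        return false;
    }
    $blob = base64_decode($m[2], true);
    if ($blob === false) {
        return false;
    }
    switch ($m[1]) {
        case 'SSHA512':
            if (strlen($blob) <= 64) {
                return false;                   // 64-byte digest + salt expected
            }
            $salt = substr($blob, 64);
            return hash_equals($blob, hash('sha512', $password . $salt, true) . $salt);
        case 'SHA512':
            return hash_equals($blob, hash('sha512', $password, true));
        default:
            return false;
    }
}

// pwdHistory values look like "20240101120000Z#1.3.6.1.4.1.1466.115.121.1.40#105#{SSHA512}...".
// Return true when the new password equals any of the last $depth entries.
function password_in_history(array $pwdHistory, string $newPassword, int $depth = 6): bool
{
    sort($pwdHistory, SORT_STRING);              // leading timestamp: oldest first
    foreach (array_slice($pwdHistory, -$depth) as $entry) {
        $parts = explode('#', $entry, 4);
        if (count($parts) !== 4) {
            continue;                             // malformed entry, skip it
        }
        if (ldap_password_matches($parts[3], $newPassword)) {
            return true;
        }
    }
    return false;
}

// Helper to build one constructed pwdHistory value in the ppolicy layout.
function history_entry(string $time, string $hash): string
{
    return sprintf('%s#1.3.6.1.4.1.1466.115.121.1.40#%d#%s', $time, strlen($hash), $hash);
}

// Constructed sample data: two previous passwords of a user.
$history = [
    history_entry('20231201090000Z', make_ssha512_password('Winter2023!')),
    history_entry('20240301090000Z', make_ssha512_password('Spring2024!')),
];
// A change to a reused password must be rejected; a fresh one is allowed.
var_dump(password_in_history($history, 'Winter2023!'));
var_dump(password_in_history($history, 'Summer2024!'));
```

Reading pwdHistory requires the bind identity to have read access to that operational attribute, which is exactly the situation the first issue describes: when the manager account performs a "set", the server does not enforce history itself, so the application has to check it before writing.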

request: disable password change?

In 2012 (reference), a user by the name of Henning suggested a patch that would allow the admin to require sending a reset link via email in order to actually change the password. I believe the premise was to protect against brute-force attacks and uncertainty about getting "fail2ban" working.

Did that patch ever materialize? Is there a chance the feature can be instituted?

I admit it defeats some of the immediate usability (and perhaps intent) of the application. I'm willing to disable that functionality to provide a little peace-of-mind.

NL language file addition (typos and duplicates removed)

hier uw wachtwoord resetten.";
$messages['answerrequired'] = "Geen antwoord gegeven";
$messages['questionrequired'] = "Geen vraag geselecteerd";
$messages['passwordrequired'] = "Het wachtwoord is verplicht";
$messages['answermoderror'] = "Uw antwoord is niet opgeslagen";
$messages['answerchanged'] = "Uw antwoord is opgeslagen";
$messages['answernomatch'] = "Uw antwoord is onjuist";
$messages['resetbyquestionshelp'] = "Kies een vraag en beantwoord deze om het wachtwoord opnieuw in te stellen. Hiervoor moet u al een antwoord hebben geregistreerd.";
$messages['changehelp'] = "Voer uw huidige wachtwoord en een nieuw wachtwoord in en klik op versturen om uw wachtwoord te wijzigen";
$messages['changehelpreset'] = "Wachtwoord vergeten?";
$messages['changehelpquestions'] = "Reset uw wachtwoord door een vraag te beantwoorden";
$messages['changehelptoken'] = "Reset uw wachtwoord per email";
$messages['changehelpsms'] = "Reset uw wachtwoord door middel van een SMS bericht";
$messages['resetmessage'] = "Hallo {login},\n\nKlik hier om uw wachtwoord te resetten:\n{url}\n\nAls u geen wachtwoord reset heeft aangevraagd is het verstandig om de helpdesk op de hoogte te stellen. U kunt deze e-mail daarna verwijderen.";
$messages['resetsubject'] = "Reset uw wachtwoord";
$messages['sendtokenhelp'] = "Voer uw gebruiksnaam en emailadres in om uw wachtwoord te resetten. Klik daarna op Versturen.";
$messages['mail'] = "Privé e-mail";
$messages['mailrequired'] = "Emailadres is verplicht";
$messages['mailnomatch'] = "Het email adres komt niet overeen met de gebruikersnaam";
$messages['tokensent'] = "De bevestigingsmail is verstuurd";
$messages['tokennotsent'] = "Fout bij het versturen van de email";
$messages['tokenrequired'] = "Token is verplicht";
$messages['tokennotvalid'] = "Token is ongeldig";
$messages['resetbytokenhelp'] = "Het token dat per email verstuurd is, stelt u in staat uw wachtwoord te wijzigen. Om een nieuw token te verkrijgen kunt u hier klikken.";
$messages['resetbysmshelp'] = "Het token dat per sms verstuurd is, stelt u in staat uw wachtwoord te wijzigen. om een nieuw token te verkrijgen kunt u, hier klikken.";
$messages['changemessage'] = "Hallo {login},\n\nuw wachtwoord is aangepast.\n\nindien dit niet uw verzoek was, neem dan onmiddelijk contact op met de helpdesk.";
$messages['changesubject'] = "Uw wachtwoord is aangepast";
$messages['badcaptcha'] = "De reCAPTCHA was niet correct ingevuld. Probeer het opnieuw.";
$messages['notcomplex'] = "Uw wachtwoord bestaat niet uit genoeg verschillende tekens";
$messages['policycomplex'] = "Minimum aantal verschillende type tekens benodigd:";
$messages['nophpmcrypt'] = "PHP mcrypt moet geinstalleerd zijn om de cryptografische functies te kunnen gebruiken";
$messages['sms'] = "Mobiele telefoon";
$messages['smsresetmessage'] = "Uw wachtwoord reset token is:";
$messages['sendsmshelp'] = "Voer uw login informatie in om uw wachtwoord reset token te ontvangen. Voer vervolgens het token in wat toegestuurd is via SMS.";
$messages['smssent'] = "Een bevestigingscode is verzonden via SMS";
$messages['smsnotsent'] = "Fout tijdens het versturen van een SMS";
$messages['smsnonumber'] = "Mobiele nummer niet gevonden";
$messages['userfullname'] = "Volledige naam van gebruiker";
$messages['username'] = "Gebruikersnaam";
$messages['smscrypttokensrequired'] = "Het is onmogelijk om de SMS functie te gebruiken zonder de 'crypt_tokens' instellingen";
$messages['smsuserfound'] = "Controleer of de informatie correct is and druk op 'Verzenden' om een SMS token te versturen";
$messages['smstoken'] = "SMS token";
$messages['smsresetmessage'] = "Uw wachtwoord reset token is:";
$messages['changehelpsms'] = "Reset uw wachtwoord door middel van een SMS";
$messages['nophpmbstring'] = "'PHP mbstring' moet geinstalleerd zijn";
$messages['getuser'] = "Haal gebruiker op";
?>

Enforce HTTPS link in mail

Hi

I have the self-service-password tool as a docker image which is automatically proxied through a Let's Encrypt HTTPS proxy docker, which means that the tool itself is reached via an HTTP URL. Still, the users access it via HTTPS. The URL that is generated in the mail for a password reset is still using HTTP (because the tool itself sees only the HTTP access). Would it be possible to add a config option to enforce HTTPS URLs, or even provide the "base URL"?

Thanks for this great tool!

KoS
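The request above has a security angle beyond the scheme: a reset link built from request headers can be pointed at a different host by anyone who can set those headers, and the link then carries the user's token there. The following added example (not self-service-password code) shows one way to build the link: an explicit configured base URL takes precedence, and X-Forwarded-Proto is honoured only when the request arrives from a listed reverse proxy. The config keys $reset_url_base and $trusted_proxies, the function name and the query-string layout are assumptions for the example, not real SSP settings.

```php
<?php
// Added example (not SSP project code): build the reset link from an explicit
// base URL, falling back to X-Forwarded-Proto only for trusted proxies.
// 'reset_url_base', 'trusted_proxies' and the action/token query parameters
// are assumed names for this example.

declare(strict_types=1);

function reset_link(array $config, array $server, string $token): string
{
    if (!empty($config['reset_url_base'])) {
        // 1. The operator states the public base URL: the app behind a
        //    TLS-terminating proxy cannot see which scheme the user used.
        $base = rtrim($config['reset_url_base'], '/');
    } else {
        // 2. Derive scheme and host from the request. SERVER_NAME comes from
        //    the web server configuration, not from the client's Host header.
        $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
        $host = $server['SERVER_NAME'];

        // X-Forwarded-Proto is client-controlled unless a proxy we trust set
        // it, so only accept it from addresses in the trusted_proxies list.
        $fromTrustedProxy = in_array($server['REMOTE_ADDR'] ?? '', $config['trusted_proxies'] ?? [], true);
        if ($fromTrustedProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
            $scheme = strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https' ? 'https' : 'http';
        }

        $base = rtrim($scheme . '://' . $host . dirname($server['SCRIPT_NAME']), '/');
    }
    return $base . '/index.php?action=resetbytoken&token=' . rawurlencode($token);
}

// Constructed request as the container would see it: plain HTTP from the proxy.
$server = [
    'HTTPS'                  => '',
    'SERVER_NAME'            => 'ssp-internal',
    'SCRIPT_NAME'            => '/index.php',
    'REMOTE_ADDR'            => '10.0.0.2',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];

// With an explicit base URL the request headers are ignored entirely.
echo reset_link(['reset_url_base' => 'https://ssp.example.com/ssp'], $server, 'tok'), "\n";
// Without one, the https scheme is taken over only because 10.0.0.2 is trusted.
echo reset_link(['trusted_proxies' => ['10.0.0.2']], $server, 'tok'), "\n";
// From an untrusted address the forwarded header is ignored and http remains.
echo reset_link(['trusted_proxies' => []], $server, 'tok'), "\n";
```

The explicit base URL is the simplest and safest option for the setup described, since it removes every request-derived input from the link.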

request: TOTP (2FA)

I had initially suggested this in http://tools.ltb-project.org/issues/818. For reference:

Provide 2FA (TFA) as an option for verification of the user. There are some 2FA PHP modules (https://github.com/RobThree/TwoFactorAuth, https://github.com/PHPGangsta/GoogleAuthenticator) that provide sufficient access to implement it.

(It appears that the second link hasn't been touched in a couple of years, perhaps RobThree's would be preferred?)

I recognize it is not necessarily a top priority for all (or perhaps many, even), so I was considering how hard it would be to implement. Some questions I had:

  • How to store the shared secret?
    • Can it be stored within an unmodified LDAP structure? Requiring a change to the schema will many (if not most).
    • Ditto for Active Directory? (I believe AD is for the most part LDAP-compatible, but this question begs MS's AD or Samba4's AD.)
    • If neither of the above, I'm not fond of having yet another storage mechanism, whether it be on a SQL server somewhere or in a local-only SQLite database.
  • If it can be stored within LDAP, is it a mechanism that other applications might be able to use? For instance, apps like owncloud, nextcloud, and gitlab have various levels of 2FA support, but I believe they are storing it internally/proprietarily. I think it would be good to be able to use the same shared-secret across multiple clients. (Then, of course, I'd need to convince those apps to get the shared-secret and use it ...)
  • Again, if it can be stored within the LDAP structure, is it "safe enough" to store it there? Are there security considerations I'm not considering?

The current method of using SMS as a reset mechanism is useful but this sort of 2FA is no longer recommended. I'm inferring that this should also apply to email-based OOB reset links, for similar reasons.

Thoughts?
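Independently of where the shared secret ends up (the storage question the post raises), the verification side of TOTP is small and depends only on the PHP standard library. The following is an added example, not self-service-password code nor either of the linked libraries: an RFC 4226 HOTP and RFC 6238 TOTP check with a drift window and constant-time comparison, exercised against the RFC's published test vector. The base32 decoder and function names are my own.

```php
<?php
// Added example (not SSP project code): RFC 6238 TOTP verification using only
// the PHP standard library. base32_decode() and the other names are mine.

declare(strict_types=1);

// Decode the base32 form in which authenticator apps receive the secret.
function base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
// dynamic truncation to $digits decimal digits.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $mac = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($mac[19]) & 0x0f;
    $code = ((ord($mac[$offset]) & 0x7f) << 24)
          | (ord($mac[$offset + 1]) << 16)
          | (ord($mac[$offset + 2]) << 8)
          |  ord($mac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): HOTP with counter = floor(now / step). $window accepts
// +/- that many steps of clock drift; hash_equals() keeps the compare
// constant-time so a wrong digit cannot be detected by timing.
function totp_verify(string $secret, string $code, int $now, int $window = 1, int $step = 30): bool
{
    $counter = intdiv($now, $step);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(hotp($secret, $counter + $i), $code)) {
            return true;
        }
    }
    return false;
}

// RFC 6238 test vector: secret "12345678901234567890" (base32 below), at
// T = 59 seconds the SHA-1 code is 94287082, i.e. 287082 with 6 digits.
$secret = base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
var_dump(hotp($secret, 1) === '287082');
var_dump(totp_verify($secret, '287082', 59));
var_dump(totp_verify($secret, '000000', 59));
```

Two things a deployment has to add around this: remember the last accepted counter per user and refuse codes at or below it, so a code observed in transit cannot be replayed inside the window, and rate-limit attempts, since a 6-digit code has only a million values.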

Reset password layout

On the reset password screen (via email), there is a way to modify the user name before entering the new password. This gives the user the impression that he can change the password for anyone.

Which is actually not true; the code logic is fine. This is only a matter of layout: the username field must remain read-only and changing this input field must be forbidden.

Thanks ;)

SMS token always valid

When using reset by SMS feature, the token sent by SMS is used to create a PHP session. This PHP session is automatically deleted, but the SMS token can be reused to create a new PHP session. This token should be valid only the duration configured in $token_lifetime.
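Three of the issues above describe the same token lifecycle: the token lifetime setting that did not take effect, the mt_rand-generated tokens and passwords, and the SMS token that stays usable after its session is gone. The block below is an added example, not self-service-password code, showing the three properties together: tokens drawn from random_int()/random_bytes() as the PHP manual quoted above recommends, an expiry bound to a lifetime in seconds with the same meaning as $token_lifetime, and single use. The in-memory array stands in for whatever SSP keeps in the PHP session; the function names and the walk-through values are constructed for this example.

```php
<?php
// Added example (not SSP project code): one-time reset tokens with a CSPRNG
// source, a lifetime in seconds (same meaning as $token_lifetime) and single
// use. The $store array is a stand-in for the real session storage.

declare(strict_types=1);

const TOKEN_LIFETIME = 86400;   // seconds

// Short numeric SMS code: every digit comes from the CSPRNG, not mt_rand().
function generate_sms_token(int $digits = 6): string
{
    $code = '';
    for ($i = 0; $i < $digits; $i++) {
        $code .= (string) random_int(0, 9);
    }
    return $code;
}

// Long URL-safe token for the e-mail reset link: 32 random bytes, base64url.
function generate_mail_token(): string
{
    return rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
}

// Random password for the "generate password" feature, uniform over $charset.
function generate_password(int $length = 16, string $charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'): string
{
    $out = '';
    $max = strlen($charset) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= $charset[random_int(0, $max)];
    }
    return $out;
}

// Record a token for a login. Only a hash of the token is stored, so a leaked
// store does not hand out usable tokens.
function issue_token(array &$store, string $login, string $token, int $now): void
{
    $store[hash('sha256', $token)] = ['login' => $login, 'issued' => $now, 'used' => false];
}

// Return the login a token belongs to, or null if the token is unknown, older
// than $lifetime seconds or already consumed. A valid token is marked used
// immediately so it cannot open a second session.
function consume_token(array &$store, string $token, int $now, int $lifetime = TOKEN_LIFETIME): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $entry = $store[$key];
    if ($entry['used'] || ($now - $entry['issued']) > $lifetime) {
        unset($store[$key]);                   // expired or replayed: drop it
        return null;
    }
    $store[$key]['used'] = true;
    return $entry['login'];
}

// Constructed walk-through with fixed clock values.
$store = [];
$sms = generate_sms_token();
issue_token($store, 'fred', $sms, 1000);
var_dump(consume_token($store, $sms, 1060));                         // first use inside the lifetime
var_dump(consume_token($store, $sms, 1120));                         // same token again: rejected
$mail = generate_mail_token();
issue_token($store, 'alice', $mail, 1000);
var_dump(consume_token($store, $mail, 1000 + TOKEN_LIFETIME + 1));   // past the lifetime: rejected
var_dump(strlen(generate_password(20)) === 20);
```

Because a 6-digit SMS code has only a million values, the short lifetime and single use are what make it safe; an attempt limit per token is the third piece a deployment should add.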

Add a menu

This can be an option. The menu will display links to each enabled action.

Dependency check for function ldap_modify_batch()

Hi,

After setting up SSP and attempting to change a password, I got a page with the menu, icon, and no messages. The error_log file had the following messages:

[Thu Jan 05 14:38:06.521936 2017] [:error] [pid 8695] [client (me):1257] PHP Notice: Use of undefined constant LDAP_MODIFY_BATCH_REMOVE - assumed 'LDAP_MODIFY_BATCH_REMOVE' in /usr/share/self-service-password/lib/functions.inc.php on line 333, referer: http://ssp.companyname.com/index.php
[Thu Jan 05 14:38:06.522011 2017] [:error] [pid 8695] [client (me):1257] PHP Notice: Use of undefined constant LDAP_MODIFY_BATCH_ADD - assumed 'LDAP_MODIFY_BATCH_ADD' in /usr/share/self-service-password/lib/functions.inc.php on line 338, referer: http://ssp.companyname.com/index.php
[Thu Jan 05 14:38:06.522031 2017] [:error] [pid 8695] [client (me):1257] PHP Fatal error: Call to undefined function ldap_modify_batch() in /usr/share/self-service-password/lib/functions.inc.php on line 343, referer: http://ssp.companyname.com/index.php

CentOS 7's latest version of PHP is 5.4.16. ldap_modify_batch() was introduced in PHP 5.4.26 (in the 5.4 branch). After upgrading my PHP version, it ran successfully.

The dependency checker should look for this function as it's a critical dependency. And hopefully it'll help others who use the PHP version that comes standard in CentOS 7.

Thanks!

request: facilitate by-email when SMTP auth is required

The default PHP mail() is fine when authentication is not required, but this does not work in situations where the client must authenticate before sending. I know there are less-standard methods in PHP to allow authenticating-SMTP, how difficult is it to incorporate one of those methods into your package?

Thanks!

Call to undefined function utf8_decode()

Hi,
On Ubuntu Server 16.04 with PHP 7 I get this error while changing the password (the error is in the logs, nothing is shown on the UI):

PHP Fatal error: Uncaught Error: Call to undefined function utf8_decode() in [...]/lib/functions.inc.php:178\nStack trace:\n#0 [...]/pages/change.php(176): check_password_strength('...', '...', Array)\n#1 [...]/index.php(173): include('[...]')\n#2 {main}\n thrown in [...]/lib/functions.inc.php on line 178, referer: [...]/index.php

I solved it by installing php-xml.
Maybe add a check for function_exists('utf8_decode')?

According to Stack Overflow, an alternative should also be using mb_convert_encoding from mbstring, but I haven't tried that.

Allow sending SMS through web-based API instead of Email2SMS Gateway

Rather than sending SMS via email it would be great to have the functionality to execute an external script and pass the mobile number and token as arguments. Most SMS providers do not support SMS via email either for reasons of security or lack of demand (see NEXMO for instance).

release tag - it should be just 1.0

Hello,

I'm a port maintainer of SSP at the FreeBSD Ports project. I'm trying to update the port source so that the new 1.0 version can be installed on FreeBSD.

Unfortunately you've made a v1.0 release, not just 1.0 (as with the previous 0.9). So the ports framework, which uses codeload.github.com, is not able to download self-service-password-1.0 automatically.

Could you change it?

Thanks a lot for your time.

Greetings,

session token with nginx

Hi,

the SSP is not working on my nginx.

I get this kind of error when I use the reset link via mail:

[error] 12#12: *5 FastCGI sent in stderr: "PHP message: PHP Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /var/www/html/index.php:155) in /var/www/html/pages/sendtoken.php on line 147

Due to this error, the session files (like tmp/sess_e06b0cf4dd2e8c95428d09a2bd061211) are empty, so the email reset link is not working, with this error: "invalid token" (due to the session token file being empty, due to the previous error).

An ugly workaround is to add this line as the first line of /var/www/html/index.php:

Illegal passwords list

It would be great to be able to specify a list of illegal passwords in the config file, or even illegal words in password.

Corrections proposed to index.php and pages/* files

  1. In the top directory, file index.php, line 65, change from:
    $dependency_check_results = [];
    to
    $dependency_check_results = array();

  2. In the /pages subdirectory, files:
    change.php line 68, resetbyquestions.php line 69, resetbytoken.php line 106, sendsms.php line 119, sendtoken.php line 56, setquestions.php line 63, change from:
    $recaptcha = new \ReCaptcha\ReCaptcha($recaptcha_privatekey);
    to
    $recaptcha = new \ReCaptcha($recaptcha_privatekey);
