kerberos-io / web

(DEPRECATED) An open source GUI to configure the machinery and to view events that were detected by the machinery.
https://www.kerberos.io

User passwords stored in cleartext #117

Open davidjb opened 6 years ago

davidjb commented 6 years ago

At present, the user's details are saved into config/kerberos.php and the password is saved in cleartext. Can the current implementation be improved so credentials are hashed?

Laravel provides the Hash class for secure Bcrypt hashing of passwords: https://laravel.com/docs/5.6/hashing and an implementation of this is at https://github.com/davidjb/kerberos-web/commit/5d92d8581f9d48113d151baeb94e2a14353a905d.

I haven't opened a PR, however, because the 'missing piece' is that the underlying user provider (https://github.com/cedricve/simpleauth/blob/master/src/Cedricve/Simpleauth/SimpleauthUserProvider.php) needs to verify the hash. SimpleAuth currently just checks for string equality, but could be configured to accept a hasher (like the DatabaseUserProvider in Laravel does) set to always use Bcrypt.

cedricve commented 6 years ago

hey @davidjb, indeed you're completely right. I'll update the SimpleAuth library so it can support your feature. Keep you posted! Thanks.

espressobeanies commented 6 years ago

@davidjb. FYI, the latest build of KiOS comes with 'mkpasswd'. Though I'm not too familiar with the KiOS internals, this alone should be able to generate secure password hashes. https://www.cyberciti.biz/faq/generating-random-password/

davidjb commented 6 years ago

@espressobeanies mkpasswd is an external command for generating randomised passwords, rather than for hashing/salting a given string within PHP (e.g. the password the user enters into the web interface on setting up Kerberos). The Laravel Hash class is the way to go for this purpose.
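As an added illustration (not code from kerberos-io/web or SimpleAuth), here is the string-equality check the issue describes beside a hash-based check of the kind a user provider's `validateCredentials` would need. Laravel's `Hash::make` / `Hash::check` wrap PHP's `password_hash` / `password_verify` with bcrypt, so plain PHP is used to keep the example self-contained; the record layout (`username`, `password`) is an assumption.

```php
<?php
// Added example, not the project's own code. The record layout is assumed.

function hashPassword(string $plain): string
{
    // Equivalent to Hash::make($plain): bcrypt with a random per-password salt.
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Current SimpleAuth behaviour as described in the issue: cleartext comparison.
function validateCleartext(array $record, string $plain): bool
{
    return $record['password'] === $plain;
}

// Hardened check: verify against a stored bcrypt hash. password_verify reads
// the salt and cost from the hash and compares in constant time.
function validateHashed(array $record, string $plain): bool
{
    $stored = $record['password'];
    // Refuse anything that is not a bcrypt hash, so a leftover cleartext
    // entry in config/kerberos.php fails closed instead of being compared.
    if (strpos($stored, '$2y$') !== 0) {
        return false;
    }
    return password_verify($plain, $stored);
}

// Optional: detect hashes made with a weaker cost so they can be re-hashed
// on next successful login.
function needsRehash(string $stored): bool
{
    return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Constructed sample record, as it would look after migrating the config.
$record = ['username' => 'admin', 'password' => hashPassword('correct horse')];
var_dump(validateHashed($record, 'correct horse'));
var_dump(validateHashed($record, 'wrong'));
// A record still holding cleartext is rejected rather than compared as-is.
var_dump(validateHashed(['username' => 'admin', 'password' => 'correct horse'], 'correct horse'));
```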