Open davidjb opened 6 years ago
Hey @davidjb, indeed you're completely right. I'll update the SimpleAuth library so it can support your feature. I'll keep you posted! Thanks.
@davidjb. FYI, the latest build of KiOS comes with 'mkpasswd'. Though I'm not too familiar with the KiOS internals, this alone should be able to generate secure password hashes. https://www.cyberciti.biz/faq/generating-random-password/
@espressobeanies `mkpasswd` is an external command for generating randomised passwords, rather than for hashing/salting a given string within PHP (e.g. the password the user enters into the web interface on setting up Kerberos). The Laravel Hash class is the way to go for this purpose.
At present, the user's details are saved into `config/kerberos.php` and the password is saved in cleartext. Can the current implementation be improved so credentials are hashed?

Laravel provides the `Hash` class for secure Bcrypt hashing of passwords: https://laravel.com/docs/5.6/hashing and an implementation of this is at https://github.com/davidjb/kerberos-web/commit/5d92d8581f9d48113d151baeb94e2a14353a905d.

I haven't opened a PR, however, because the 'missing piece' is that the underlying user provider (https://github.com/cedricve/simpleauth/blob/master/src/Cedricve/Simpleauth/SimpleauthUserProvider.php) needs to verify the hash. SimpleAuth currently just checks for string equality, but could be configured to accept a hasher (like the DatabaseUserProvider in Laravel does) set to always use Bcrypt.