Allow the use of yescrypt (hestiacp#2499)

jaapmarcus · web-flow · commit 59b7a81cf0d2 · 2022-04-08T09:48:51.000+02:00
* Allow yescrypt to be used

* Add support for Yescrypt  for user login

* Fix comment 

Add option to return hash if needed for next script

* Remove downgrade from yesscrypt to sha512

* Fix php error
diff --git a/bin/v-check-user-hash b/bin/v-check-user-hash
@@ -62,7 +62,9 @@ if echo "$shadow" | grep -qE '^\$[0-9a-z]+\$[^\$]+\$'
 then
     salt=$(echo "$shadow" |cut -f 3 -d \$)
     method=$(echo "$shadow" |cut -f 2 -d \$)
-    if [ "$method" -eq '1' ]; then
+    if [ "$method" = "y" ]; then 
+        method="yescrypt"
+    elif [ "$method" -eq '1' ]; then
         method='md5'
     elif [ "$method" -eq '6' ]; then
         method='sha-512'
diff --git a/bin/v-check-user-password b/bin/v-check-user-password
@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: check user password
-# options: USER PASSWORD [IP]
+# options: USER PASSWORD [IP] [RETURN_HASH]
 #
 # example: v-check-user-password admin qwerty1234
 #
@@ -14,6 +14,7 @@
 user=$1
 password=$2; HIDE=2
 ip=${3-127.0.0.1}
+return_hash=$4
 
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
@@ -31,11 +32,11 @@ date=$(echo "$time_n_date" |cut -f 2 -d \ )
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '2' "$#" 'USER PASSWORD'
+check_args '2' "$#" 'USER PASSWORD RETURN_HASH'
 is_format_valid 'user'
 
 # Checking user
-if [ ! -d "$HESTIA/data/users/$user" ] && [ "$user" != 'root' ]; then
+if [ ! -d "$HESTIA/data/users/$user" ]; then
     echo "Error: password missmatch"
     echo "$date $time $user $ip failed to login" >> $HESTIA/log/auth.log
     exit 9
@@ -63,8 +64,7 @@ then
     salt=$(echo "$shadow" |cut -f 3 -d \$)
     method=$(echo "$shadow" |cut -f 2 -d \$)
     if [ "$method" = "y" ]; then
-        echo "Unsuported hash method";
-        exit 1;   
+        method="yescrypt" 
     elif [ "$method" -eq '1' ]; then
         method='md5'
     elif [ "$method" -eq '6' ]; then
@@ -85,13 +85,22 @@ if [ -z "$salt" ]; then
     exit 9
 fi
 
-# Generating hash
-set -o noglob
-hash=$($BIN/v-generate-password-hash "$method" "$salt" <<< "$password")
-if [[ -z "$hash" ]]; then
-    echo "Error: password missmatch"
-    echo "$date $time $user $ip failed to login" >> $HESTIA/log/auth.log
-    exit 9
+if [ "$method" = "yescrypt" ]; then
+    hash=$(mkpasswd "$password" "$shadow")
+    if [ $? -ne 0 ]; then 
+        echo "Error: password missmatch"
+        echo "$date $time $user $ip failed to login" >> $HESTIA/log/auth.log
+        exit 9
+    fi
+else
+    # Generating hash
+    set -o noglob
+    hash=$($BIN/v-generate-password-hash "$method" "$salt" <<< "$password")
+    if [[ -z "$hash" ]]; then
+        echo "Error: password missmatch"
+        echo "$date $time $user $ip failed to login" >> $HESTIA/log/auth.log
+        exit 9
+    fi
 fi
 
 # Checking hash
@@ -106,6 +115,9 @@ fi
 #                       Hestia                             #
 #----------------------------------------------------------#
 
+if [ -n "$return_hash" ]; then 
+    echo $hash;
+fi
 # Logging
 echo "$date $time $user $ip successfully logged in" >> $HESTIA/log/auth.log
 
diff --git a/bin/v-get-user-salt b/bin/v-get-user-salt
@@ -84,7 +84,10 @@ if echo "$shadow" | grep -qE '^\$[0-9a-z]+\$[^\$]+\$'
 then
     salt=$(echo "$shadow" |cut -f 3 -d \$)
     method=$(echo "$shadow" |cut -f 2 -d \$)
-    if [ "$method" -eq '1' ]; then
+    if [ "$method" = "y" ]; then 
+        method='yescrypt'
+        salt=$(echo "$shadow" |cut -f 4 -d \$)
+    elif [ "$method" -eq '1' ]; then
         method='md5'
     elif [ "$method" -eq '6' ]; then
         method='sha-512'
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -1300,12 +1300,6 @@ echo "[ * ] Enable SFTP jail..."
 $HESTIA/bin/v-add-sys-sftp-jail > /dev/null 2>&1
 check_result $? "can't enable sftp jail"
 
-# Switch to sha512 for deb11.
-if [ "$release" -eq 11 ]; then
-    # Switching to sha512
-    sed -i "s/ yescrypt/ sha512/g" /etc/pam.d/common-password
-fi
-
 # Adding Hestia admin account
 $HESTIA/bin/v-add-user admin $vpass $email "system" "System Administrator"
 check_result $? "can't create admin user"
diff --git a/web/login/index.php b/web/login/index.php
@@ -107,6 +107,7 @@ function authenticate_user($user, $password, $twofa = '')
         $output = '';
         exec(HESTIA_CMD . 'v-get-user-salt ' . $v_user . ' ' . $v_ip . ' json', $output, $return_var);
         $pam = json_decode(implode('', $output), true);
+        unset($output);
         if ($return_var > 0) {
             sleep(2);
             if ($return_var == 5) {
@@ -128,6 +129,15 @@ function authenticate_user($user, $password, $twofa = '')
                 $hash = crypt($password, '$6$rounds=5000$' . $salt . '$');
                 $hash = str_replace('$rounds=5000', '', $hash);
             }
+            if ($method == 'yescrypt') {
+                $v_password = tempnam("/tmp", "vst");
+                $fp = fopen($v_password, "w");
+                fwrite($fp, $_POST['password']."\n");
+                fclose($fp);
+                exec(HESTIA_CMD . 'v-check-user-password '. $v_user.' '. $v_password. ' '.$v_ip.' yes', $output, $return_var);
+                $hash = $output[0];
+                unset($output);
+            }
             if ($method == 'des') {
                 $hash = crypt($password, $salt);
             }
