User passwords stored in cleartext
At present, the user's details are saved into config/kerberos.php and the password is saved in cleartext. Can the current implementation be improved so credentials are hashed?
Laravel provides the Hash class for secure Bcrypt hashing of passwords: https://laravel.com/docs/5.6/hashing and an implementation of this is at https://github.com/davidjb/kerberos-web/commit/5d92d8581f9d48113d151baeb94e2a14353a905d.
I haven't opened a PR, however, because the 'missing piece' is that the underlying user provider (https://github.com/cedricve/simpleauth/blob/master/src/Cedricve/Simpleauth/SimpleauthUserProvider.php) needs to verify the hash. SimpleAuth currently just checks for string equality, but could be configured to accept a hasher (like the DatabaseUserProvider in Laravel does) set to always use Bcrypt.
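The following is an added illustration of the 'missing piece' described above, not code from kerberos-web, SimpleAuth or the linked commit: a config-backed user provider in the style of SimpleAuth that accepts a Laravel Hasher and verifies a Bcrypt hash instead of comparing strings. It uses the real Laravel 5.6 classes (Illuminate\Contracts\Hashing\Hasher, Illuminate\Hashing\BcryptHasher, Illuminate\Auth\GenericUser); the class name HashedConfigUserProvider and the shape of the config entry (an array with 'username' and 'password' keys) are assumptions for the example.

```php
<?php
// Added example (not the project's code). Assumes Laravel 5.6 is installed via
// Composer; the config array shape ['username' => ..., 'password' => <bcrypt hash>]
// stands in for whatever config/kerberos.php actually holds.

use Illuminate\Auth\GenericUser;
use Illuminate\Contracts\Auth\Authenticatable;
use Illuminate\Contracts\Auth\UserProvider;
use Illuminate\Contracts\Hashing\Hasher;
use Illuminate\Hashing\BcryptHasher;

class HashedConfigUserProvider implements UserProvider
{
    /** @var array the single configured user, password field holds a bcrypt hash */
    private $user;
    /** @var Hasher injected so the provider never compares cleartext itself */
    private $hasher;

    public function __construct(array $user, Hasher $hasher)
    {
        $this->user = $user;
        $this->hasher = $hasher;
    }

    public function retrieveById($identifier)
    {
        return $this->user['username'] === $identifier ? $this->makeUser() : null;
    }

    public function retrieveByToken($identifier, $token)
    {
        return null; // no "remember me" tokens in a config-backed provider
    }

    public function updateRememberToken(Authenticatable $user, $token)
    {
        // nothing to persist for this example
    }

    public function retrieveByCredentials(array $credentials)
    {
        if (!isset($credentials['username'])) {
            return null;
        }
        return $this->retrieveById($credentials['username']);
    }

    public function validateCredentials(Authenticatable $user, array $credentials)
    {
        // Hasher::check() wraps password_verify(): the salt and cost are read from
        // the stored hash, and the comparison is constant-time. This replaces the
        // string-equality check that only works with a cleartext password on disk.
        return isset($credentials['password'])
            && $this->hasher->check($credentials['password'], $user->getAuthPassword());
    }

    private function makeUser()
    {
        return new GenericUser([
            'id'       => $this->user['username'],
            'username' => $this->user['username'],
            'password' => $this->user['password'], // the bcrypt hash, never the cleartext
        ]);
    }
}

// Producing the value to write into config/kerberos.php when the user sets a
// password in the web interface (Hash::make() does the same through the facade):
$hasher = new BcryptHasher();
$storedHash = $hasher->make('constructed-sample-password');

// Verifying a login attempt against the stored hash:
$provider = new HashedConfigUserProvider(
    ['username' => 'admin', 'password' => $storedHash],
    $hasher
);
$user  = $provider->retrieveByCredentials(['username' => 'admin']);
$valid = $provider->validateCredentials($user, ['password' => 'constructed-sample-password']);
$wrong = $provider->validateCredentials($user, ['password' => 'not-the-password']);

// If the bcrypt cost is later raised, needsRehash() flags old hashes so they can
// be regenerated on the next successful login and written back to the config.
$shouldUpgrade = $hasher->needsRehash($storedHash, ['rounds' => 12]);
```

$valid is true and $wrong is false for the inputs above. The point of injecting the Hasher (rather than calling password_verify() directly) is that SimpleAuth can keep its current string comparison as a fallback for existing installs while Laravel apps pass in the Bcrypt hasher, mirroring what Laravel's own DatabaseUserProvider does.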
hey @davidjb, indeed you're completely right. I'll update the SimpleAuth library so it can support your feature. Keep you posted! Thanks.
@davidjb. FYI, the latest build of KiOS comes with 'mkpasswd'. Though I'm not too familiar with the KiOS internals, this alone should be able to generate secure password hashes. https://www.cyberciti.biz/faq/generating-random-password/
@espressobeanies mkpasswd is an external command for generating randomised passwords, rather than for hashing/salting a given string within PHP (e.g. the password the user enters into the web interface on setting up Kerberos). The Laravel Hash class is the way to go for this purpose.