
(#1) KB3LWJ, New Member (Posts: 1, Join Date: Jun 2008)
Salt + Hash User Passwords - 29-06-2008, 11:27 PM

This will modify Kayako to salt and hash users' passwords.

Please make a full backup of your Kayako installation before installing this mod, including your database and your Kayako directory.

This has only been tested on SupportSuite v3.20.02.


It does the following:
  • Removes the cleartext passwords from the user database.
  • Replaces the MD5 hashes in the user database with salted hashes
    • It also rotates the password by a configurable number of ASCII characters to further reduce the risk of a dictionary attack.
  • Modifies the "Lost password" feature to generate a new password and send it to the user.
This modification consists of five files:
  • client_changepassword.diff
    • This patch modifies modules/core/client_changepassword.php
  • default.login.diff
    • This patch modifies includes/LoginShare/default.login.php
  • functions_users.diff
    • This patch modifies includes/functions_users.php
  • md5_salt.php
    • This file should be placed in includes/
    • It includes the hashing, verification, and rotation functions used to secure the passwords.
  • updatepwd.php
    • This is a migration script. It takes the cleartext passwords in the database, updates the database with the secured hashes, and then removes the cleartext passwords from the database.
    • It should be placed in the Kayako root directory and executed, then deleted.
Installation (all paths are relative to the Kayako root directory, and assume that you have the "patch" utility on your system):
  1. Place md5_salt.php in includes/
  2. Place the three .diff files in the Kayako root directory
  3. From a shell in the Kayako home directory, run the following commands:
    patch -bu includes/LoginShare/default.login.php default.login.diff
    patch -bu modules/core/client_changepassword.php client_changepassword.diff
    patch -bu includes/functions_users.php functions_users.diff
  4. Place updatepwd.php in the Kayako root directory
  5. Go to http://[your support site here]/updatepwd.php in your web browser.
    1. You must run this script, otherwise clients will be unable to access the site.
    2. No output will be displayed; simply allow the script to stop running on its own.
    3. In the event that the script is interrupted, it can be re-run safely.
    4. The changes made by this script cannot be undone. In order to revert to the old password storage method, you will need to reset all of your users' passwords.
  6. Delete updatepwd.php from your web server.
After installing the modification, you may want to update the "lpmaildesc" phrase in your languages setting to reflect that a new password has been generated, and that the user will need to use the included password to log in in the future. You may also want to remove the "Password" field from the "email_autoresponder" template.

License / Warranty
I release my modifications to the Kayako source files (as described in the included .diff files) into the public domain.

md5_salt.php and updatepwd.php are released under the MIT License:
Quote:
Copyright (c) 2008 Derek Kaser

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Attached Files
File Type: zip md5salt.zip (5.0 KB, 4 views)

Last edited by KB3LWJ; 30-06-2008 at 12:03 AM.
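
The migration described in the post above (salted hash written, cleartext removed, safe to re-run), as an added example that is not the code from md5_salt.php or updatepwd.php. It uses PBKDF2-SHA256 in place of the mod's salted hash and omits the rotation step; the column names password_clear and password_hash and the stored format are assumptions.

```php
<?php
// Added example. Column names and the stored format are assumptions,
// not taken from md5_salt.php or updatepwd.php.
const KDF_ITERATIONS = 100000;

function hash_password(string $password): string {
    $salt = bin2hex(random_bytes(16));            // fresh random salt per user
    $dk = hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS);
    return implode('$', ['pbkdf2', KDF_ITERATIONS, $salt, $dk]);
}

function verify_password(string $password, string $stored): bool {
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2'
        || !ctype_digit($parts[1]) || (int)$parts[1] < 1) {
        return false;                             // legacy MD5 or malformed value
    }
    $dk = hash_pbkdf2('sha256', $password, $parts[2], (int)$parts[1]);
    return hash_equals($parts[3], $dk);           // constant-time comparison
}

// Returns [migrated rows, ids that have no cleartext and need a reset].
function migrate_rows(array $rows): array {
    $needsReset = [];
    foreach ($rows as $id => $row) {
        if (strncmp($row['password_hash'], 'pbkdf2$', 7) === 0) {
            $rows[$id]['password_clear'] = '';    // already migrated: safe to re-run
            continue;
        }
        if ($row['password_clear'] === '') {
            $needsReset[] = $id;                  // only an unsalted MD5 remains
            continue;
        }
        $rows[$id]['password_hash'] = hash_password($row['password_clear']);
        $rows[$id]['password_clear'] = '';        // drop the cleartext copy
    }
    return [$rows, $needsReset];
}

// Constructed sample rows (not real Kayako data).
$rows = [
    1 => ['password_clear' => 'correct horse', 'password_hash' => md5('correct horse')],
    2 => ['password_clear' => '', 'password_hash' => md5('unknown')],
];
[$rows, $reset] = migrate_rows($rows);
[$again, $resetAgain] = migrate_rows($rows);     // second run changes nothing
var_dump(verify_password('correct horse', $rows[1]['password_hash']));
var_dump(verify_password('wrong guess', $rows[1]['password_hash']));
var_dump($again === $rows, $reset);
```

Because each row is recognised by its stored prefix, an interrupted run can be repeated without re-hashing migrated users; rows left with only a legacy hash are reported so those users can be sent through the password reset.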
   
(#2) Jamie Edwards, Operations Manager (Posts: 5,267, Join Date: Jan 2006, Location: United Kingdom)
29-06-2008, 11:30 PM

Hi, and thanks once again for sharing this modification with everyone.


Jamie Edwards (jamie.edwards ]at[ kayako.com)
(#3) craigbrass, Senior Member (Posts: 5,573, Join Date: Jun 2005, Location: Cumbria, UK)
30-06-2008, 09:20 AM

Looking good! It will be a nice solution until Kayako release V4.


Craig Brass - Kayako Forum Squatter (Note: I am NOT a staff member)
