/usr/sbin/gosa-encrypt-passwords is in gosa 2.7.4+reloaded2-13+deb9u1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 | #!/usr/bin/php
<?php
function cred_encrypt($input, $password) {
$size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
return bin2hex(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $password, $input, MCRYPT_MODE_ECB, $iv));
}
function get_random_char() {
$randno = rand (0, 63);
if ($randno < 12) {
return (chr ($randno + 46)); // Digits, '/' and '.'
} else if ($randno < 38) {
return (chr ($randno + 53)); // Uppercase
} else {
return (chr ($randno + 59)); // Lowercase
}
}
function get_random_string($size= 32){
$str= "";
for ($i = 0; $i < $size; $i++) {
$str .= get_random_char();
}
return $str;
}
# We need to have access to gosa.secrets
if (posix_getuid() != 0){
die ("This program needs to be called by root!\n");
}
# Do we have a valid gosa.conf?
if (!file_exists("/etc/gosa/gosa.conf")){
die ("Cannot find a valid /etc/gosa/gosa.conf!\n");
}
echo "Starting password encryption\n";
echo "* generating random master key\n";
$master_key= get_random_string();
# Do we have a valid gosa.secrets, already?
if (file_exists("/etc/gosa/gosa.secrets")){
die ("There's already a /etc/gosa/gosa.secrets. Cannot convert your existing gosa.conf - aborted\n");
} else {
echo "* creating /etc/gosa/gosa.secrets\n";
$fp = fopen("/etc/gosa/gosa.secrets", 'w') or die("Cannot open /etc/gosa/gosa.secrets for writing - aborted");
fwrite($fp, "RequestHeader set GOSAKEY $master_key\n");
fclose($fp);
chmod ("/etc/gosa/gosa.secrets", 0600);
chown ("/etc/gosa/gosa.secrets", "root");
chgrp ("/etc/gosa/gosa.secrets", "root");
}
# Locate all passwords inside the gosa.conf
echo "* loading /etc/gosa/gosa.conf\n";
$conf = new DOMDocument();
$conf->load("/etc/gosa/gosa.conf") or die ("Cannot read /etc/gosa/gosa.conf - aborted\n");
$conf->encoding = 'UTF-8';
$referrals= $conf->getElementsByTagName("referral");
foreach($referrals as $referral){
$user = $referral->attributes->getNamedItem("adminDn");
echo "* encrypting GOsa password for: ".$user->nodeValue."\n";
$pw= $referral->attributes->getNamedItem("adminPassword");
$pw->nodeValue= cred_encrypt($pw->nodeValue, $master_key);
}
# Encrypt the snapshot passwords
$locations= $conf->getElementsByTagName("location");
foreach($locations as $location){
$name = $location->attributes->getNamedItem("name");
$node = $location->attributes->getNamedItem("snapshotAdminPassword");
if($node->nodeValue){
echo "* encrypting snapshot pasword for location: ".$name->nodeValue."\n";
$node->nodeValue = cred_encrypt($node->nodeValue, $master_key);;
}
}
# Move original gosa.conf out of the way and make it unreadable for the web user
echo "* creating backup in /etc/gosa/gosa.conf.orig\n";
rename("/etc/gosa/gosa.conf", "/etc/gosa/gosa.conf.orig");
chmod("/etc/gosa/gosa.conf.orig", 0600);
chown ("/etc/gosa/gosa.conf.orig", "root");
chgrp ("/etc/gosa/gosa.conf.orig", "root");
# Save new passwords
echo "* saving modified /etc/gosa/gosa.conf\n";
$conf->save("/etc/gosa/gosa.conf") or die("Cannot write modified /etc/gosa/gosa.conf - aborted\n");
chmod("/etc/gosa/gosa.conf", 0640);
chown ("/etc/gosa/gosa.conf", "root");
chgrp ("/etc/gosa/gosa.conf", "www-data");
echo "OK\n\n";
# Print reminder
echo<<<EOF
Please adapt your http gosa location declaration to include the newly
created "/etc/gosa/gosa.secrets".
Example:
Alias /gosa /usr/share/gosa/html
<Location /gosa>
php_admin_flag engine on
php_admin_value open_basedir "/etc/gosa/:/usr/share/gosa/:/var/cache/gosa/:/var/spool/gosa/"
php_admin_flag register_globals off
php_admin_flag allow_call_time_pass_reference off
php_admin_flag expose_php off
php_admin_flag zend.ze1_compatibility_mode off
include /etc/gosa/gosa.secrets
</Location>
Please reload your httpd configuration after you've modified anything.
EOF;
?>
|