Commit 0b011cc8 authored by Rob Swindell's avatar Rob Swindell :speech_balloon:

Add '-h' option to send a salted and hashed password to the server

Like the -p option, except the server won't get a copy of the client BBS
user's password or be able to decode it.

The user's password, user number and account creation date are used to generate
the password hash (along with the salt), so changing any of these will change
the resulting hashed password sent (and presumably logged/stored) on the
server. The resulting SHA-1 hash is sent as 40 hexadecimal digits.

The default salt is the system's QWK-ID, but the sysop can specify their own
salt (e.g. random number or secret passphrase) via the "salt" key in the
[rlogin] section of modopts.ini or root section of ctrl/modopts/rlogin.ini
parent e23d4e19
...@@ -8,6 +8,7 @@ ...@@ -8,6 +8,7 @@
// -T <connect-timeout-seconds> (default: 10 seconds) // -T <connect-timeout-seconds> (default: 10 seconds)
// -m <telnet-gateway-mode> (Number or TG_* vars OR'd together, default: 0) // -m <telnet-gateway-mode> (Number or TG_* vars OR'd together, default: 0)
// -p send current user alias and password as server and client-name values // -p send current user alias and password as server and client-name values
// -h send current user alias and hashed-password as server and client-name
// -q don't display banner or pause prompt (quiet) // -q don't display banner or pause prompt (quiet)
// -v increase verbosity (display remote host name/address/port in messages) // -v increase verbosity (display remote host name/address/port in messages)
// -P don't pause for user key-press // -P don't pause for user key-press
...@@ -38,6 +39,15 @@ var clear = options.clear === undefined ? true : options.clear; ...@@ -38,6 +39,15 @@ var clear = options.clear === undefined ? true : options.clear;
var timeout = options.timeout === undefined ? 10 : options.timeout; var timeout = options.timeout === undefined ? 10 : options.timeout;
var verbosity = options.verbosity === undefined ? 0 : options.verbosity; var verbosity = options.verbosity === undefined ? 0 : options.verbosity;
function hashed_user_password()
{
return sha1_calc(user.security.password
+ user.number
+ user.stats.firston_date
+ (options.salt || system.qwk_id)
, /* hex: */true);
}
for(var i = 0; i < argv.length; i++) { for(var i = 0; i < argv.length; i++) {
var arg = argv[i]; var arg = argv[i];
if(arg[0] != '-') { if(arg[0] != '-') {
...@@ -70,6 +80,10 @@ for(var i = 0; i < argv.length; i++) { ...@@ -70,6 +80,10 @@ for(var i = 0; i < argv.length; i++) {
case 'v': case 'v':
++verbosity; ++verbosity;
continue; continue;
case 'h': // send alias and hashed-password
client_name = hashed_user_password();
server_name = user.alias;
continue;
case 'p': // send alias and password as expected by Synchronet case 'p': // send alias and password as expected by Synchronet
client_name = user.security.password; client_name = user.security.password;
server_name = user.alias; server_name = user.alias;
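Review bot: The string hashed in `hashed_user_password()` is a plain concatenation and, unless the sysop sets `salt`, everything mixed in besides the password is non-secret (user number, first-on date, the system QWK-ID), so the 40-digit value is one fast SHA-1 pass over the password plus guessable data. A server receiving it does not see the password, but the hash is only as strong as the password itself, and the same value is sent to every host reached with `-h`, where it serves as the login credential. I would state that above the function, e.g. `// NOTE: with the default salt (QWK-ID) the hash is no stronger than the user's password; set a secret "salt" in modopts to harden it`, and put a delimiter between the fields so different password/number/date combinations cannot concatenate to the same input. Whether the destination address is already known at this point, so the hash could be bound per server, is not visible in this section.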
......