From 0b011cc83ef109cfadb6b53692eefa28aa8039a1 Mon Sep 17 00:00:00 2001
From: "Rob Swindell (on Debian Linux)" <rob@synchro.net>
Date: Thu, 10 Apr 2025 14:35:40 -0700
Subject: [PATCH] Add '-h' option to send a salted and hashed password to the
 server

Like the -p option, except the server won't get a copy of the client BBS
user's password or be able to decode it.

The user's password, user number and account creation date are used to generate
the password hash (along with the salt), so changing any of these will change
the resulting hashed password sent (and presumably logged/stored) on the
server. The resulting SHA-1 hash is sent as 40 hexadecimal digits.

The default salt is the system's QWK-ID, but the sysop can specify their own
salt (e.g. a random number or secret passphrase) via the "salt" key in the
[rlogin] section of modopts.ini or the root section of ctrl/modopts/rlogin.ini.
---
 exec/rlogin.js | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/exec/rlogin.js b/exec/rlogin.js
index 0fb3f7828f..65d8edc844 100644
--- a/exec/rlogin.js
+++ b/exec/rlogin.js
@@ -8,6 +8,7 @@
 //   -T <connect-timeout-seconds> (default: 10 seconds)
 //   -m <telnet-gateway-mode> (Number or TG_* vars OR'd together, default: 0)
 //   -p send current user alias and password as server and client-name values
+//   -h send current user alias and hashed-password as server and client-name
 //   -q don't display banner or pause prompt (quiet)
 //   -v increase verbosity (display remote host name/address/port in messages)
 //   -P don't pause for user key-press
@@ -38,6 +39,15 @@ var clear = options.clear === undefined ? true : options.clear;
 var timeout = options.timeout === undefined ? 10 : options.timeout;
 var verbosity = options.verbosity === undefined ? 0 : options.verbosity;
 
+function hashed_user_password()
+{
+	return sha1_calc(user.security.password
+		+ user.number
+		+ user.stats.firston_date
+		+ (options.salt || system.qwk_id)
+		, /* hex: */true);
+}
+
 for(var i = 0; i < argv.length; i++) {
 	var arg = argv[i];
 	if(arg[0] != '-') {
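Review bot: hashed_user_password() is a single unkeyed SHA-1 pass over the password plus values that are not secret, and the default salt on the `options.salt || system.qwk_id` line is the system's QWK-ID, which is presumably public. Whoever holds the 40 hex digits (the server, its logs, or anything on the connection path if the session is unencrypted) can therefore check password guesses offline at full hash speed. The commit message's claim that the server cannot decode it is only as strong as the user's password unless the sysop sets a secret `salt`. I would say so above the function, e.g. `// NOTE: fast unkeyed SHA-1; with the default QWK-ID salt the result is open to offline password guessing, so set a secret "salt" in [rlogin]`. The fields are also concatenated with no separator, so different password and user-number pairs can build the same input string; a delimiter between the fields would remove that ambiguity.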
@@ -70,6 +80,10 @@ for(var i = 0; i < argv.length; i++) {
 		case 'v':
 			++verbosity;
 			continue;
+		case 'h': // send alias and hashed-password
+			client_name = hashed_user_password();
+			server_name = user.alias;
+			continue;
 		case 'p': // send alias and password as expected by Synchronet
 			client_name = user.security.password;
 			server_name = user.alias;
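Review bot: In `case 'h'`, the value assigned to `client_name` is identical for every destination, because none of the hash inputs identify the remote host. It is therefore a fixed password-equivalent rather than a per-server secret, and each server that receives it holds the same credential the user presents elsewhere through this option. If the destination address is already known at this point in argument parsing (not visible in the hunk), mixing it into the hashed string would make the value per-server. Otherwise the usage comment should state the limitation, e.g. `//   -h ... (the same value is sent to every host; treat it as a credential)`. The enclosing loop and switch start and end outside the hunk.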
-- 
GitLab