From a54caff6cb0e403b156b0a24a674988503cb981c Mon Sep 17 00:00:00 2001
From: "Rob Swindell (on Debian Linux)" <rob@synchro.net>
Date: Thu, 10 Apr 2025 15:11:08 -0700
Subject: [PATCH] Allow optional pepper to be specified with '-h' (hashed
 password) option

e.g. '-hSERVERNAME'

This allows server-unique hashing so that if one BBS auto-registers
/authenticates its users with *multiple* Rlogin servers, the credentials
stored on one of the Rlogin servers may not be used to authenticate on the others.
---
 exec/rlogin.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/exec/rlogin.js b/exec/rlogin.js
index 65d8edc844..20c677d7d1 100644
--- a/exec/rlogin.js
+++ b/exec/rlogin.js
@@ -8,7 +8,7 @@
 //   -T <connect-timeout-seconds> (default: 10 seconds)
 //   -m <telnet-gateway-mode> (Number or TG_* vars OR'd together, default: 0)
 //   -p send current user alias and password as server and client-name values
-//   -h send current user alias and hashed-password as server and client-name
+//   -h[pepper] send current user alias and hashed-password as server and client-name
 //   -q don't display banner or pause prompt (quiet)
 //   -v increase verbosity (display remote host name/address/port in messages)
 //   -P don't pause for user key-press
@@ -39,12 +39,13 @@ var clear = options.clear === undefined ? true : options.clear;
 var timeout = options.timeout === undefined ? 10 : options.timeout;
 var verbosity = options.verbosity === undefined ? 0 : options.verbosity;
 
-function hashed_user_password()
+function hashed_user_password(pepper)
 {
 	return sha1_calc(user.security.password
 		+ user.number
 		+ user.stats.firston_date
 		+ (options.salt || system.qwk_id)
+		+ pepper
 		, /* hex: */true);
 }
 
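Review bot: `+ pepper` in hashed_user_password appends the literal text "undefined" whenever the function is called without an argument, which silently changes the hash. The one call site visible in this patch always passes a string, but any other caller would be affected. Writing it as `+ (pepper || '')` keeps the no-pepper result identical to the previous hash. The inputs are also joined with no separator, so a salt of `AB` with pepper `C` hashes the same as a salt of `A` with pepper `BC`; a fixed delimiter added only when a pepper is present would bind the value unambiguously without changing existing hashes. In the commit's example the value is a server name taken from the command line, so a comment above the function could state that it is a per-server separator rather than a secret.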
@@ -81,7 +82,7 @@ for(var i = 0; i < argv.length; i++) {
 			++verbosity;
 			continue;
 		case 'h': // send alias and hashed-password
-			client_name = hashed_user_password();
+			client_name = hashed_user_password(arg.substring(2));
 			server_name = user.alias;
 			continue;
 		case 'p': // send alias and password as expected by Synchronet
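Review bot: The `case 'h':` comment does not say that a bare `-h` gives `arg.substring(2)` as an empty string, which yields the same hash as before this change. The per-server separation is therefore opt-in, and a BBS that keeps using plain `-h` against several servers still presents the same credential to all of them. I would extend the comment to `case 'h': // send alias and hashed-password; text after "-h" is the optional per-server pepper (empty = legacy hash)`. The usage line at the top of the file could also note that the pepper must stay the same for a given server, since changing it changes the credential sent to that server. The enclosing switch and loop start and end outside this hunk.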
-- 
GitLab