For this new post we will disscuss about the new securty feature that encrypt or hash password in Plesk database.I need to authenticate within some PHP scripts the Plesk user.
Let’s have a look on the Plesk database, the table that contain the password for each accounts is “accounts”. There is an entry for each password in Plesk (Client account, E-mail, Database, FTP, etc…).
Every password except the Plesk Client account is encrypted, that mean that we could uncrypt them. The Plesk Client account is hashed, so no way to get the original password but I don’t need it to authenticate the user. $5$ at the begining of the hash means that it use SHA-256. The password use a salt in order to avoid the usage of rainbow table to found the original password. The salt is present in the has between the second and third $ the result of the hash of the password plus the salt is located after the third $. So now to tests if the password given by the user correspond to the password in psa database, here is a little function that do the job.
Parameters are the plain password given by the user and the hash from the psa database. The function returns true if the password is correct, false otherwise.
|
1 2 3 4 5 6 |
function testHashedPassword($password, $hash) { $hasharr = explode('$', $hash); $res = crypt($password, '$' . $hasharr[1] . '$' . $hasharr[2] . '$'); return $res == $hash; } |
That was the easy part, let’s now talk about the encrypted password that could be decrypted. The password is encrypted with using a salt and the Plesk private key. This key is very critical for the security so warning with this !
As the key is stored in binray format i suggest to get it in BASE64 format. When logged in root, write :
|
1 |
cat /etc/psa/private/secret_key | base64 |
This command will give you the BASE64 version of the Plesk private key and this will be use full for the next functions.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
function decrypt_password($pass,$key = PLESK_KEY) { if($pass == '') return ''; $base64encoded_ciphertext = explode('$', $pass); return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, base64_decode($key), base64_decode($base64encoded_ciphertext[3]), MCRYPT_MODE_CBC, base64_decode($base64encoded_ciphertext[2])); } function encrypt_password($pass,$iv,$key = PLESK_KEY) { $pass = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, base64_decode($key), $pass, MCRYPT_MODE_CBC, base64_decode($iv)); return '$AES-128-CBC$' . $iv . '$' . base64_encode($pass); } |
These functions allow to decrypt Plesk password and encrypt them. For the first function the parameters are the encrypted password and the Plesk private key. The parameters of the second function are the plain password, the salt and the Plesk private key.
That’s all for this post, fell free to contact me if you want more details.
Stéphane