
Re: MOSSi - MOSSinstaller

Posted: Thu Feb 23, 2012 9:10 pm
by Lyrositor
I've been considering integrating directly into the PHP script, but I'm not sure of all the operations being performed on the password, so I can't accurately hash it with PHP's sha function (if there is such a thing; I know there is sha1). From what I can tell by looking at the source code:
1. "size" is calculated by multiplying by 2 the sum of both the e-mail and password strings.
2. "input" is assigned a block of memory the size of, well, "size".
3. cp is assigned the value of input.
3. "cp" receives, character by character, the password (except for the newline (?) at the end), with a null character between each letter.
4. Where the newline was, two null characters are placed instead.
5. "cp" is then assigned the lower-case e-mail with null characters in between each letter and two more at the end.
6. SHA generated with input (?).
And I think that's it. I don't get it: what's the purpose of cp if input is used at the end? There is no reassignment of cp's value to input, if I'm correct. I'm aware they are pointers, so maybe I'm confused on that part, but if both point to the same address, why even have two values at all?

P.S. : Still learning C++. Started OOP; woop! :)
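
The buffer layout listed in the post above, written out as an added C example; it is not the MOSS source and not code from any poster. It assumes both strings arrive with a trailing newline, uses the hypothetical names build_hash_input and put_wide, and stops before the SHA step because the thread does not say which SHA routine that path uses. It also shows why there are two pointers: "input" keeps the start of the block while "cp" advances as bytes are written.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from the MOSS source): append one input line to
 * the buffer as 2-byte units (the character, then 0x00). A newline is
 * written as two 0x00 bytes. Returns the advanced cursor. */
static unsigned char *put_wide(unsigned char *cp, const char *s, int lower)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\n')
            c = 0;
        else if (lower)
            c = (unsigned char)tolower(c);
        *cp++ = c;    /* first byte: the character, or 0 for the newline */
        *cp++ = 0;    /* second byte: always 0 */
    }
    return cp;
}

/* Builds the block that would be handed to the SHA routine. "input" keeps
 * the start of the block (needed for hashing and for free()); "cp" is the
 * write cursor that moves forward. The caller frees the result. */
unsigned char *build_hash_input(const char *password, const char *email,
                                size_t *size_out)
{
    size_t size = 2 * (strlen(email) + strlen(password));   /* step 1 */
    unsigned char *input = malloc(size);                    /* step 2 */
    unsigned char *cp = input;                              /* step 3 */

    if (input == NULL)
        return NULL;
    cp = put_wide(cp, password, 0);   /* password, case preserved */
    cp = put_wide(cp, email, 1);      /* e-mail, lower-cased */
    /* cp now points one past the last byte written; input still points at
     * the first byte, so cp - input is the number of bytes filled. */
    *size_out = (size_t)(cp - input);
    return input;
}
```

For ASCII input this layout is the same as encoding each string as UTF-16LE with its final newline replaced by U+0000.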

Re: MOSSi - MOSSinstaller

Posted: Thu Feb 23, 2012 9:56 pm
by Hoikas
That makes sense. However, there were a good many of us writing our own servers who noted that providing regular usernames would result in a simple SHA-1 hash being sent. It makes things a lot easier, and avoids the interesting effects of the email-based hashes :).

Anyway, my poorly described point is that it's a lot easier to sha1 then pg_query in PHP as opposed to running an arbitrary system command. ;)

Re: MOSSi - MOSSinstaller

Posted: Fri Feb 24, 2012 12:00 am
by Lyrositor
Does anybody know where the code is in CWE where it encrypts passwords? Maybe it could be changed to a simple SHA1 (or SHA2 or whatever) encryption, and this would greatly simplify creation of passwords on the server side while relying on an encryption built for governments and security.

Re: MOSSi - MOSSinstaller

Posted: Fri Feb 24, 2012 1:48 am
by Hoikas
You don't need to change anything in CWE. It already uses SHA1 for usernames that are not email addresses.

Re: MOSSi - MOSSinstaller

Posted: Fri Feb 24, 2012 2:06 am
by Lyrositor
I haven't been able to figure out how to make MOSS accept a username instead of an e-mail address yet, so I don't know how it works on the server side though.

Re: MOSSi - MOSSinstaller

Posted: Fri Feb 24, 2012 7:02 am
by a'moaca'
To compile compute_auth_hash, type "make compute_auth_hash".

It is documented, several times over, that MOSS works fine with the non-email-address usernames. It always has. I use them myself. All you have to do is put the SHA-1 hash of the password in the DB instead of the compute_auth_hash thing. This is documented in the files in the source tree itself and there is a pointer on the wiki.

I wrote a lot of documentation. It would be nice if people read it, but ignorance is the best way to generate fud, I guess.

Re: MOSSi - MOSSinstaller

Posted: Fri Feb 24, 2012 12:34 pm
by Lyrositor
I have compiled compute_auth_hash that way. What I was asking is if it can be set to install along with MOSS, but I suppose I can just do a manual cp to carry over the compiled code.

I have already read the sections explaining that MOSS works with non-email address usernames, but so far I've had no luck. I'll try again, since I might have used the wrong encryption, or my MOSS server was incorrectly configured.

I read all your documentation, from MOSS/Notes to MOSS/Setup to the doc/setup file to the doc/user-management with everything in between. I think I've understood it all, so I'm asking these many questions because I have spent a lot of time trying to figure out everything on my own (if you look at my Installing MOSS thread, I've already managed to figure out a few things on my own).

Re: MOSSi - MOSSinstaller

Posted: Sat Feb 25, 2012 2:46 am
by Lyrositor
Mac_Fife wrote: I don't use pg_escape_string either, but I do a lot of checking/cleansing on both the password and email supplied long before I get to the point of putting them through compute_auth_hash (for instance, I check that the email address conforms to the RFCs and I check that there's a valid MX record for the domain - no point sending emails out if they're just going to bounce back).
I think I've found a pretty good checker here, and so far so good, so I'm going to use it for Lyros Shard: http://www.linuxjournal.com/article/9585?page=0,3

Re: MOSSi - MOSSinstaller

Posted: Fri Mar 15, 2013 8:36 pm
by jamie marchant
Are you still maintaining this? I tried it to set up MOSS after completing some of the steps manually, but Files.zip cannot be found on your server. Thanks :)

Re: MOSSi - MOSSinstaller

Posted: Fri Mar 15, 2013 10:14 pm
by Lyrositor
No, I'm not maintaining it anymore; and I think the Files.zip would not work now anyway, since the files have changed. You have to generate the manifests yourself.