Moodle: MDL-67774

Specify password peppers in config.php


Details

    • MOODLE_403_STABLE
    • master_MDL-67774

    Testing instructions

      It is recommended to read through the test instructions before completing them. This will lessen the risk of you locking yourself out of your Moodle instance.

      1) Existing user test:

      • Prior to applying this patch have a Moodle instance that has some users who are able to log in using a user name and password via the Moodle login page
      • Apply the patch from this issue to the Moodle instance, do not set any peppers.
      • Confirm that the users can still log in after the patch is applied.

      2) Password change test.

      • Change the password of an existing user who has been able to log in.
      • Confirm that the user is able to log in using their user name and new password via the Moodle login page

      3) User upload test.

      • Login as an admin
      • Navigate to: Site administration > Users > Upload users
      • Upload the mdl-67774.csv file attached to this issue
      • Change the "New user password" option to "Field required in file".
      • Click the "Upload users" button
      • Confirm there are no errors with the upload
      • Click the "continue" button
      • Log out as admin
      • Confirm that the user created from the csv can log in with the password from the csv

      4) New user test.

      • Login as an admin
      • Create a new user from the UI
      • Log out as admin
      • Confirm that the user created can log in with their password

      5) Mobile app SSO login.

      • Get or create an existing user that can log in with a username and password.
      • You will need to know their internal Moodle user id.
      • Using cURL (or wget, or whatever you like to make requests outside of a browser), run the command:
      • curl 'https://webserver/login/token.php?username=testuser&password=sEcReTpAsSwOrD&service=moodle_mobile_app'
        • Replace 'webserver' with the domain of your Moodle instance
        • You MUST use a HTTPS site for this test
      • This command will return a response in the format of: {"token":"7c1bd46b379ecfa6874a49564f4539a7","privatetoken":"IYvPCLomSLYfGTCCX57kZoVBxQWWxQyCVLzeF8dF5rPPCPVUubqgkEtiAAoFzAYM"}
      • Within the next 60 seconds, replace the token and private token in the following command (replacing the domain with that of your test site) and then run it:
        curl 'https://webserver/webservice/rest/server.php?moodlewsrestformat=json' \
        -A "MoodleMobile" \
        --data 'privatetoken=IYvPCLomSLYfGTCCX57kZoVBxQWWxQyCVLzeF8dF5rPPCPVUubqgkEtiAAoFzAYM&wsfunction=tool_mobile_get_autologin_key&wstoken=7c1bd46b379ecfa6874a49564f4539a7' 
      • The command will return a response in the format: {"key":"1bf8caab3fe7ed06918909dad5f5ccf8","autologinurl":"https:\/\/webserver\/admin\/tool\/mobile\/autologin.php","warnings":[]}
      • Within the next 60 seconds, replace the key in the following:
        https://webserver/admin/tool/mobile/autologin.php?key=1bf8caab3fe7ed06918909dad5f5ccf8&userid=3
        • Replace the domain with your test server
        • replace the userid with the id of the user who you supplied the username and password for
      • Copy and paste the URL into a browser
      • Confirm you are now logged into Moodle

      6) Define a pepper without "enough" entropy (less than 112 bits of entropy)

      • Log your test user out of Moodle
      • Add the following entry to your Moodle instance's "config.php" file:

      $CFG->passwordpeppers = [1 => 'foo'];

      • Try to log in with a known username and password.
      • Confirm you receive the following error "Coding error detected, it must be fixed by a programmer: password pepper below minimum".
      • Click continue to return to the login page.

      7) Define a pepper with "enough" entropy (more than 112 bits of entropy)

      • Add the following entry to your Moodle instance's "config.php" file:

      $CFG->passwordpeppers = [1 => '#GV]NLie|x$H9[$rW%94bXZvJHa%z'];

      • Try to log in with a known username and password.
      • Confirm that you can log in successfully

      8) Pepper tests.

      • Repeat tests: 2 - 5
      • Note: For test 3 you will need to update the user details in the csv to create a new user.
      • Confirm all tests pass

      9) New pepper tests

      • Log your test user out of Moodle
      • Update the "config.php" file of your Moodle instance to:

      $CFG->passwordpeppers = [
          1 => '#GV]NLie|x$H9[$rW%94bXZvJHa%z',
          2 => '#GV]NLie|x$H9[$rW%94bXZvJHa%$'
      ];

      • Repeat tests: 1-5
      • Note: For test 3 you will need to update the user details in the csv to create a new user.
      • Confirm all tests: pass

      10) Removed pepper test.

      • Log your test user out of Moodle
      • Update the "config.php" file of your Moodle instance to:

      $CFG->passwordpeppers = [
          2 => '#GV]NLie|x$H9[$rW%94bXZvJHa%$'
      ];

      • Repeat tests: 1-5
      • Note: For test 3 you will need to update the user details in the csv to create a new user.
      • Note: Any users who logged in as part of tests 7 and 8, but not test 9, will not be able to log in anymore.
      • Confirm all tests: pass

      11) Broken pepper test

      • Log your test user out of Moodle
      • Update the "config.php" file of your Moodle instance to:

      $CFG->passwordpeppers = [
          2 => '#GV]NLie|x$H9[$rW%94bXZvJHa%$_BUSTED'
      ];

      • Repeat tests: 1-5
      • Confirm no logins work

      12) Remove peppers

      • Log your test user out of Moodle
      • Update the "config.php" file of your Moodle instance to:

      $CFG->passwordpeppers = [
          2 => '#GV]NLie|x$H9[$rW%94bXZvJHa%$',
          3 => ''
      ];

      • Repeat tests: 1-5
      • Note: For test 3 you will need to update the user details in the csv to create a new user.
      • Note: Any users who logged in as part of tests 7 and 8, but not test 9, will not be able to log in anymore.
      • Confirm all tests: pass
      • Remove the entire passwordpeppers array and definition from your config.php
      • Repeat tests: 1-5
      • Confirm all tests: pass
    • Team Hedgehog 2023 Review 2, Team Hedgehog 2023 Sprint 3.1, Team Hedgehog 2023 Sprint 3.2

    Description

      NIST guidelines from 2017 recommend a pepper as well as a salt, see:

      https://en.wikipedia.org/wiki/Pepper_(cryptography)

      Roughly, a pepper is a component of the salt, but stored separately; in this case it would be in config.php. Splitting them means that if the db is compromised, the partial hashes are useless.

      Unlike a salt, the pepper is not unique and would be shared for all users, and must be kept secret.

      I would also want a simple method to allow multiple peppers so they can be rotated like:

      $CFG->passwordpeppers = [
          '2019' => 'blahsecret45678',
          '2018' => 'blahsecret12345',
      ];

      Whenever we confirm hashes we'll check against all peppers but upgrade it to the latest one which is first in the list.

      The pepper needs to have a decent amount of entropy so I'd throw a config exception if the primary pepper is too short, min 112 bits of entropy, so the pepper itself cannot be easily brute forced if you have a known password + hash combo.
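      To make the rotation and entropy rules above concrete, here is an added illustration in PHP; it is not Moodle's own implementation of this issue. It assumes that the pepper is appended to the password before hashing with password_hash(), that the pepper with the highest array key is the current one (as in the testing steps, where `3 => ''` switches peppering off), and that entropy is estimated as length times log2 of the character pool used.

```php
<?php
// Illustration added for MDL-67774; not Moodle's implementation.
// Assumed design: pepper appended to the password before bcrypt,
// highest array key = current pepper, '' = peppering switched off.

const PEPPER_MIN_ENTROPY_BITS = 112;

// Rough entropy estimate: length * log2(size of the character pool used).
// With this estimate 'foo' gives ~14 bits and the 29-char sample ~190 bits.
function pepper_entropy_bits(string $pepper): float {
    $pool = 0;
    if (preg_match('/[a-z]/', $pepper)) { $pool += 26; }
    if (preg_match('/[A-Z]/', $pepper)) { $pool += 26; }
    if (preg_match('/[0-9]/', $pepper)) { $pool += 10; }
    if (preg_match('/[^a-zA-Z0-9]/', $pepper)) { $pool += 32; }
    return $pool === 0 ? 0.0 : strlen($pepper) * log($pool, 2);
}

// Current pepper = entry with the highest key; '' disables peppering.
// A weak current pepper is a configuration error, so refuse to proceed.
function current_pepper(array $peppers): string {
    if ($peppers === []) { return ''; }
    $current = $peppers[max(array_keys($peppers))];
    if ($current !== '' && pepper_entropy_bits($current) < PEPPER_MIN_ENTROPY_BITS) {
        throw new RuntimeException('password pepper below minimum');
    }
    return $current;
}

function hash_with_pepper(string $password, array $peppers): string {
    return password_hash($password . current_pepper($peppers), PASSWORD_DEFAULT);
}

// Verify against every configured pepper plus the unpeppered form (hashes made
// before any pepper existed). On a match with a non-current pepper, $newhash
// receives a rehash under the current pepper so the stored row can be upgraded.
function verify_with_peppers(string $password, string $hash, array $peppers, ?string &$newhash = null): bool {
    $newhash = null;
    $candidates = array_values($peppers);
    $candidates[] = '';
    foreach ($candidates as $pepper) {
        if (password_verify($password . $pepper, $hash)) {
            if ($pepper !== current_pepper($peppers)) {
                $newhash = hash_with_pepper($password, $peppers);
            }
            return true;
        }
    }
    return false; // hashes made with a since-removed pepper end up here
}
```

      Once a pepper is dropped from the array, any hash still bound to it can no longer be verified, which is exactly the lockout the testing steps warn about for users who skipped the rotation step.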

       

            People

              matt.porritt@moodle.com Matt Porritt
              brendanheywood Brendan Heywood
              Andrew Lyons Andrew Lyons
              Ilya Tregubov Ilya Tregubov
              Kim Jared Lucas Kim Jared Lucas

              Time Tracking

                Estimated: 0m
                Remaining: 0m
                Logged: 1d 58m (Time Spent - 1 day, 58 minutes)
