From a5733508ae1ae625efcfd48190eab4b6a963d599 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Tue, 2 May 2017 21:36:08 +0100
Subject: [PATCH 1/6] Double hash the password directly in the install script
---
 automated install/basic-install.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index d7075088..c9f4d659 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -1413,7 +1413,9 @@ main() {
 pw=""
 if [[ $(grep 'WEBPASSWORD' -c /etc/pihole/setupVars.conf) == 0 ]] ; then
 pw=$(tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c 8)
- /usr/local/bin/pihole -a -p "${pw}"
+ hash=$(echo -n ${pw} | sha256sum | sed 's/\s.*$//')
+ hash=$(echo -n ${hash} | sha256sum | sed 's/\s.*$//')
+ echo "WEBPASSWORD=${hash}" >> ${setupVars}
 fi
 fi
From 9c136a5579cbfd3a151a3068bfe1abb8ef578c09 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Tue, 2 May 2017 22:24:37 +0100
Subject: [PATCH 2/6] functionise Hashing
---
 advanced/Scripts/webpage.sh | 11 ++++++++---
 automated install/basic-install.sh | 4 ++--
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/advanced/Scripts/webpage.sh b/advanced/Scripts/webpage.sh
index 7804fc8f..1169d6f0 100755
--- a/advanced/Scripts/webpage.sh
+++ b/advanced/Scripts/webpage.sh
@@ -67,6 +67,13 @@ SetTemperatureUnit(){
 }
+HashPassword(){
+ # Compute password hash twice to avoid rainbow table vulnerability
+ return=$(echo -n ${1} | sha256sum | sed 's/\s.*$//')
+ return=$(echo -n ${return} | sha256sum | sed 's/\s.*$//')
+ echo ${return}
+}
+
 SetWebPassword(){
 if [ "${SUDO_USER}" == "www-data" ]; then
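Review bot: In the `@@ -1413,7 +1413,9 @@` hunk of PATCH 1/6 the new append writes to `${setupVars}` unquoted, while the guard just above it greps the literal path `/etc/pihole/setupVars.conf`, so the check and the write only agree if the variable holds that exact path (its definition is outside the hunk). I would quote the target, `echo "WEBPASSWORD=${hash}" >> "${setupVars}"`, and have the guard read the same variable. The same append reappears in PATCH 2/6, 5/6 and 6/6. main() starts and ends outside the hunk.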
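Review bot: The comment added to `HashPassword` (PATCH 2/6, `@@ -67,6 +67,13 @@`) overstates what the code provides: both SHA-256 rounds are unsalted, so a given password always produces the same stored value and a table precomputed for this exact construction still applies, and a fast hash does little to slow guessing of the 8-character generated password. Changing the scheme would also need the code that verifies the hash, which is not visible here, to change, so at minimum the comment should be corrected, e.g. `# Double SHA-256 of the password; unsalted, so it gives no protection against precomputed tables`. Separately, `return` is assigned as a global; declaring it `local` would keep it from leaking into any script that sources this file.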
@@ -93,9 +100,7 @@ SetWebPassword(){
 read -s -p "Confirm Password: " CONFIRM
 echo ""
 if [ "${PASSWORD}" == "${CONFIRM}" ] ; then
- # Compute password hash twice to avoid rainbow table vulnerability
- hash=$(echo -n ${PASSWORD} | sha256sum | sed 's/\s.*$//')
- hash=$(echo -n ${hash} | sha256sum | sed 's/\s.*$//')
+ hash=$(HashPassword ${PASSWORD})
 # Save hash to file
 change_setting "WEBPASSWORD" "${hash}"
 echo "New password set"
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index c9f4d659..e3f48536 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -1413,9 +1413,9 @@ main() {
 pw=""
 if [[ $(grep 'WEBPASSWORD' -c /etc/pihole/setupVars.conf) == 0 ]] ; then
 pw=$(tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c 8)
- hash=$(echo -n ${pw} | sha256sum | sed 's/\s.*$//')
+ hash=$(echo -n ${pw} | sha256sum | sed 's/\s.*$//' | sha256sum | sed 's/\s.*$//')
 hash=$(echo -n ${hash} | sha256sum | sed 's/\s.*$//')
- echo "WEBPASSWORD=${hash}" >> ${setupVars}
+ echo "WEBPASSWORD=$(echo -n ${pw} | sha256sum | sed 's/\s.*$//' | sha256sum | sed 's/\s.*$//')" >> ${setupVars}
 fi
 fi
From 61ec7723f6abd599e6bd8f41e741a9ed31cf620d Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Tue, 2 May 2017 22:25:47 +0100
Subject: [PATCH 3/6] use function in install script
---
 automated install/basic-install.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index e3f48536..e535d115 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
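Review bot: `hash=$(HashPassword ${PASSWORD})` in the `@@ -93,9 +100,7 @@` hunk passes the password unquoted, and `HashPassword` reads only `${1}`, so a passphrase containing a space is word-split and only its first word is hashed and stored; the removed inline `echo -n ${PASSWORD}` at least fed every word to the hash. Glob characters in the password are also expanded against the working directory before the call. Quote the call, `hash=$(HashPassword "${PASSWORD}")`, and inside the function feed the value with `printf '%s' "${1}"` instead of `echo -n ${1}`, so that a value such as `-e` is not parsed as an echo option. SetWebPassword begins and ends outside the hunk.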
@@ -1413,9 +1413,8 @@ main() {
 pw=""
 if [[ $(grep 'WEBPASSWORD' -c /etc/pihole/setupVars.conf) == 0 ]] ; then
 pw=$(tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c 8)
- hash=$(echo -n ${pw} | sha256sum | sed 's/\s.*$//' | sha256sum | sed 's/\s.*$//')
- hash=$(echo -n ${hash} | sha256sum | sed 's/\s.*$//')
- echo "WEBPASSWORD=$(echo -n ${pw} | sha256sum | sed 's/\s.*$//' | sha256sum | sed 's/\s.*$//')" >> ${setupVars}
+ . /opt/pihole/webpage.sh
+ echo "WEBPASSWORD=$(HashPassword ${1})
 fi
 fi
From bb6f409e89c931a313d12dbe2e3050d72bbde76a Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Tue, 2 May 2017 22:28:32 +0100
Subject: [PATCH 4/6] dropped a "
---
 automated install/basic-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index e535d115..cd39d225 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -1414,7 +1414,7 @@ main() {
 if [[ $(grep 'WEBPASSWORD' -c /etc/pihole/setupVars.conf) == 0 ]] ; then
 pw=$(tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c 8)
 . /opt/pihole/webpage.sh
- echo "WEBPASSWORD=$(HashPassword ${1})
+ echo "WEBPASSWORD=$(HashPassword ${1})"
 fi
 fi
From 9c645e2010342cd47cf308555560b30783ce3153 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Tue, 2 May 2017 22:30:02 +0100
Subject: [PATCH 5/6] Seriously.
---
 automated install/basic-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index cd39d225..311adb72 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -1414,7 +1414,7 @@ main() {
 if [[ $(grep 'WEBPASSWORD' -c /etc/pihole/setupVars.conf) == 0 ]] ; then
 pw=$(tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c 8)
 . /opt/pihole/webpage.sh
- echo "WEBPASSWORD=$(HashPassword ${1})"
+ echo "WEBPASSWORD=$(HashPassword ${1})" >> ${setupVars}
 fi
 fi
From b13171cc4549ff894c6336bbd31ac9f32a0271d4 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Tue, 2 May 2017 22:37:38 +0100
Subject: [PATCH 6/6] $1 is not $pw. Seriously, who let me onto this project
---
 automated install/basic-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 311adb72..c65ef49f 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -1414,7 +1414,7 @@ main() {
 if [[ $(grep 'WEBPASSWORD' -c /etc/pihole/setupVars.conf) == 0 ]] ; then
 pw=$(tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c 8)
 . /opt/pihole/webpage.sh
- echo "WEBPASSWORD=$(HashPassword ${1})" >> ${setupVars}
+ echo "WEBPASSWORD=$(HashPassword ${pw})" >> ${setupVars}
 fi
 fi
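Review bot: The line added in PATCH 6/6 appends whatever `HashPassword` prints without checking it: if `. /opt/pihole/webpage.sh` (the context line above, introduced in PATCH 3/6) fails because the file is missing or unreadable, the function is undefined, the substitution is empty, and `WEBPASSWORD=` is written with no value. How the web interface treats an empty value is not visible here, so I would treat that as a failure rather than store it. Sourcing also runs any top-level statements of webpage.sh inside the installer's shell. The guarded form below checks both the source and the hash before writing; main() starts and ends outside the hunk.

```shell
# … unchanged: pw=$(tr -dc … | head -c 8) …
if ! . /opt/pihole/webpage.sh; then
  echo "Unable to load /opt/pihole/webpage.sh; web password not set" >&2
  exit 1
fi
pwhash=$(HashPassword "${pw}")
if [[ -z "${pwhash}" ]]; then
  echo "Password hashing failed; web password not set" >&2
  exit 1
fi
echo "WEBPASSWORD=${pwhash}" >> "${setupVars}"
```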