diff --git a/Kernel/System/Auth/DB.pm b/Kernel/System/Auth/DB.pm index 2feef3fbb6b..d47f6940f7d 100644 --- a/Kernel/System/Auth/DB.pm +++ b/Kernel/System/Auth/DB.pm @@ -89,7 +89,7 @@ sub Auth { my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!'; my $UserID = ''; my $GetPw = ''; - my $Method; + my $Method = ''; # get database object my $DBObject = $Kernel::OM->Get('Kernel::System::DB'); @@ -177,8 +177,8 @@ sub Auth { { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'error', - Message => - "User: '$User' tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!", + Message => + "User: $User tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!", ); return; } @@ -245,10 +245,19 @@ sub Auth { # just in case for debug! if ( $Self->{Debug} > 0 ) { + my $EnteredPw = $CryptedPw; + my $ExpectedPw = $GetPw; + + # Don't log plaintext passwords. + if ( $Method eq 'plain' ) { + $EnteredPw = 'xxx'; + $ExpectedPw = 'xxx'; + } + $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => - "User: '$User' tried to authenticate with Pw: '$Pw' ($UserID/$Method/$CryptedPw/$GetPw/$Salt/$RemoteAddr)", + Message => + "User: $User tried to authenticate (User ID: $UserID, method: $Method, entered password: $EnteredPw, expected password: $ExpectedPw, salt: $Salt, remote address: $RemoteAddr)", ); } @@ -275,7 +284,7 @@ sub Auth { elsif ( ($UserID) && ($GetPw) ) { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => + Message => "User: $User authentication with wrong Pw!!! (Method: $Method, REMOTE_ADDR: $RemoteAddr)" ); return; diff --git a/Kernel/System/Auth/LDAP.pm b/Kernel/System/Auth/LDAP.pm index 086dc7d54e2..967bc228b82 100644 --- a/Kernel/System/Auth/LDAP.pm +++ b/Kernel/System/Auth/LDAP.pm 
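Review bot: In the `@@ -245,10 +245,19 @@` hunk the new mask only fires for `$Method eq 'plain'`, so for every hashed scheme the notice-level line still writes `$CryptedPw` (the hash of whatever the client typed, computed with the account's own salt), `$GetPw` (the stored hash) and `$Salt` into the log; an offline-crackable hash and a hash of a mistyped password from another service are credential material in their own right, and `Debug` logs are routinely shipped to shared collectors. The same shape appears in Kernel/System/CustomerAuth/DB.pm in the `@@ -259,14 +268,24 @@` hunk. I would mask unconditionally and record only the outcome, e.g. `my $PwState = ( $Method eq 'plain' ) ? 'xxx' : ( ( $CryptedPw // '' ) eq $GetPw ? 'match' : 'mismatch' );` and then log `method: $Method, computed hash vs stored: $PwState` with `$Salt` dropped from the message. Note that the `'plain'` assignment to `$Method` is not visible in this file's hunks, so the mask presumably relies on an existing branch setting it; if no branch sets `$Method` the comparison silently falls through to logging the values. The enclosing `sub Auth` continues outside the hunk.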
@@ -151,7 +151,7 @@ sub Auth { if ( $Self->{Debug} > 0 ) { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => "User: ($Param{User}) added $Self->{UserSuffix} to username!", + Message => "User: $Param{User} added $Self->{UserSuffix} to username!", ); } } @@ -160,8 +160,7 @@ sub Auth { if ( $Self->{Debug} > 0 ) { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => "User: '$Param{User}' tried to authenticate with Pw: '$Param{Pw}' " - . "(REMOTE_ADDR: $RemoteAddr)", + Message => "User: $Param{User} tried to authenticate (REMOTE_ADDR: $RemoteAddr)", ); } diff --git a/Kernel/System/Auth/Radius.pm b/Kernel/System/Auth/Radius.pm index fda637a47aa..9fe14112d45 100644 --- a/Kernel/System/Auth/Radius.pm +++ b/Kernel/System/Auth/Radius.pm @@ -85,7 +85,7 @@ sub Auth { if ( $Self->{Debug} > 0 ) { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => "User: '$User' tried to authenticate with Pw: '$Pw' ($RemoteAddr)", + Message => "User: $User tried to authenticate (REMOTE_ADDR: $RemoteAddr)", ); } diff --git a/Kernel/System/CustomerAuth/DB.pm b/Kernel/System/CustomerAuth/DB.pm index 706cc9df878..85b2e48349f 100644 --- a/Kernel/System/CustomerAuth/DB.pm +++ b/Kernel/System/CustomerAuth/DB.pm @@ -109,6 +109,7 @@ sub Auth { my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!'; my $UserID = ''; my $GetPw = ''; + my $Method = ''; # sql query $Self->{DBObject}->Prepare( @@ -143,6 +144,7 @@ sub Auth { if ( $Self->{CryptType} eq 'plain' ) { $CryptedPw = $Pw; + $Method = 'plain'; } # md5 or sha pw @@ -161,9 +163,11 @@ sub Auth { if ( $Magic eq '$apr1$' ) { $CryptedPw = apache_md5_crypt( $Pw, $Salt ); + $Method = 'apache_md5_crypt'; } else { $CryptedPw = unix_md5_crypt( $Pw, $Salt ); + $Method = 'unix_md5_crypt'; } $EncodeObject->EncodeInput( \$CryptedPw ); } 
@@ -176,6 +180,7 @@ sub Auth { $SHAObject->add($Pw); $CryptedPw = $SHAObject->hexdigest(); $EncodeObject->EncodeInput( \$CryptedPw ); + $Method = 'sha256'; } # sha512 pw @@ -186,6 +191,7 @@ sub Auth { $SHAObject->add($Pw); $CryptedPw = $SHAObject->hexdigest(); $EncodeObject->EncodeInput( \$CryptedPw ); + $Method = 'sha512'; } elsif ( $GetPw =~ m{^BCRYPT:} ) { @@ -196,7 +202,7 @@ sub Auth { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'error', Message => - "User: '$User' tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!", + "CustomerUser: $User tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!", ); return; } @@ -218,6 +224,7 @@ sub Auth { ); $CryptedPw = "BCRYPT:$Cost:$Salt:" . Crypt::Eksblowfish::Bcrypt::en_base64($Octets); + $Method = 'bcrypt'; } # sha1 pw @@ -231,6 +238,7 @@ sub Auth { $SHAObject->add($Pw); $CryptedPw = $SHAObject->hexdigest(); $EncodeObject->EncodeInput( \$CryptedPw ); + $Method = 'sha1'; } # No-13-chars-long crypt pw (e.g. in Fedora28). @@ -242,6 +250,7 @@ sub Auth { # Encode output, needed by crypt() only non utf8 signs. $CryptedPw = crypt( $Pw, $SaltUser ); $EncodeObject->EncodeInput( \$CryptedPw ); + $Method = 'crypt'; } } 
@@ -259,14 +268,24 @@ sub Auth { # encode output, needed by crypt() only non utf8 signs $CryptedPw = crypt( $Pw, $Salt ); $EncodeObject->EncodeInput( \$CryptedPw ); + $Method = 'crypt'; } # just in case! if ( $Self->{Debug} > 0 ) { + my $EnteredPw = $CryptedPw; + my $ExpectedPw = $GetPw; + + # Don't log plaintext passwords. + if ( $Self->{CryptType} eq 'plain' ) { + $EnteredPw = 'xxx'; + $ExpectedPw = 'xxx'; + } + $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => "CustomerUser: '$User' tried to authenticate with Pw: '$Pw' " - . "($UserID/$CryptedPw/$GetPw/$Salt/$RemoteAddr)", + Message => + "CustomerUser: $User tried to authenticate (User ID: $UserID, method: $Method, entered password: $EnteredPw, expected password: $ExpectedPw, salt: $Salt, remote address: $RemoteAddr)", ); } @@ -274,7 +293,7 @@ sub Auth { if ( !$Pw ) { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => + Message => "CustomerUser: $User authentication without password (REMOTE_ADDR: $RemoteAddr)", ); return; @@ -293,7 +312,7 @@ sub Auth { elsif ( $UserID && $GetPw ) { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => + Message => "CustomerUser: $User Authentication with wrong password (REMOTE_ADDR: $RemoteAddr)" ); return; @@ -303,7 +322,7 @@ sub Auth { else { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => + Message => "CustomerUser: $User doesn't exist, is invalid or has no password set (REMOTE_ADDR: $RemoteAddr)" ); return; diff --git a/Kernel/System/CustomerAuth/LDAP.pm b/Kernel/System/CustomerAuth/LDAP.pm index 1a19e1d1422..93d4c24a756 100644 --- a/Kernel/System/CustomerAuth/LDAP.pm +++ b/Kernel/System/CustomerAuth/LDAP.pm 
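Review bot: The mask in the `@@ -259,14 +268,24 @@` hunk is keyed on `$Self->{CryptType} eq 'plain'`, while the sibling Kernel/System/Auth/DB.pm keys the identical mask on `$Method eq 'plain'`, even though this file now populates `$Method` in every branch (including `$Method = 'plain';` in the `@@ -143,6 +144,7 @@` hunk). Using `if ( $Method eq 'plain' ) {` here keeps the two implementations consistent and ties the mask to the branch that actually produced `$CryptedPw` rather than to the configured default, which matters if a later change lets a stored-hash prefix override `CryptType`. The enclosing `sub Auth` continues outside the hunk.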
@@ -152,7 +152,7 @@ sub Auth { if ( $Self->{Debug} > 0 ) { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => "CustomerUser: ($Param{User}) added $Self->{UserSuffix} to username!", + Message => "CustomerUser: $Param{User} added $Self->{UserSuffix} to username!", ); } } @@ -161,8 +161,7 @@ sub Auth { if ( $Self->{Debug} > 0 ) { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => "CustomerUser: '$Param{User}' tried to authenticate with Pw: '$Param{Pw}' " - . "(REMOTE_ADDR: $RemoteAddr)", + Message => "CustomerUser: $Param{User} tried to authenticate (REMOTE_ADDR: $RemoteAddr)", ); } @@ -248,7 +247,7 @@ sub Auth { if ( $Self->{Debug} > 0 ) { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => 'check for groupdn!', + Message => 'Checking for GroupDN.', ); } @@ -288,7 +287,7 @@ sub Auth { # failed login note $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => + Message => "CustomerUser: $Param{User} authentication failed, no LDAP group entry found" . "GroupDN='$Self->{GroupDN}', Filter='$Filter2'! (REMOTE_ADDR: $RemoteAddr).", ); diff --git a/Kernel/System/CustomerAuth/Radius.pm b/Kernel/System/CustomerAuth/Radius.pm index 5f3abc45400..099b889da35 100644 --- a/Kernel/System/CustomerAuth/Radius.pm +++ b/Kernel/System/CustomerAuth/Radius.pm @@ -88,7 +88,7 @@ sub Auth { if ( $Self->{Debug} > 0 ) { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => "User: '$User' tried to authenticate with Pw: '$Pw' ($RemoteAddr)", + Message => "CustomerUser: $User tried to authenticate (REMOTE_ADDR: $RemoteAddr)", ); } @@ -133,7 +133,7 @@ sub Auth { if ( defined($AuthResult) && $AuthResult == 1 ) { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => "User: $User Authentication ok (REMOTE_ADDR: $RemoteAddr).", + Message => "CustomerUser: $User Authentication ok (REMOTE_ADDR: $RemoteAddr).", ); return $User; } 
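Review bot: In the `@@ -288,7 +287,7 @@` hunk the retained concatenation `"... no LDAP group entry found" . "GroupDN='$Self->{GroupDN}', ..."` has no separator between the two string literals, so the emitted line reads `...entry foundGroupDN='...'`, which is awkward for anyone grepping the failed-login notices this commit is tidying. Ending the first literal with a space, `"CustomerUser: $Param{User} authentication failed, no LDAP group entry found "`, fixes it. The enclosing `sub Auth` starts and ends outside the hunk.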
@@ -142,7 +142,7 @@ sub Auth { else { $Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', - Message => "User: $User Authentication with wrong Pw!!! (REMOTE_ADDR: $RemoteAddr)" + Message => "CustomerUser: $User Authentication with wrong Pw!!! (REMOTE_ADDR: $RemoteAddr)" ); return; }