New hmac scheme for sudo passwords.

diff --git a/debian/changelog b/debian/changelog
index 955d81e..20a5720 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+userdir-ldap-cgi (0.3.23) unstable; urgency=low
+
+  * New hmac scheme for sudo passwords.
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 14 Nov 2008 20:01:38 +0100
+
 userdir-ldap-cgi (0.3.22) unstable; urgency=low
 
   * Verify confirmed hmac in web display, showing status as either 'confirmed'

diff --git a/update.cgi b/update.cgi
index f78a7eb..ae0b6ce 100755 (executable)
--- a/update.cgi
+++ b/update.cgi
@@ -128,7 +128,7 @@ if (!($query->param('doupdate'))) {
       next;
     }
     if ($status =~ /^confirmed:/) {
-      my $data = join(':', 'password-is-confirmed', $uuid, $hosts, $crypted);
+      my $data = join(':', 'password-is-confirmed', 'sudo', $data{'uid'}, $uuid, $hosts, $crypted);
       my $hmac = hmac_sha1_hex( $data, $hmac_key);
       if ($status eq "confirmed:$hmac") {
         $status = 'confirmed';
@@ -143,7 +143,7 @@ if (!($query->param('doupdate'))) {
                  <td><input name=\"sudopassword-delete-".CGI::escapeHTML($uuid)."\" type=\"checkbox\" value=\"delete\"> (delete)</td></tr>\n";
     $sudopassword .= $e;
     if ($status eq 'unconfirmed') {
-      my $data = join(':', 'confirm-new-password', $uuid, $hosts, $crypted);
+      my $data = join(':', 'confirm-new-password', 'sudo', $data{'uid'}, $uuid, $hosts, $crypted);
       my $hmac = hmac_sha1_hex( $data, $hmac_key);
       $confirmstring .= CGI::escapeHTML("confirm sudopassword $uuid $hosts $hmac\n");
     }