DokuWiki

It's better when it's simple

User Tools

Site Tools


plugin:securelogin

SecureLogin Plugin

Compatible with DokuWiki

  • 2020-07-29 "Hogfather" unknown
  • 2018-04-22 "Greebo" yes
  • 2017-02-19 "Frusterick Manners" yes
  • 2016-06-26 "Elenor Of Tsort" yes

plugin Not Maintained. This plugin encrypts submitted passwords, giving you and your users an extra layer of security.

Last updated on
2020-05-27
Provides
Admin, Action
Repository
Source
By Mikhail I. Izmestev

Description

Not Maintained

This plugin uses Tom Wu's implementation of RSA algorithm in JavaScript on the client to encrypt the login password with the server's public key. The encrypted password is then sent to the server where it can be decrypted. Man-in-the-middle attacks are prevented by using a variable token (salt) added to the password before encrypting. Therefore, replay attacks don't work.

When securelogin is used, there is always a “use securelogin” checkbox near the password field. If the browser has no JavaScript or JavaScript is disabled, then obviously, the passwords are sent in clear text, as they are by default with DokuWiki. In this case though, the user should notice the absence of the checkbox.

Also, whenever a password has to be entered, it is automagically encrypted by this plugin, be it on the login, profile or admin page.

In short, it takes your password:

p:MySecretPa$$word

And instead has the login/profile/admin page submit the password as:

securelogin:M66YMHFzjl9qXa96zr2JzDWlV3WTE+4mOgJZNNr3yW9xPzSORtSIjp+ZNczopNUp5N0M0ASiqutgf1nio+iTN....

Not Maintained

While it still works with the listed versions, it's not actively maintained. Sometimes people help out here or in the forums, but be aware that no one is maintaining it. Adopters welcome.

Attacks against RSA have become easier. This plugin uses RSA and needs to be rewritten to use a different library/encryption mechanism. As it is, it may be vulnerable to certain targeted man-in-the-middle attacks. Though it appears that those attacks may still be fairly expensive against a regular wiki site. If in doubt, see the next section.

Use HTTPS, CORS, etc

This plugin was made when HTTPS was pricey (for a wiki), but we still wanted as much security as we could get. Now that one can easily have HTTPS, CORS, Subresource Integrity, etc, it's not as relevant. Consider it as just a possible extra layer of security. Your first priority should always be a good server setup with the latest in security. I've left this here for those that want it.

Because good security is like a onion. You want a lot of layers in order keep things protected even *when* some layers fail.

Issue with CAPTCHA Plugin Login

If the CAPTCHA plugin is enabled on the login page with this plugin, the CAPTCHA will not be processed. ie, the user can enter whatever for the CAPTCHA prompt and the login will be processed like normal. So Bots can attempt to login and ignore the CAPTCHA.

A wrong password will still fail. And Securelogin will still encrypt the password. The login will just act as if CAPTCHA is not installed. The CAPTCHA plugin should still work elsewhere on the site.

Installation and Setup

  1. Search for and install the plugin using the Extension Manager.
  2. Once installed, go the Admin page and select “Secure login configuration”.
  3. Under “Generate new key pair”, click the “Generate” button.
  4. Click the “Test” button to verify your setup. If all is working, a bubble will appear containing whatever was in the “Test Message” box.

You're done. From then on, all passwords are encrypted before being sent.

To manually install the plugin, please see the Plugin Installation Instructions. Then follow the last three steps above.

How it works

Normally when you submit your 'MySecretPa$$word', you will see it in the data transfer (using wireshark, tcpdump, developer tools, etc):

id:start
do:login
u:MyUser
p:MySecretPa$$word

You can easily see the 'MySecretPa$$word' in the above example.

But when you use this plugin, it will encrypt the password, which can only be decrypted on the server.

id:start
do:login
u:MyUser
p:******
use_securelogin:1
securelogin:M66YMHFzjl9qXa96zr2JzDWlV3WTE+4mOgJZNNr3yW9xPzSORtSIjp+ZNczopNUp5N0M0ASiqutgf1nio+iTNj3pS24kHD1LZb6GcG7cFvpr/uzfxJsO8jAbFD6/ZkB0xy9vBMabn3BYP7GWLrTR3b/7zNdla/FdqjX9U48dHMrcO2/ZFJKLsdzt84/bC+3xoV7/qC/BZO5AbQ37SvLEC7DaMTMtbSqlF573Y0iOMb3wYe1rj2m/HQiBM8ro25OBfnUxmgJFMVVkfkLdNUepRjUeeJSXF+R5XDcO2L4uX9D8AOE8nSecRn+0gqwz6PzPPqEpv60y0Io1rZXevG+I9Q==

The javascript on the page takes the form's password variable `p=MySecretPa$$word`, encrypts it with the provided salt (changed on every page load), and sets the result as `securelogin`. It also replaces `p`'s value with stars so it can't submit the password in the clear.

When the server receives the data, it sees that `use_securelogin` is set to `1` (true), so it knows the password was encrypted. It will decrypt the `securelogin` variable and separate it from the salt value. From this it gets the `p=MySecretPa$$word` value, which it sets so the Dokuwiki authentication routines have it. Dokuwiki can then compare the passwords like it normally does.

This same process happens during the add user, modify user, and edit profile options. This is what will be seen if someone views a user changing their password (with this plugin active):

do:profile
fullname:MyUser
email:user@example.com
newpass:******
passchk:******
oldpass:******
use_securelogin:1
securelogin:mCUIwYbHRgNjmAkr1CHssH8g1ZAgGKIxsFsMZUN1XM703V2g4hB5upzfJeVyE/aT9ByOYxQChbhRyJezjD7jO4LKwlgBR/Jnqkr+rUr70MLcoRybM8maTGdAGDM3VweSylqAGOASKb87hKYb0URUFo+yfGaKp572IWCfSZDHLrP1Hrs/f7EYKXozXpMNHA3l/VXNm2wGAwvkvnfFgkRZonrdfdUlLDC0OkBpa3WawMqoYb+1/kcuGsBcAve0Tp+uMQZw8FwHj8SOp9kJLUnEqXrop2pXa3mc9j8NS54CeCbJuJ0qfEhUHIE9/BHUgbmCPQV6XNWttZbRp8r1Q1dG/g==

In this case, all three passwords are encrypted into `securelogin`, and the post values replaced with stars.

Changlog

  • 20200527
    • Updated url to archived location of repo.
  • * 20200418
    • Quoted array keys for php 7.2
  • 20180217 Thanks to Christian Paul for reporting
    • Fixed issue where second password was not encrypted on add/modify users
  • 20150928 Thanks to Satoshi Sahara
    • compatible with DokuWiki 2015-08-10 “Detritus”
    • replace deprecated split() function call
    • prevent PHP error output
    • use PHP5 constructor method for classes
    • Improved coding style and added license header in source files
  • 20140417
    • Changed download link per Mikhail I. Izmestev's request
    • Updates to plugin info in admin page, like the website link and more unified info.
  • 20130519
    • added jQuery patches. Thanks to Heiko Barth
  • 20101121
    • add german translation. Thanks to Heiko Barth
    • fix finding pubkey info with openssl 0.9.8*
    • fix escaping encoded data (now supports non ascii passwords)
  • 20101105
    • fixed support php < 5.2
    • added plugin.info.txt
  • 20101101 Thanks to Christophe Martin
    • fix bug with some chars in passwords
  • 20091213
    • add support of usermanager plugin
  • 20091206 Thanks to Christophe Martin
    • fix unclosed <div id="secure__login">
    • add showlogin compat
  • 20090901 Thanks to Jan Hána
    • add Czech translation
  • 20090802 Thanks to Christophe Martin
    • fix problem with URL-rewrite DokuWiki method
    • add French translation

Comments

Tested and found to not be functional under Angua. No checkbox appears on the login screen and I am not sure if the key generation is working. How can I test this? — greenseeker 2012/02/02 19:41

It works for me under Angua. I do get a checkbox. Did you manually generate a new key pair on the Admin page (&do=admin&page=securelogin)? If it works the public key should be shown there. — Rik Blok 2012/02/02 20:17
I did generate the new key, or at least I tried. When I click Generate the page reloads but nothing visibly happens. I tried all available key length options and got the same result. — greenseeker 2012/02/02 23:10
I'm not the plugin author so I'm just guessing but have you checked your file/folder permissions? Maybe the keys can't be written on the server. I don't know where they're supposed to be stored. — Rik Blok 2012/02/03 20:29
The key is stored in data/cache/securelogin.*. — Casper 2012/02/03 22:34
Just checked the permissions again and they're all good. data/cache/securelogin.ini and data/cache/securelogin.key both existed with a Feb 2 date, so they were created. I delete and recreated them again but still no checkbox at login. — greenseeker 2012/02/04 17:30
Maybe a caching (⇒ delete cache) or template (try default template) problem? — Casper 2012/02/04 19:54
Seems to be an issue with the Arctic template. Odd, I've been using it forever and never had a problem. — greenseeker 2012/02/06 19:56
It works for me with the latest Arctic template on Angua. I did have to regenerate my key at some point (but I don't remember if it was related to a DokuWiki or template update). — Rik Blok 2012/02/08 00:30
I'm not sure what the cause was, but it started working for me after changing to the default template and then back to arctic again. I did this yesterday and it didn't have any effect. — greenseeker 2012/02/08 01:25
I can't generate key: I use Adora Belle. Permission rights of data/cache are ok, ma none of the files above (securelogin.*) have been generated. Is the plugin working with Adora Belle? — fabrizio 2012/10/16
I've just generated a new key under Adora Belle - works just fine. — Casper 2012/10/16 15:34
For Weatherwax, I tried to edit .js files and got worked. See this, all of mentioned were needed. — anonymous 2013/05/12 15:59
Patches were committed, so these issues should be fixed. Let me know if you're still having problems. — Matt Bagley 2014/04/17 11:39

Patched JavaScript for DokuWiki >= Weatherwax

Casper 2013/05/19 00:51

Added patches to plugin.

Matt Bagley 2014/04/17 11:39

plugin/securelogin.txt · Last modified: 2020-05-28 07:53 by mattfiddles