Extending create new user
[CGIscriptor.git] / Private / CreateUser.html (blob 7bd40351cebac9b7e6cb1a20a3ba41c0baa58b11)
<html>
<head>
<title>Create User Account</title>
<SCRIPT TYPE="text/ssperl" CGI='$SERVERSALT $LOGINTICKET $RANDOMSALT $REMOTE_ADDR $LOGINUSERNAME $LOGINIPADDRESS $LOGINPATH'>
::create_login_file("~/Private/.Passwords", "~/Private/.Sessions", $REMOTE_ADDR);
"";
</SCRIPT>
<SCRIPT type="text/javascript" LANGUAGE="JavaScript">
<SCRIPT TYPE="text/ssperl" SRC="./JavaScript/CGIscriptorSession.js"></SCRIPT>

window.onload = function() {
	// Get encrypted new key and salt, decrypt key in place when a session secret is present
	var newpassword = document.getElementById('newaccount');
	var usertext = document.getElementById('usertext');
	var secret = sessionStorage.getItem("CGIscriptorSECRET");
	if(secret && newpassword) {
		var decrypted = DecryptNewPassword (secret, newpassword.innerHTML);
		newpassword.innerHTML = decrypted;
	}
	// Reset session data
	loadSessionData (CGIscriptorSessionType, CGIscriptorChallengeTicket);

	return true;
};
</SCRIPT>
<script type="text/javascript">
<SCRIPT TYPE="text/ssperl" SRC="./JavaScript/sha.js"></SCRIPT>
</script>

</head>
<body>
<p>
<table width='100%'><tr>
<td style='text-align: left'><a href="/index.html">Home</a></td>
<td style='text-align: right'><a href="?LOGOUT">Logout</a></td>
</tr></table>
</p>
<p ALIGN=RIGHT><a href="index.html">Private Home page</a><br />
<a href="ChangePassword.html">Change Password</a><br />
<SCRIPT TYPE="text/ssperl" CGI='@CAPABILITIES $LOGINUSERNAME'>
# Block access to users who lack the CreateUser capability.
# Note: the check is only applied when EnforceCreateUser is set in the
# environment; otherwise any logged-in user reaches the form below.
if($ENV{'EnforceCreateUser'} && ! grep(/^CreateUser$/, @CAPABILITIES))
{
	my $banner = "";
	$banner =<< "ENDOFNOAUTHORIZATION BANNER";
<h1 style="text-align: center; color: Red">$LOGINUSERNAME: You are not authorized to create a new user account</h1>
<h2 style="text-align: center; color: Red">Please contact your administrator</h2>

</body>
</html>
ENDOFNOAUTHORIZATION BANNER

	print STDOUT $banner;
	exit;
}
"";
</SCRIPT>
<h1 align=CENTER>Create new user account</h1>
<SCRIPT TYPE="text/ssperl" CGI='$NEWACCOUNTTEXT'>
# After a successful POST, $NEWACCOUNTTEXT holds the text of the new account
# record. Derive a safe file name from its "Username:" line and show both.
if($NEWACCOUNTTEXT =~ /\S/)
{
	my $filename = "";
	if($NEWACCOUNTTEXT =~ /Username\:\s+([^\n]+)(\n|$)/isg)
	{
		$filename = lc($1);
		$filename =~ s/[^\w]/_/isg;	# keep only word characters in the file name
	}
	print STDOUT << "ENDOFPRINTNEWACCOUNTTEXT";
Paste this text into a file with name <em>$filename</em>
<pre>
$NEWACCOUNTTEXT
</pre>
ENDOFPRINTNEWACCOUNTTEXT
}
"";
</SCRIPT>
<p>
<form method="POST" action="CreateUser.html" id="LoginForm"
onSubmit='if(! check_password_fields())return false;EncryptNewPassword("NEWUSERNAME");HashPassword("<SCRIPT TYPE="text/ssperl">
$RANDOMSALT</SCRIPT>");hidePasswords();true'>
<div style="margin-left: 20%; margin-right: 20%; text-align: left">
<table cellspacing="5" >
<tr>
<td style="text-align: right">Password:</td>
<td style="text-align: left"><input type="PASSWORD" name="PASSWORD" id="PASSWORD" size="50" /></td>
</tr>
<tr><td>&nbsp;</td><td>&nbsp;</td></tr>
<tr><td>&nbsp;</td><td>New user account settings</td></tr>

<tr>
<td style="text-align: right">New Username:</td>
<td style="text-align: left">
<input type="text" name="NEWUSERNAME" id="NEWUSERNAME" size="30" />
</td>
</tr>
<tr>
<td style="text-align: right">New Password:</td>
<td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORD" id="NEWPASSWORD" size="50" />
</td>
</tr>
<tr>
<td style="text-align: right">Repeat Password:</td>
<td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORDREP" id="NEWPASSWORDREP" size="50" onChange="check_password_fields();"/></td>
</tr>
<tr>
<td style="text-align: right"></td>
<td style="text-align: left">Account Settings</td>
</tr>
<tr>
<td style="text-align: right">Allowed Paths:</td>
<td style="text-align: left"><input type="TEXT" name="ALLOWEDPATHS" id="ALLOWEDPATHS" size="50" value="# ; separated perl regex" /></td>
</tr>
<tr>
<td style="text-align: right">Allowed IP addresses:</td>
<td style="text-align: left"><input type="TEXT" name="IPADDRESS" id="IPADDRESS" size="50" value="127.0.0.1;# Other (partial) IP addresses" /></td>
</tr>
<tr>
<td style="text-align: right">Session type:</td>
<td style="text-align: left">
<select name="NEWSESSION" id="NEWSESSION">
<option value="SESSION" selected>SESSION</option>
<option value="CHALLENGE">CHALLENGE</option>
<option value="IPADDRESS">IPADDRESS</option>
</select>
</td>
</tr>
<tr><td>&nbsp;</td><td>&nbsp;</td></tr>
<tr>
<td></td>
<td style="text-align: left"><input type="submit" id="SUBMIT" value="Create" style="color: Gray" />
<input type="button" id="revealpassword" value="Show Passwords" onClick="this.value=togglePasswords('Hide', 'Show', this.value);true" /></td>
</tr>
</table>
<input type="hidden" name="CGIUSERNAME" id="CGIUSERNAME" size="20" value="<SCRIPT type="text/ssperl">$LOGINUSERNAME</SCRIPT>" />
<input type="hidden" name="SERVERSALT" id="SERVERSALT" value="<SCRIPT TYPE="text/ssperl">$SERVERSALT</SCRIPT>" />
<input type="hidden" name="RANDOMSALT" id="RANDOMSALT" value="<SCRIPT TYPE="text/ssperl">$RANDOMSALT</SCRIPT>" />
<input type="hidden" name="LOGINTICKET" id="LOGINTICKET" value="<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>" />
<input type="hidden" name="SESSIONTICKET" id="SESSIONTICKET" value="" />
<input type="hidden" name="CHALLENGETICKET" id="CHALLENGETICKET" value="" />
</div>
</form>
</p>
<h2 align=CENTER>Strong Passwords: It is so easy</h2>
<h3 align=CENTER>If only you could see what you are typing</h3>
<p style="margin-left: 20%; margin-right: 20%; text-align: center">
<a href="http://xkcd.com/936/" target="_blank"><img src="http://imgs.xkcd.com/comics/password_strength.png" width="60%" /></a>
</p>
<p style="margin-left: 30%; margin-right: 30%; text-align: center">
<font style="font-size: small">
<em>
Note: For the procedures used at this site, a basic computer setup can check a billion passwords per second. You need
a password (or phrase) strength in the order of 56 bits to be a little secure (about one year on a single computer). One of
the largest networks in the world, Bitcoin mining, can check some 12 terahashes per second (June 2012). This
corresponds to checking 6 times 10<sup>12</sup> passwords per second.
It would take a password strength of ~68 bits to keep the equivalent of
the Bitcoin computer network occupied for around a year before it found
a match.<br />
An example would be the phrase '</em>sherlock investigates oleander curry in bath<em>'.
</em>
</font>
</p>
<p style="margin-left: 30%; margin-right: 30%; text-align: justify">
Your password might be vulnerable to <a href=
"https://en.wikipedia.org/wiki/Brute_force_attack"><em>brute force
</em></a> guessing. Protections against such attacks are costly in
terms of code complexity, bugs, and execution time.<br /> However,
there is a very simple and secure countermeasure. See the <a href=
"http://xkcd.com/936/" target="_blank">XKCD comic</a> above. The
phrase <em>There is no password like more password</em> would be
both much easier to remember and still stronger than <em>h4]D%@m:49
</em>, at least before this phrase was pasted as an example on the
Internet.<br /> Please add the name of your favorite
flower, dish, fictional character, or small town to your password.
Say, <em>Oleander</em>, <em>Curry</em>, <em>Sherlock</em>, or <em>Bath</em>
(each adds ~12 bits) or even the phrase <em>Sherlock investigates
oleander curry in Bath</em> (adds &gt; 56 bits; note that oleander is
<em>poisonous</em>, so do not try this curry at home). That would be
more effective than adding a thousand rounds of hashing, which buys
only ~10 bits. Typing long passwords without seeing what you are
typing is error-prone, so this form includes a button to make the
passwords visible.
</p>
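The figures in the two paragraphs above (a billion guesses per second on one machine, 6 × 10<sup>12</sup> on the 2012 Bitcoin network, ~12 bits per added word, ~10 bits for a thousand hash rounds, 56 and 68 bits for roughly a year of work) can be checked with a few lines of arithmetic. The JavaScript below is an added example; it is not part of the CGIscriptor page or of the sha.js library it ships. The 4096-word vocabulary is an assumption chosen so that one word is worth the page's ~12 bits, and the character-class model for the random password is the usual rough estimate, not something the page specifies.

```javascript
// Added example, not part of the CGIscriptor page: puts numbers on the
// password-strength argument. Attack rates are the page's own figures
// (1e9 guesses/s for one machine, 6e12 guesses/s for the June-2012 Bitcoin
// network). The vocabulary size is an assumption: a 4096-word list gives
// the page's "~12 bits per word".
const SINGLE_MACHINE_RATE = 1e9;   // guesses per second
const BITCOIN_2012_RATE = 6e12;    // guesses per second
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Bits of entropy in `length` independent uniform picks from `choices` options.
function entropyBits(choices, length) {
  return length * Math.log2(choices);
}

// Entropy of a character password, assuming each character was drawn
// uniformly from the union of the character classes that actually occur.
function passwordBits(password) {
  let alphabet = 0;
  if (/[a-z]/.test(password)) alphabet += 26;
  if (/[A-Z]/.test(password)) alphabet += 26;
  if (/[0-9]/.test(password)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(password)) alphabet += 33; // printable ASCII symbols
  return entropyBits(alphabet, password.length);
}

// Entropy of a word passphrase drawn uniformly from a list of `vocabulary`
// words. Human-chosen phrases are weaker than this, and a phrase that has
// been published (like the page's own example) is worth 0 bits.
function passphraseBits(phrase, vocabulary) {
  const words = phrase.trim().split(/\s+/).filter(Boolean);
  return entropyBits(vocabulary, words.length);
}

// Bits added by iterating the password hash `rounds` times: the attacker
// pays `rounds` hashes per guess, so log2(rounds) bits.
function stretchingBits(rounds) {
  return Math.log2(rounds);
}

// Years needed to try every secret of `bits` bits at `guessesPerSecond`.
// The expected time to the first hit is half of this.
function yearsToExhaust(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond / SECONDS_PER_YEAR;
}

// Compare the two secrets the page discusses.
function compare() {
  const random = "h4]D%@m:49";
  const phrase = "sherlock investigates oleander curry in bath";
  const out = {
    randomBits: passwordBits(random),
    phraseBits: passphraseBits(phrase, 4096),
    thousandRoundsBits: stretchingBits(1000),
  };
  out.randomYearsSingle = yearsToExhaust(out.randomBits, SINGLE_MACHINE_RATE);
  out.phraseYearsBitcoin = yearsToExhaust(out.phraseBits, BITCOIN_2012_RATE);
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

Run it with node. The two year figures are worst-case exhaustion times, half that on average, and the model credits a human-chosen phrase with far more entropy than it deserves; any phrase that has appeared in public should be treated as already cracked.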
<hr />
<p>
The Salt and Ticket values are all created using SHA256 on 64 Bytes of output from <em>/dev/urandom</em>, in HEX.
</p>
<FONT STYLE="font-size:small">
<p> Example Login page for CGIscriptor.pl<br />
Copyright &copy; 2012 R.J.J.H. van Son<br />
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br />
You should have received a copy of the GNU General Public License
along with this program. If not, see <a href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.
</p>
<p> A JavaScript implementation of the SHA family of hashes, as defined in FIPS
PUB 180-2 as well as the corresponding HMAC implementation as defined in
FIPS PUB 198a<br />
Version 1.3 Copyright Brian Turek 2008-2010
Distributed under the BSD License<br />
See <a href="http://jssha.sourceforge.net/">http://jssha.sourceforge.net/</a> for more information<br />
Several functions taken from Paul Johnson
</p>
</FONT>

</body>
</html>