鋭意作成中です - Mitsuhiro Yoshida 2009年11月25日 (水) 06:06 (UTC)

パスワードSALTとは?

パスワードは、md5 hashと呼ばれる、暗号化された形でMoodle内に保存されます。

パスワードSALTは、md5ハッシュが計算される前、パスワードにランダム文字列を追加して、さらにパスワードを安全にする手法です。パスワードSLATにより、パスワードの推測がさらに難しくなります (ランダム文字列を大きくするほど、推測の困難さが増します)。

パスワードSALTを有効にする

パスワードSALTを設定するには、あなたのconfig.phpファイルに次の行を追加してください:

$CFG->passwordsaltmain = 'ここにランダムな半角文字列を記述してください';

ランダム文字列は、数字および他の文字を混ぜた形で記述してください。適切な長いランダム文字列を取得するため、Moodle Salt Generatorを使用することができます。ストリング長は、少なくとも40文字を推奨します。

注意: For security reasons the only way to enable password salting is by editing config.php - there is no way to do so in the Moodle interface.

SALTを変更する

If for any reason you wish to change the salt, the old salt must be retained in config.php in addition to the new salt.

passwordsaltmain should be changed to passwordsaltalt1 (note that the exact expressions must be used) for the old salt as follows:

$CFG->passwordsaltalt1 = 'old long random string';
$CFG->passwordsaltmain = 'new long random string';

If you change your salt again in the future, you must retain all the previous salts for some time (until every user has logged in at least once, so they start using the new salt). You can use $CFG->passwordsaltalt2, $CFG->passwordsaltalt3, etc. to keep up to 20 previous salts.

Warning: If you change the salt and do not retain the old one in config.php you will no longer be able to login to your site!

SALTを無効にする

Note: Not Recommended! Once enabled, you should leave password salt enabled.

To disable password salting in Moodle, you can delete, comment out, or change the value of passwordsaltmain to "empty"

// EXAMPLE: set to empty string
$CFG->passwordsaltmain = '';

// EXAMPLE: comment out
/*
$CFG->passwordsaltmain = '';
*/

However, you are not done! You must also move the old salt to an "alt" value, just like the "changing the salt" description, above:

$CFG->passwordsaltalt1 = 'old long random string';
$CFG->passwordsaltmain = '';

Importing users from another site

If you import users from another Moodle site which uses a password salt, you need to add the other site's salt to config.php too. Upto 20 alternate salts may be added

$CFG->passwordsaltalt1, $CFG->passwordsaltalt2, ...  $CFG->passwordsaltalt20

パスワードSALTは、どのように動作しますか?

When a password is checked, the code looks for CFG->passwordsaltmain. If set, it appends the user's password to the salt before calculating the md5 hash.

If the unsalted md5 hash of a user's password validates, it is assumed that the salt was set for the first time since the last time the user logged in. The user's password is upgraded, using the salt. The password is salted during the first login after the salt was set in config.php.

If neither the unsalted md5 hash, or the salted md5 hash validates, the code looks for up to 20 alternate salts.

If you change salts, in order not to orphan existing user accounts, you must enter the old salt into one of the alternate slots.

When a user who has an "old salt" password logs in, the first test of their authentication with the new salt will fail... then the code will test any alternate salts, looking for one that allows the password to be proven valid.

If a user is deemed valid, the system will upgrade the user's hashed password to the latest salt.