ENCRYPTED PASSWORDS DOC		Started: 2013-07-09	Updated: 2021-05-05


NOTE: THIS FEATURE IS OPTIONAL, AND SHOULD ONLY BE ACTIVATED AFTER YOUR SYSTEM 
      HAS BEEN INSTALLED, CONFIGURED AND TESTED!

NOTE: Additional password security features are mentioned at the bottom of this
      document.


INSTALL:

Perl CPAN module required for Password Encryption to function:
NOTE: this must be installed on all webservers if you have more than one

On the Linux command line of your webserver(s), type the following:

cpan
install Crypt::Eksblowfish::Bcrypt
quit

Then, go to the admin web interface Admin -> System Settings page and manually 
confirm that Password Encryption is DISABLED (fifth item from the top)
	
Then, run the following CLI script: (run in test mode first!)
   /usr/share/astguiclient/ADMIN_bcrypt_convert.pl --debugX --test

Then if no errors are shown, run the same script above WITHOUT the --test flag.
NOTE:  If you also want to clear the plaintext passwords from the users table, 
you can run the above script with the --clear-plaintext-pass flag

Now if you go back to the admin web interface Admin -> System Settings page, you
should see that Password Encryption is now ENABLED.

You should not have to do anything else to use fully encrypted passwords on your
system. 

You can confirm that the encryption perl script can run with apache by using a
command similar to this:
	sudo -u wwwrun /srv/www/htdocs/agc/bp.pl --debugX --pass=test

If you receive errors from the above command, you may need to change permissions
on the perl modules directories on your webserver:
	chmod -R a+x /usr/lib/perl5/vendor_perl/5.18.1/i586-linux-thread-multi/*



DESCRIPTION:

This new optional feature is part of the security enhancements that have been 
made to the Vicidial Contact Center System in our 2.8 development branch(during
the summer of 2013). After consulting with security experts, we added several 
new security features to the web interfaces and closed several security 
vulnerabilities as well.

The first major change was protecting against most SQL injection attacks. The
second major change was locking a user's account for 15 minutes after 10 failed
login attempts, which removes the vulnerability of the system to brute force
password attacks. Password encryption is the third major change, which protects
user passwords even if the system is compromised and the users database table is
downloaded.

We use the Bcrypt hashing algorithm, which allows for variable rates of 
calculating the hash from a password and a salt. This variable "cost" is
definable in the system before you activate password encryption, and this is 
what allows bcrypt to increase the complexity of the hash as computer systems
improve calculation ability, which makes Bcrypt the ideal choice for a system
that could be installed for many years.

All password checking goes through the bp.pl perl script to generate the Bcrypt
hash that checks against the vicidial_users table password hash if Password
Encryption is enabled on your system.

NOTES: 
1. Enabling Password Encryption will force case-sensitive passwords
2. Passwords only allow letters and numbers, NOT symbols


To test the password encryption, or to generate a pass hash manually, just go to
your web server and run this command on the bp.pl script:

	/srv/www/htdocs/agc/bp.pl --pass=test

You can also use the above command to generate a new password hash if you have
forgotten your password and update the database with the new value manually:

	UPDATE vicidial_users set pass_hash='kfYvywV959fn09rSZML70wHjjxsaYjm' where user='123';



ADDITIONAL USER SECURITY TOOLS:
1. Passwords can now be up to 100 characters: According to new NIST password security guidelines, the length of a password is the single most important point in the security of that password.
2. Minimum password lengths: This setting will require that user passwords, phone and server passwords, and system settings default passwords be at least this minimum length of characters when those records settings are modified on the Modify pages. There is also a "PASSWORD LENGTH" indicator on the Modify pages to show you how long a password is as it is being typed.
3. Add an automated process that can deactivate accounts that have not been logged in to in over X number of days(see below)
4. Two-Factor Authentication has been added as an option within the VICIdial admin web screens, allowing Email, Phone-Call and SMS methods with definable session expiration times. See the 2FA_TWO_FACTOR_AUTHENTICATION.txt doc for more info. 


NOTE: This is something an Admin will have to set up on your system.


Here's an example that will set users to active=N if they haven't logged in in the last 90 days - 


Create a Settings Container called "SQL_set_inactive_users" with the following as the Container Entry:

UPDATE vicidial_users SET active='N' where last_login_date < CONCAT(DATE_ADD(NOW(), INTERVAL -90 DAY)) and user!='6666';


Have the Admin add this CRONTAB entry on only one dialer in your cluster:

### set users active=N if they haven't logged in in the last 90 days, run at 2:00am every day
0 2 * * * /usr/share/astguiclient/AST_settings_container_SQL.pl --container=SQL_set_inactive_users -q
