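<?php
/*
  Copyright (C) 2013-2015 Grégory Soutadé

  This file is part of gPass.

  gPass is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.

  gPass is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with gPass.  If not, see <http://www.gnu.org/licenses/>.
*/

/*
  gPass configuration. Each variable below is a tunable; the comment above
  it explains what it controls and what to consider before changing it.
*/

/*
  Whether the user interface displays the ciphered (encrypted) passwords.
  Set to false to avoid leaking the database content through the user
  interface. This does NOT prevent the same data from being retrieved
  with raw HTTP requests.
 */
$VIEW_CIPHERED_PASSWORDS = true;

/*
  Allows user creation.
  While this is true, user creation stays available. Consider setting it
  to false once the accounts you need exist, unless access to user
  creation is restricted by other means.
 */
$ADMIN_MODE = true;

/*
  Number of iterations for the PBKDF2 algorithm.
  The minimum recommended level stated here is 1000, but you can increase
  this value for better security (at the cost of more computation power).

  NOTE(review): 1000 iterations is low by current key-derivation
  guidance, which recommends counts in the hundreds of thousands. For a
  new installation, choose the highest value that stays usable BEFORE any
  master key is created.

  !! Warning !! This value affects master keys: if you change it while
  master keys already exist, they become unusable!

  NOTE(review): the variable is spelled $BKDF2_LEVEL (no leading "P");
  confirm that this matches the name read by the rest of the code.
 */
$BKDF2_LEVEL = 1000;

/*
  This is a security feature: it protects against dumping or purging the
  database without authentication.
  When all entries are requested, "shadow logins" are returned instead of
  the logins/passwords. Shadow logins are random values.
  A shadow login must be encrypted using the master key and the salt
  (to generate a unique PBKDF2 derivation); the result is an access token.
  With this access token, the user has the right to get the encrypted
  login/password values and to remove them.
  It is a kind of challenge.

  This option is backward compatible with old versions (< 0.6), but
  once activated it cannot be reverted, because access tokens will be
  generated for all values. So, if you want to test it, make a copy of
  your databases first!

  For now it is deactivated because it requires a lot of CPU time
  (one derivation + two decryptions for each password!). When the
  standard crypto API is stable, it will be enabled by default.
 */
$USE_SHADOW_LOGINS = 0;

/*
  Protection against denial of service (DoS/DDoS).
  Each request can contain multiple password combinations
  (to support wildcards, for example) and multiple names.
  Currently only two passwords are sent by the addon:
      www.example.com
      *.example.com
  In the future, 'www.example.*', '*.example.*' and a lower-case username
  may also be considered.
  For maximum security, you can set it to 2.

  NOTE(review): together with $REQUESTS_MIN_DELAY this presumably bounds
  how many candidates can be tried per unit of time; verify against the
  request handler.
 */
$MAX_PASSWORDS_PER_REQUEST = 10;

/*
  Protection against brute force.
  Minimum delay (in milliseconds) between two requests.
  NOTE(review): this file does not show whether the delay is enforced per
  client or globally; confirm in the request handler.
 */
$REQUESTS_MIN_DELAY = 1000;

/*
  Clear master keys and reset passwords after 15 minutes of inactivity.
  The value is 15 * 60 * 1000 = 900000, i.e. 15 minutes in milliseconds.
 */
$CLEAR_TIME = 15 * 60 * 1000;

// The closing PHP tag is omitted on purpose: in an include-only file, any
// whitespace after it would be sent as output and could break later
// header or cookie handling.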