password hashing with courier + mysql

Hello all,

This topic may have been discussed before, but I can't find a solution via google or by searching through list archives. Perhaps one of you can help me.

I'm using Courier MTA with mysql as the authentication back-end. As of now, the passwords are hashed using the older DES based algorithm. However, my crypt (3) implementation supports md5, as well as sha256 or sha512 hashes. I'd like the passwords to be hashed using one of these methods. In particular, if a user sets his password via sqwebmail I'd like one of these newer hashing methods to be used. Is there a way to make this happen? If not, can someone suggest alternatives such as pointing me to where in the source code I'd need to look to modify this behavior?

Thank you in advance for your help.

--
Those of you who think they know everything are very annoying to those of us who actually do.
Joseph C. Lininger, <jbahm@...>

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference
_______________________________________________
courier-users mailing list
courier-users@...
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: password hashing with courier + mysql

Joseph C. Lininger writes:

> I'm using Courier MTA with mysql as the authentication back-end. As of
> now, the passwords are hashed using the older DES based algorithm.
> However, my crypt (3) implementation supports md5, as well as sha256 or
> sha512 hashes. I'd like the passwords to be hashed using one of these
> methods.

You'll need to manually set a password encoded using one of the supported hash functions. When changing a password, Courier will use the same hash function as the existing password.
Re: password hashing with courier + mysql

Sam,

> You'll need to manually set a password encoded using one of the supported hash function.
> When changing a password, Courier will use the same hash function as the existing
> password.

I got it to work with the MD5 hashing method by manually setting a password. However, if I try using the SHA512 hash, the one I'd really prefer to use, it will authenticate fine with the password. However, if I change it in sqwebmail, then it reverts to the DES based algorithm. I get a hash string in the form {CRYPT}<DES hash>. Is this a Courier thing, something with my setup, or a me thing?

To let you know what I did, I first used the encrypt function in mysql to set the password on an account. I passed $6$ followed by 8 random characters and the $ character as the salt argument to that function. Then I checked the string in the table. Fine so far. Then I set the password in sqwebmail and then checked it again in mysql. Now is when the reverting back to DES based algorithm happened.

If I must use the MD5 based algorithm I will. But I'd really prefer SHA256 or SHA512 if it can be done. Please advise?

--
Those of you who think they know everything are very annoying to those of us who actually do.
Joseph C. Lininger, <jbahm@...>
Re: password hashing with courier + mysql

Joseph C. Lininger writes:

> I got it to work with the MD5 hashing method by manually setting a
> password. However, if I try using the SHA512 hash, the one I'd really
> prefer to use, it will authenticate fine with the password. However, if
> I change it in sqwebmail, then it reverts to the DES based algorithm. I
> get a hash string in the form {CRYPT}<DES hash>. Is this a Courier
> thing, something with my setup, or a me thing?
>
> To let you know what I did, I first used the encrypt function in mysql
> to set the password on an account. I passed $6$ followed by 8 random
> characters and the $ character as the salt argument to that function.
> Then I checked the string in the table. Fine so far.

Courier does not support this particular password encryption function. I'm not sure how you're even able to validate such a password. The only way this might work is if you're using PAM to authenticate, with your PAM library implementing support for this encryption method. However were this to be the case, you should also be using PAM to set the password, via a scripted expect session:

http://www.courier-mta.org/authlib/README_authlib.html#pwchange

This would also use your system PAM library to actually update your password, which presumably would implement your encryption function.

So, I can't give you any more pointers since you did not adequately describe your configuration. All I can tell you is that Courier recognizes $1${salt}$password, an MD5-based salted hashing (not a straight MD5 hash, btw); {MD5}password, a base64-encoded straight MD5 hash; {MD5RAW}password, a hexadecimal-encoded straight MD5 hash; {SHA}password, {SHA256}password and {SHA512}password, a base64-encoded straight SHAx hash; {SSHA}password, a base64-encoded salted SHA1 hash method; and the legacy DES-based passwords.
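As an added example (not from this thread, and not Courier's or courier-authlib's own code): a small Python script that classifies a stored password string by the prefixes Sam lists above and verifies the prefix-tagged schemes ({MD5}, {MD5RAW}, {SHA}, {SHA256}, {SHA512}, {SSHA}) natively with hashlib, the way Sam says Courier implements them. The crypt(3)-style forms ($1$, $5$, $6$ and the legacy 13-character DES string, with or without a {CRYPT} tag) are only classified, since those need the platform crypt(3); that is also what lets Joseph's $6$ string be validated only where the local crypt(3) happens to support it. The SSHA layout (base64 of the SHA-1 digest followed by the salt) is an assumption taken from the common LDAP convention; the thread does not state Courier's exact layout, and all sample strings are constructed.

```python
"""Classify and verify Courier-style stored password strings.

Added example for the courier-users thread, not code from Courier or
courier-authlib. The prefix-tagged schemes are computed with hashlib;
the crypt(3)-style forms are only classified by their $id$ prefix.
Assumption: {SSHA} is base64(sha1(password + salt) + salt), the usual
LDAP layout; Courier's exact layout was not stated in the thread.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Scheme tag -> hashlib algorithm for the natively computed, unsalted schemes.
NATIVE = {"MD5": "md5", "MD5RAW": "md5", "SHA": "sha1",
          "SHA256": "sha256", "SHA512": "sha512"}


def classify_crypt(s: str) -> str:
    """Classify a crypt(3)-style string by its $id$ prefix or DES shape."""
    if s.startswith("$1$"):
        return "CRYPT-MD5"        # glibc MD5-crypt, recognised by Courier
    if s.startswith("$5$"):
        return "CRYPT-SHA256"     # glibc SHA-crypt; needs the platform crypt(3)
    if s.startswith("$6$"):
        return "CRYPT-SHA512"     # glibc SHA-crypt; needs the platform crypt(3)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", s):
        return "CRYPT-DES"        # legacy 2-char salt + 11-char hash
    return "UNKNOWN"


def classify(stored: str) -> str:
    """Return the scheme a stored string uses; untagged strings are crypt(3)."""
    m = re.match(r"\{([A-Z0-9]+)\}", stored)
    if not m:
        return classify_crypt(stored)
    tag = m.group(1)
    if tag == "CRYPT":
        return classify_crypt(stored[len("{CRYPT}"):])
    if tag in NATIVE or tag == "SSHA":
        return tag
    return "UNKNOWN"


def _native_digest(scheme: str, pw: bytes) -> str:
    """Encode the unsalted digest as Courier stores it (hex for MD5RAW)."""
    digest = hashlib.new(NATIVE[scheme], pw).digest()
    return digest.hex() if scheme == "MD5RAW" else base64.b64encode(digest).decode()


def make_hash(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Produce a stored string for one of the natively implemented schemes."""
    pw = password.encode()
    if scheme in NATIVE:
        return "{%s}%s" % (scheme, _native_digest(scheme, pw))
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("%s must be produced by crypt(3), not here" % scheme)


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored string for the native schemes."""
    scheme = classify(stored)
    pw = password.encode()
    if scheme in NATIVE:
        body = stored[len(scheme) + 2:]          # strip the "{TAG}" prefix
        if scheme == "MD5RAW":
            body = body.lower()
        return hmac.compare_digest(_native_digest(scheme, pw), body)
    if scheme == "SSHA":
        blob = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = blob[:20], blob[20:]      # a SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise NotImplementedError("%s: hand the string to crypt(3) instead" % scheme)


if __name__ == "__main__":
    # Constructed sample strings shaped like the ones discussed in the thread.
    samples = ["{CRYPT}abJnggxhB/yWI", "$1$saltsalt$xxxxxxxxxxxxxxxxxxxxxx",
               "$6$saltsalt$yyyy", make_hash("SHA512", "secret"),
               make_hash("SSHA", "secret")]
    for s in samples:
        print("%-13s %s" % (classify(s), s))
    print(verify("secret", make_hash("SHA256", "secret")))
```

The classifier makes Sam's point concrete: only the tagged schemes and $1$ are Courier's own, and everything else is passed to crypt(3) as-is, which is why a $6$ string can authenticate on a host whose libc implements it while the password-change path still has no SHA-crypt implementation to fall back on.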
Re: password hashing with courier + mysql

Sam,

> Courier does not support this particular password encryption function. I'm not sure
> how you're even able to validate such a password. The only way this might work is
> if you're using PAM to authenticate, with your PAM library implementing support
> for this encryption method. However were this to be the case, you should also be
> using PAM to set the password, via a scripted expect session:

I am not using pam for authentication in Courier. I'm using authmysql. Probably the reason authentication works was pure luck, the way Courier makes the crypt (3) call. The SHA512 based password hashing in my implementation is compatible to an extent with the MD5 based algorithm in wider circulation. Depending on exactly how Courier reads the password string and processes it through crypt (3) it could likely work without you ever intending for it to have done. Having it carry over to password changes, now, that requires some handling.

I'd be willing to make the modifications and submit a patch if you'd be willing to point me to a starting point in the code. I could find it myself, but as the author if you told me where to look you'd shave a lot of time off the analysis and modification time. I'll probably go ahead and make the modifications and at least make the capability available through a private patch even if you aren't interested in having it in the mainline Courier distribution because I and some people I work with have a use for it. If you want to use it though, I'll do the work to add it and give it to you in the form of a patch.

--
Those of you who think they know everything are very annoying to those of us who actually do.
Joseph C. Lininger, <jbahm@...>
Re: password hashing with courier + mysql

Joseph C. Lininger writes:

> I am not using pam for authentication in Courier. I'm using authmysql.
> Probably the reason authentication works was pure luck, the way Courier
> makes the crypt (3) call. The SHA512 based password hashing in my
> implementation is compatible to an extent with the MD5 based algorithm
> in wider circulation. Depending on exactly how Courier reads the
> password string and processes it through crypt (3) it could likely work
> without you ever intending for it to have done. Having it carry over to
> password changes, now, that requires some handling. I'd be willing to
> make the modifications and submit a patch if you'd be willing to point
> me to a starting point in the code. I could find it myself, but as the
> author if you told me where to look you'd shave a lot of time off the
> analysis and modification time. I'll probably go ahead and make the
> modifications and at least make the capability available through a
> private patch even if you aren't interested in having it in the mainline
> Courier distribution because I and some people I work with have a use
> for it. If you want to use it though, I'll do the work to add it and
> give it to you in the form of a patch.

[...] passwords. It essentially reimplements the entire algorithm that computes this hash. Except for the original crypt passwords, all hash functions are implemented natively in Courier. At the time of the original implementation, crypt() only did the crypt method, the new salted md5 passwords were implemented separately in glibc. From what you're telling me, it looks like all the hash functions have now been folded into crypt(), and that's how you pull this off.

Implementing the new hash function within the existing framework is going to be a bear. Reimplementing the entire $6$ algorithm will be an adventure. But if you want to give it a shot:

All the password stuff is in the courier-authlib package. Verifying an existing password is done in authcheckpassword(), in checkpassword.c. Changing an existing password is implemented in authcryptpasswd(), in cryptpassword.c. This code is fairly old, but it works. If you want to take a shot in cleaning it up, go for it.