Subject: Re: [courier-users] Can't log in via courier-pop3
From: James Homuth (jam@the-jdh.com)
Date: Mar 31, 2007 9:05:54 am
List: net.sourceforge.lists.courier-users

At 10:42 AM 3/31/2007, you wrote:

Hi.

On Saturday, 31 March 2007, James Homuth wrote:

This seems to be hexadecimal encoded (did you use PASSWORD() from a rather old mysql version?).

mysql 5.0 over here.

Uh? Which hashing function is this?

MySQL5 normally generates something like this for password:

mysql> select PASSWORD('foo');
+-------------------------------------------+
| PASSWORD('foo')                           |
+-------------------------------------------+
| *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
+-------------------------------------------+

Well, on this system, mysql's password function generates 67fada7e716dd205. At least, when I do it through phpmyadmin. Like I said I hadn't gone too deep into configuring this that and the other piece of software yet, since I'm just trying to make courier work on its own before I go throwing more into it that could potentially break.

But this is out of scope now. ;-)

You should use Salted-MD5 as used by the UNIX-Shadow-Passwords (looking like $1$foobar$...).

Well, userdbpw and mysql's md5 function disagree, so userdbpw's interpretation of it it is.

Wait...

Your users should not have access to the MySQL-database directly, I think.

They don't. And after I make sure nothing else is going to fall over, I don't intend to either.

So there must be some frontend for them or for you to create accounts.

Right now, I create accounts either by hand or through phpmyadmin. Because there's only one account on the server right now, and it's a test user, so if I horribly break something, I don't lose anything. And, I might actually learn something from it.

This frontend has to be changed to use the correct hashing.

I agree, and once I get courier working, I'll go finding one.

No need for shell accounts for users!

Ah, we've both gone and misunderstood one another. I'd originally thought the userdbpw command relied on system accounts. Meaning, when you were talking about the unix shadow passwords, I thought they were updated by that program. Which would have defeated the purpose of going the mysql route.

If I was creating my own solution for it, that's definitely what I'd do, now that I'm aware mysql's encryption's pretty much useless here.

I did NOT test it, but MySQL's ENCRYPT() gives me this:

mysql> select ENCRYPT('foo');
+----------------+
| ENCRYPT('foo') |
+----------------+
| wJrLk2nXxP1XE  |
+----------------+

This looks like the unix-crypt() that is also understood by courier. For testing purposes, this may be enough.

My use of the encrypt function gave me what you saw in the query snip of earlier. Granted I didn't do it by hand, but rather through phpmyadmin, but if it's using the exact same functions I don't see what'd change.

For production use, I would recommend switching to MD5.

And I plan to, now that I know where the problem is.

There's my problem. I created the user here just for testing's sake using phpmyadmin. Again, this was when I was thinking mysql's encryption functions would actually accomplish something. Looking for alternatives I go.

For testing purposes, you can use "userdbpw -md5" to create a password hash and put this as a regular string in your database.

I think I'll do that. At least for the moment, I'll only have to create about 2 accounts to start off with when I actually take this to production, so it's a solution while I research. Thanks a lot for the pointers.
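
Added example, not part of the original message or of Courier's own code: a small audit that classifies stored password values by shape and lists the rows that are not in one of the two formats this thread says Courier understands (unix crypt() and $1$ salted MD5). The login names, the function names and the $1$ sample value are constructed for illustration; the other sample values are the ones quoted in the thread.

```python
import re

# Shapes of the stored values discussed in this thread.
FORMATS = [
    ("md5-crypt", re.compile(r"\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}")),
    ("des-crypt", re.compile(r"[./0-9A-Za-z]{13}")),
    ("mysql-password-4.1", re.compile(r"\*[0-9A-Fa-f]{40}")),  # '*' + 40 hex
    ("mysql-password-old", re.compile(r"[0-9A-Fa-f]{16}")),    # 16 hex digits
]

# Formats the thread describes as understood by Courier.
COURIER_OK = {"md5-crypt", "des-crypt"}


def classify(stored):
    """Name the format of a stored password value, or 'unknown'."""
    for name, pattern in FORMATS:
        if pattern.fullmatch(stored):
            return name
    return "unknown"


def audit(rows):
    """Return (login, format) for rows not stored in a COURIER_OK format."""
    findings = []
    for login, stored in rows:
        fmt = classify(stored.strip())
        if fmt not in COURIER_OK:
            findings.append((login, fmt))
    return findings


# Constructed sample rows; login names are hypothetical.
SAMPLE_ROWS = [
    ("test1", "67fada7e716dd205"),                           # value from phpmyadmin
    ("test2", "*F3A2A51A9B0F2BE2468926B4132313728C250DBF"),  # PASSWORD('foo')
    ("test3", "wJrLk2nXxP1XE"),                              # ENCRYPT('foo')
    ("test4", "$1$foobar$" + "x" * 22),                      # shape only, not a real hash
    ("test5", "foo"),                                        # anything else
]

if __name__ == "__main__":
    for login, fmt in audit(SAMPLE_ROWS):
        print(f"{login}: {fmt}, regenerate with userdbpw -md5")
```

The check looks only at the shape of each value, so a row that passes can still hold a hash of the wrong password.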