| From | Sent On | Attachments |
|---|---|---|
| email builder | Oct 29, 2008 3:04 am | |
| Sam Varshavchik | Oct 29, 2008 4:00 am | |
| email builder | Oct 29, 2008 11:59 am | |
| email builder | Oct 31, 2008 2:43 am | |
| email builder | Dec 1, 2008 4:37 pm | |
| Sam Varshavchik | Dec 1, 2008 5:31 pm | |
| email builder | Dec 15, 2008 10:03 pm | |
| email builder | Dec 15, 2008 10:04 pm | |
| email builder | Dec 16, 2008 2:10 am | |
| Subject: | Re: [Courier-imap] SHA passwords | |
|---|---|---|
| From: | email builder (emai...@yahoo.com) | |
| Date: | Dec 1, 2008 4:37:20 pm | |
| List: | net.sourceforge.lists.courier-imap | |
I finally got motivated to move away from crypt passwords since on my
system that limits the passwords to 8 characters. What I settled on was SHA, since it seems to be supported everywhere I need it. Unfortunately, I can't get it to work anywhere and I can't tell why.

I store my account data in MySQL. I changed the contents of my encrypted
password field (that was working 100% with crypt passwords) to look like
this:

{SHA}9afab6adfc0ec3d458fa314ddfd9b764e963144f

This is MySQL-specific hex-encoded passwords.

For Courier to recognize SHA passwords, they have to be base64-encoded, not hex-encoded, like it's done by OpenLDAP, and other systems.

Ah, I see. That kind of encoding is also what PHP does by default unless you ask for the raw hash in PHP5+.

Does anyone know if there is any way to produce a base64-encoded SHA hash using MySQL? Does anyone here use MySQL and something other than crypt passwords? What do others do to avoid the 8 character limit (ideally, I like SSHA or something else where a salt can be used)?

Bump.

Can anyone explain what they use to host passwords with more than 8 characters in a MySQL-backed virtual accounts system? Most tutorials/howto guides mostly avoid the topic completely. I also use pam-mysql for sasl authentication, which limits my choices, but it seems to support SHA passwords. Is the only way to make base64-encoded SHA passwords to write a PHP script (PHP 5+ only) to do it the long way or learn to do it in another language???

So is everyone just using plain crypt? Does anyone care about better password
security??

I did a little bit more looking today and I see that pam-mysql supports system
crypt WITH md5. I think (but have not tested) that this means that it takes an
md5 of the password first and then crypts it. (Note that I hate to think it
does the opposite, because if you have the 8 character limit in crypt(),
crypting it and THEN taking the md5 won't solve that problem!) Does anyone know
for sure how it works?

Since feedback seems in short supply, I think I will try this some time soon,
but the outstanding question is if Courier can be taught how to deal with this
kind of "MD5CRYPT" password format???
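
The encoding mismatch discussed in this thread, as an added example in Python that is not part of any poster's message or of Courier's code: it re-encodes a hex `{SHA}` field as base64 and shows why the hex form never verifies. The function names are illustrative, and the `{SSHA}` layout is the OpenLDAP one; the thread does not say whether Courier or pam-mysql accept it.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

# base64 of a 20-byte SHA-1 digest is 28 chars, so 40 hex chars is unambiguous.
HEX_SHA1 = re.compile(r"^\{SHA\}([0-9a-fA-F]{40})$")

def sha_hex_to_b64(stored):
    """Re-encode a hex '{SHA}' field (MySQL SHA1() output) as base64."""
    m = HEX_SHA1.match(stored)
    if not m:
        return stored  # already base64, or another scheme: leave untouched
    digest = binascii.unhexlify(m.group(1))
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def make_ssha(password, salt=None):
    """OpenLDAP-style salted form: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(password, stored):
    """Check a password against a base64 {SHA} or {SSHA} field."""
    try:
        if stored.startswith("{SSHA}"):
            raw = base64.b64decode(stored[6:], validate=True)
            digest, salt = raw[:20], raw[20:]
        elif stored.startswith("{SHA}"):
            digest, salt = base64.b64decode(stored[5:], validate=True), b""
        else:
            return False
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False
    candidate = hashlib.sha1(password.encode() + salt).digest()
    # A hex field decodes as base64 to 30 bytes, so it can never match here.
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    pw = "example-password"  # constructed sample, not from the thread
    hex_field = "{SHA}" + hashlib.sha1(pw.encode()).hexdigest()
    print(verify(pw, hex_field), verify(pw, sha_hex_to_b64(hex_field)))
    print(verify(pw, make_ssha(pw)))
```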





