On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>
> On 13 February 2019 00:34:15, Robert Moskowitz
> <rgm at htt-consult.com> wrote:
>
>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>> SHA256/512.  I am going to start clean with the stronger format, not
>>>> migrate from the old MD5.  It seems all I need is:
>>> you maybe would like to have a look to the hashing algo ARGON2I
>>> which is
>>> currently recommended for new developments and deployments.
>>
>> Recommended by whom?
>>
>> Can you provide a link?
>
> Sure, please see here:
> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>
>> And if I was adventurous about hashes, I would be looking more at
>> Keccak.
>>
>> Check out my Internet Draft:
>>
>> draft-moskowitz-small-crypto-00.txt
>
> Thanks for the tip, will have a look into it.

Keccak is a general hashing function.  It was the first of the hashing 'sponge' functions, that many have followed.  It is the basis of SHA3 (at Keccak's greatest strength).

Argon2 seems to be special-built for password hashing.  Thing is it is not supported on my CentOS7 system:

# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
SHA256-CRYPT SHA512-CRYPT

Of course SHA3 is not listed either...

On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>
> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>
>> On 13 February 2019 00:34:15, Robert Moskowitz
>> <rgm at htt-consult.com> wrote:
>>
>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>> SHA256/512.  I am going to start clean with the stronger format, not
>>>>> migrate from the old MD5.  It seems all I need is:
>>>> you maybe would like to have a look to the hashing algo ARGON2I
>>>> which is
>>>> currently recommended for new developments and deployments.
>>>
>>> Recommended by whom?
>>>
>>> Can you provide a link?
>>
>> Sure, please see here:
>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>
>>> And if I was adventurous about hashes, I would be looking more at
>>> Keccak.
>>>
>>> Check out my Internet Draft:
>>>
>>> draft-moskowitz-small-crypto-00.txt
>>
>> Thanks for the tip, will have a look into it.
>
> Keccak is a general hashing function.  It was the first of the
> hashing 'sponge' functions, that many have followed.  It is the basis
> of SHA3 (at Keccak's greatest strength).
>
> Argon2 seems to be special-built for password hashing.  Thing is it is
> not supported on my CentOS7 system:
>
> # doveadm pw -l
> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
> SHA256-CRYPT SHA512-CRYPT
>
> Of course SHA3 is not listed either...
>

ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or might not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

Aki

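A check for the point made in the reply above, that scheme availability depends on the Dovecot version and on how it was packaged (an added example, not part of the thread and not Dovecot's own code): it picks the first scheme from a preference list that appears as a whole word in the `doveadm pw -l` output. The `pick_scheme` name and the preference order are assumptions; ARGON2ID and BLF-CRYPT are Dovecot 2.3 scheme names that do not appear in the thread.

```shell
#!/bin/sh
# Assumed preference order, strongest first. ARGON2ID, ARGON2I and BLF-CRYPT
# exist only in Dovecot 2.3 builds that include them.
PREFERRED="ARGON2ID ARGON2I BLF-CRYPT SHA512-CRYPT SHA256-CRYPT PBKDF2"

# Scheme list exactly as posted in the thread (CentOS 7, Dovecot 2.2.36).
CENTOS7_LIST="MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
SHA256-CRYPT SHA512-CRYPT"

# pick_scheme LIST
# Print the first preferred scheme present in LIST and return 0; return 1
# if none is. Names are compared as whole words, so SHA512 or CRYPT in the
# list never counts as SHA512-CRYPT.
pick_scheme() {
    for want in $PREFERRED; do
        for have in $1; do
            if [ "$have" = "$want" ]; then
                printf '%s\n' "$want"
                return 0
            fi
        done
    done
    return 1
}

# On a host with Dovecot installed, check the live list instead of the sample.
if command -v doveadm >/dev/null 2>&1; then
    pick_scheme "$(doveadm pw -l)" || echo "no preferred scheme available" >&2
fi
```

For the list posted in the thread, `pick_scheme "$CENTOS7_LIST"` selects SHA512-CRYPT, since none of the Argon2 or bcrypt schemes are present in that build.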
On 2/13/19 8:30 AM, Aki Tuomi wrote:
> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>
>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>
>>> On 13 February 2019 00:34:15, Robert Moskowitz
>>> <rgm at htt-consult.com> wrote:
>>>
>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>>> SHA256/512.  I am going to start clean with the stronger format, not
>>>>>> migrate from the old MD5.  It seems all I need is:
>>>>> you maybe would like to have a look to the hashing algo ARGON2I
>>>>> which is
>>>>> currently recommended for new developments and deployments.
>>>> Recommended by whom?
>>>>
>>>> Can you provide a link?
>>> Sure, please see here:
>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>
>>>> And if I was adventurous about hashes, I would be looking more at
>>>> Keccak.
>>>>
>>>> Check out my Internet Draft:
>>>>
>>>> draft-moskowitz-small-crypto-00.txt
>>> Thanks for the tip, will have a look into it.
>> Keccak is a general hashing function.  It was the first of the
>> hashing 'sponge' functions, that many have followed.  It is the basis
>> of SHA3 (at Keccak's greatest strength).
>>
>> Argon2 seems to be special-built for password hashing.  Thing is it is
>> not supported on my CentOS7 system:
>>
>> # doveadm pw -l
>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
>> SHA256-CRYPT SHA512-CRYPT
>>
>> Of course SHA3 is not listed either...
>>
> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
> when compiling dovecot, so varying from packagers it might or might not be
> available. The CRYPT ones are available if crypt(3) supports them. In
> dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret
Fatal: Unknown scheme: ARGON2-CRYPT
# doveadm pw -s ARGON2 -p secret
Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and maintaining myself.

On 2/13/19 8:30 AM, Aki Tuomi wrote:
> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>
>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>
>>> On 13 February 2019 00:34:15, Robert Moskowitz
>>> <rgm at htt-consult.com> wrote:
>>>
>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>>> SHA256/512.  I am going to start clean with the stronger format, not
>>>>>> migrate from the old MD5.  It seems all I need is:
>>>>> you maybe would like to have a look to the hashing algo ARGON2I
>>>>> which is
>>>>> currently recommended for new developments and deployments.
>>>> Recommended by whom?
>>>>
>>>> Can you provide a link?
>>> Sure, please see here:
>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>
>>>> And if I was adventurous about hashes, I would be looking more at
>>>> Keccak.
>>>>
>>>> Check out my Internet Draft:
>>>>
>>>> draft-moskowitz-small-crypto-00.txt
>>> Thanks for the tip, will have a look into it.
>> Keccak is a general hashing function.  It was the first of the
>> hashing 'sponge' functions, that many have followed.  It is the basis
>> of SHA3 (at Keccak's greatest strength).
>>
>> Argon2 seems to be special-built for password hashing.  Thing is it is
>> not supported on my CentOS7 system:
>>
>> # doveadm pw -l
>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
>> SHA256-CRYPT SHA512-CRYPT
>>
>> Of course SHA3 is not listed either...
>>
> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
> when compiling dovecot, so varying from packagers it might or might not be
> available. The CRYPT ones are available if crypt(3) supports them. In
> dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

I just found an Argon2 binary for CentOS7:

Installing:
 argon2       armv7hl    20161029-2.el7    epel    22 k
Installing for dependencies:
 libargon2    armv7hl    20161029-2.el7    epel    26 k

How do I get Dovecot 2.2 to use it?