On 3/11/2013 12:20 PM, Thomas Pries wrote:
> Hi,
>
> I want to write some php code so that users can change their dovecot
> password via a roundcube plugin. I'm using the php function crypt(...) to
> generate the hashes and everything works well so far.
>
>
> I'm using doveadm pw to generate testhashes e.g.:
>
> srv:~ # doveadm pw -r 5 -s BLF-CRYPT -p abc
> {BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y
>
> I expected an "ok" when using -t with the hash and entering abc as the
> password, but I got:
>
> srv:~ # doveadm pw -r 5 -s BLF-CRYPT -t
> \{BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y
> Enter password to verify:
> doveadm(root): Fatal: reverse password verification check failed:
> Password mismatch

There are several bugs dealing with what you are doing. They are
currently in the works and will be fixed in a future release of Dovecot.
1) Crypt hashes should not have the {...} prefix. The $2a$ is the
prefix that specifies the Eksblowfish crypt hash, just like $1$
specifies the MD5 crypt hash. doveadm blindly puts the {...} in front
of all hashes, which is a bug. When the program goes to verify the
hash, it passes the entire string including the {...} part to crypt,
which fails, since it does not know what to do with it.
2) The Eksblowfish hash (the $2a$) was originally written on OpenBSD by
Niels Provos and David Mazières and was called Bcrypt (Bcrypt is the
correct name, not BLF-CRYPT as is used in Dovecot). It was rewritten by
Alexander Peslyak. This rewritten version became more popular with
Linux distros. This version, however, turned out to have a bug, which
Peslyak later fixed, but it means that $2a$ hashes were incompatible
based on which library they used: the original OpenBSD, or the buggy
Peslyak one. A new hash type, $2y$, was used to specify the correct hash.
Even OpenBSD switched to the new system to maintain compatibility,
even though their original libraries were correct.
Depending on whether your Eksblowfish (Bcrypt) libraries have been
updated or not, there could be a problem with the $2a$ hash.
First try to remove the {BLF-CRYPT} from your hash. It is not needed,
and may be enough for it to verify. If it still does not verify, then
you may have an issue with your crypt libraries. You might then try
changing the $2a$ to $2y$ and see if that makes the Eksblowfish
libraries happy.
Dem
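
As an added example (not code from either poster, and not part of Dovecot or Roundcube), here is a small PHP helper in the spirit of the plugin Thomas describes. It splits off the Dovecot "{SCHEME}" wrapper before anything is handed to crypt(), since PHP's crypt() only understands the modular "$2a$…" style prefix, checks that what is left is a well-formed bcrypt string (identifier, two-digit cost, 22-character salt and 31-character digest), verifies a password against it with a constant-time comparison, and optionally retries a "$2a$" hash as "$2y$" as suggested above. The function names are my own, the hash fed to it is the one from the thread, and the script simply prints whatever crypt() returns for it rather than assuming the outcome. Requires PHP 7.1 or newer for the short list syntax and password_hash.

```php
<?php
declare(strict_types=1);

/**
 * Split an optional Dovecot "{SCHEME}" wrapper off a stored password string.
 * Returns [scheme, hash]; scheme is null when there is no wrapper.
 */
function splitDovecotHash(string $stored): array
{
    if (preg_match('/^\{([A-Za-z0-9.\-]+)\}(.*)$/s', $stored, $m)) {
        return [strtoupper($m[1]), $m[2]];
    }
    return [null, $stored];
}

/**
 * True when $hash is a well-formed bcrypt string: $2a$/$2b$/$2y$ identifier,
 * two-digit cost 04..31, then 22 salt chars + 31 digest chars from the
 * bcrypt base64 alphabet ("./A-Za-z0-9").
 */
function isBcryptHash(string $hash): bool
{
    return (bool) preg_match(
        '#^\$2[aby]\$(0[4-9]|[12][0-9]|3[01])\$[./A-Za-z0-9]{53}$#',
        $hash
    );
}

/**
 * Verify $password against a bcrypt hash (without any {SCHEME} wrapper).
 * With $retryAs2y set, a "$2a$" hash that does not verify is retried with
 * the "$2y$" identifier, which is the workaround the reply above suggests.
 */
function verifyBcrypt(string $password, string $hash, bool $retryAs2y = true): bool
{
    if (!isBcryptHash($hash)) {
        return false;                       // refuse to feed crypt() junk
    }
    // crypt() returns a short string starting with "*" on failure, so the
    // constant-time comparison below also covers that case.
    if (hash_equals($hash, crypt($password, $hash))) {
        return true;
    }
    if ($retryAs2y && substr($hash, 0, 4) === '$2a$') {
        $alt = '$2y$' . substr($hash, 4);
        return hash_equals($alt, crypt($password, $alt));
    }
    return false;
}

/**
 * Build a fresh "{BLF-CRYPT}$2y$..." string for a new password. PHP's
 * password_hash picks a random salt and always emits the $2y$ identifier.
 */
function makeDovecotBcrypt(string $password, int $cost = 10): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if (!is_string($hash)) {
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    return '{BLF-CRYPT}' . $hash;
}

// --- Walk through the hash from the thread (cost 5, "-r 5" in doveadm terms) ---
$stored = '{BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y';
[$scheme, $hash] = splitDovecotHash($stored);
printf("scheme=%s  well-formed bcrypt=%s\n", $scheme ?? '(none)', isBcryptHash($hash) ? 'yes' : 'no');
printf("verify 'abc' against stored hash: %s\n", verifyBcrypt('abc', $hash) ? 'ok' : 'mismatch');
printf("verify 'wrong' against stored hash: %s\n", verifyBcrypt('wrong', $hash) ? 'ok' : 'mismatch');

// --- Generate and round-trip a new password as the plugin would store it ---
$new = makeDovecotBcrypt('new-secret', 12);
[, $newHash] = splitDovecotHash($new);
printf("new entry: %s\n", $new);
printf("new entry verifies: %s\n", verifyBcrypt('new-secret', $newHash) ? 'ok' : 'mismatch');
```

Storing the "{BLF-CRYPT}" wrapper is what lets Dovecot pick the scheme per entry; the wrapper only has to go before the string reaches PHP's crypt(). For anything generated on the PHP side, password_hash already emits "$2y$", so the retry branch is only ever exercised for hashes that came from elsewhere.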