dovecot - Apr 2013 - How to manually generate a password hash

Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19 IMAPS/SMTPS
setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so I apologize
if this is fairly basic. I've attempted to the best of my ability to search
for an answer, but no luck so far.

What I'm trying to do is generate a password hash that I can inject directly
into my Mysql database (disaster recovery sort of situation). Towards that goal,
I'm trying to use 'doveadm pw' to generate a hash that matches a
known password in my database. Unfortunately, I'm coming up empty.

My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the
passwords in the database have no scheme prefixes. I'm attempting to
generate a hash with:

  sudo doveadm pw -s 'MD5-CRYPT'

but the hash generated does not match the user's password hash in the
database, which is known to be a good password. I'm able to log into this
account successfully in both Roundcube and a remote IMAP client. I've also
tried using the -p flag and including the password in the command, and that
doesn't do it either, though it oddly gives a different response than using
the prompt. (What causes this? Newlines?)

So... what am I missing? If the hash was salted, it would seem the hashes in the
database would be longer than the ones generated at the command line, but that
isn't the case. I'm out of ideas. Any guidance appreciated.

-Dave

On 4/13/2013 7:10 PM, David Murphy wrote:
> Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19
IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so
I apologize if this is fairly basic. I've attempted to the best of my
ability to search for an answer, but no luck so far.
>
> What I'm trying to do is generate a password hash that I can inject
directly into my Mysql database (disaster recovery sort of situation). Towards
that goal, I'm trying to use 'doveadm pw' to generate a hash that
matches a known password in my database. Unfortunately, I'm coming up empty.
>
> My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the
passwords in the database have no scheme prefixes. I'm attempting to
generate a hash with:
>
>    sudo doveadm pw -s 'MD5-CRYPT'
>
> but the hash generated does not match the user's password hash in the
database, which is known to be a good password. I'm able to log into this
account successfully in both Roundcube and a remote IMAP client. I've also
tried using the -p flag and including the password in the command, and that
doesn't do it either, though it oddly gives a different response than using
the prompt. (What causes this? Newlines?)
>
> So... what am I missing? If the hash was salted, it would seem the hashes
in the database would be longer than the ones generated at the command line, but
that isn't the case. I'm out of ideas. Any guidance appreciated.
>
> -Dave
>   		 	   		
>
Can you post one of your hashes?

Dem

Am 14.04.2013 04:10, schrieb David Murphy:
> Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19
IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so
I apologize if this is fairly basic. I've attempted to the best of my
ability to search for an answer, but no luck so far.
> 
> What I'm trying to do is generate a password hash that I can inject
directly into my Mysql database (disaster recovery sort of situation). Towards
that goal, I'm trying to use 'doveadm pw' to generate a hash that
matches a known password in my database. Unfortunately, I'm coming up empty.
> 
> My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the
passwords in the database have no scheme prefixes. I'm attempting to
generate a hash with:
> 
>   sudo doveadm pw -s 'MD5-CRYPT'
> 
> but the hash generated does not match the user's password hash in the
database, which is known to be a good password.
*-CRYPT hashes are salted. Hence it is intended, that hashes differ.

$ doveadm pw -s 'MD5-CRYPT' -p test
{MD5-CRYPT}$1$s3UfgF6q$YRupP9GlEcaU5CYUOfkFl0
$ doveadm pw -s 'MD5-CRYPT' -p test
{MD5-CRYPT}$1$yVZQVf8U$aaguS/rkQOJXu29V76nUl/
> I've also tried using the -p flag and including the password in the
command, and that doesn't do it either, though it oddly gives a different
response than using the prompt. (What causes this? Newlines?)
I don't understand what you are trying to say here...

- Ren?

On 4/13/2013 7:10 PM, David Murphy wrote:
> Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19
IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so
I apologize if this is fairly basic. I've attempted to the best of my
ability to search for an answer, but no luck so far.
>
> What I'm trying to do is generate a password hash that I can inject
directly into my Mysql database (disaster recovery sort of situation). Towards
that goal, I'm trying to use 'doveadm pw' to generate a hash that
matches a known password in my database. Unfortunately, I'm coming up empty.
>
> My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the
passwords in the database have no scheme prefixes. I'm attempting to
generate a hash with:
>
>    sudo doveadm pw -s 'MD5-CRYPT'
>
> but the hash generated does not match the user's password hash in the
database, which is known to be a good password. I'm able to log into this
account successfully in both Roundcube and a remote IMAP client. I've also
tried using the -p flag and including the password in the command, and that
doesn't do it either, though it oddly gives a different response than using
the prompt. (What causes this? Newlines?)
>
> So... what am I missing? If the hash was salted, it would seem the hashes
in the database would be longer than the ones generated at the command line, but
that isn't the case. I'm out of ideas. Any guidance appreciated.
>
> -Dave
>   		 	   		
>
1) If your passwords are of the format $1$..., then they are in standard 
crypt md5 format.  They are salted.  The salt is between the second and 
third $ and the actual hash follows the third $.

2) The version of Dovecot you are running has several bugs in "doveadm 
pw" that you might be encountering.  This will prevent you from 
verifying the hashes.  Some of these have been fixed in the current release.

Try the following command.  This should give you a "verified" response
on a patched version of doveadm.  (NOTE this command is all on one line, 
but may wrap in the email).

doveadm pw -s MD5-CRYPT -p abc123 -t
'$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1'


It should reply:

$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1 (verified)

Or possibly (depending on the version of dovecot you run):

{MD5-CRYPT}$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1 (verified)



If you do not get one of the above responses to the test, you should 
upgrade, since your doveadm is broken.

To test your hashes, use the above command format substituting your 
password after -p and your hash after -t.  This is only if your hashes 
begin with $1$..., however.  If they do not, then they are not in crypt 
md5 format and you will need to figure out what format they are.

Once again, however, you need to be running at least 2.1.17, I believe, 
or maybe a recent release of 2.2 that has the doveadm patches.

Dem

David Murphy writes:

 	http://en.wikipedia.org/wiki/Salt_%28cryptography%29
> So...  what am I missing? If the hash was salted, it would seem the
> hashes in the database would be longer than the ones generated at the
> command line, but that isn't the case.  I'm out of ideas.  Any
guidance
> appreciated.
The hashes are salted, and that is why the hashes are different, even though
the same password is used.  (Test it by using the output of "doveadm
pw" and
plugging it into your test account).

The hashes ought to be the same length.  The out would be proportional
to the length of your input password if the were encrypting, rathher
than hashing.  But the length of the hash is consant + encoded(salt) +
encoded (hash(password)), all of which ought to be fixed lengths.

Joseph Tam <jtam.home at gmail.com>