Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19 IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so I apologize if this is fairly basic. I've attempted to the best of my ability to search for an answer, but no luck so far.

What I'm trying to do is generate a password hash that I can inject directly into my Mysql database (disaster recovery sort of situation). Towards that goal, I'm trying to use 'doveadm pw' to generate a hash that matches a known password in my database. Unfortunately, I'm coming up empty.

My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the passwords in the database have no scheme prefixes. I'm attempting to generate a hash with:

sudo doveadm pw -s 'MD5-CRYPT'

but the hash generated does not match the user's password hash in the database, which is known to be a good password. I'm able to log into this account successfully in both Roundcube and a remote IMAP client. I've also tried using the -p flag and including the password in the command, and that doesn't do it either, though it oddly gives a different response than using the prompt. (What causes this? Newlines?)

So... what am I missing? If the hash was salted, it would seem the hashes in the database would be longer than the ones generated at the command line, but that isn't the case. I'm out of ideas. Any guidance appreciated.

-Dave
Professa Dementia
2013-Apr-14 03:32 UTC
[Dovecot] How to manually generate a password hash
On 4/13/2013 7:10 PM, David Murphy wrote:
> Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19 IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so I apologize if this is fairly basic. I've attempted to the best of my ability to search for an answer, but no luck so far.
>
> What I'm trying to do is generate a password hash that I can inject directly into my Mysql database (disaster recovery sort of situation). Towards that goal, I'm trying to use 'doveadm pw' to generate a hash that matches a known password in my database. Unfortunately, I'm coming up empty.
>
> My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the passwords in the database have no scheme prefixes. I'm attempting to generate a hash with:
>
> sudo doveadm pw -s 'MD5-CRYPT'
>
> but the hash generated does not match the user's password hash in the database, which is known to be a good password. I'm able to log into this account successfully in both Roundcube and a remote IMAP client. I've also tried using the -p flag and including the password in the command, and that doesn't do it either, though it oddly gives a different response than using the prompt. (What causes this? Newlines?)
>
> So... what am I missing? If the hash was salted, it would seem the hashes in the database would be longer than the ones generated at the command line, but that isn't the case. I'm out of ideas. Any guidance appreciated.
>
> -Dave

Can you post one of your hashes?

Dem
On 14.04.2013 04:10, David Murphy wrote:
> Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19 IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so I apologize if this is fairly basic. I've attempted to the best of my ability to search for an answer, but no luck so far.
>
> What I'm trying to do is generate a password hash that I can inject directly into my Mysql database (disaster recovery sort of situation). Towards that goal, I'm trying to use 'doveadm pw' to generate a hash that matches a known password in my database. Unfortunately, I'm coming up empty.
>
> My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the passwords in the database have no scheme prefixes. I'm attempting to generate a hash with:
>
> sudo doveadm pw -s 'MD5-CRYPT'
>
> but the hash generated does not match the user's password hash in the database, which is known to be a good password.

*-CRYPT hashes are salted. Hence it is intended that hashes differ.

$ doveadm pw -s 'MD5-CRYPT' -p test
{MD5-CRYPT}$1$s3UfgF6q$YRupP9GlEcaU5CYUOfkFl0
$ doveadm pw -s 'MD5-CRYPT' -p test
{MD5-CRYPT}$1$yVZQVf8U$aaguS/rkQOJXu29V76nUl/

> I've also tried using the -p flag and including the password in the command, and that doesn't do it either, though it oddly gives a different response than using the prompt. (What causes this? Newlines?)

I don't understand what you are trying to say here...

- René
Professa Dementia
2013-Apr-14 10:24 UTC
[Dovecot] How to manually generate a password hash
On 4/13/2013 7:10 PM, David Murphy wrote:
> Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19 IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so I apologize if this is fairly basic. I've attempted to the best of my ability to search for an answer, but no luck so far.
>
> What I'm trying to do is generate a password hash that I can inject directly into my Mysql database (disaster recovery sort of situation). Towards that goal, I'm trying to use 'doveadm pw' to generate a hash that matches a known password in my database. Unfortunately, I'm coming up empty.
>
> My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the passwords in the database have no scheme prefixes. I'm attempting to generate a hash with:
>
> sudo doveadm pw -s 'MD5-CRYPT'
>
> but the hash generated does not match the user's password hash in the database, which is known to be a good password. I'm able to log into this account successfully in both Roundcube and a remote IMAP client. I've also tried using the -p flag and including the password in the command, and that doesn't do it either, though it oddly gives a different response than using the prompt. (What causes this? Newlines?)
>
> So... what am I missing? If the hash was salted, it would seem the hashes in the database would be longer than the ones generated at the command line, but that isn't the case. I'm out of ideas. Any guidance appreciated.
>
> -Dave

1) If your passwords are of the format $1$..., then they are in standard crypt md5 format. They are salted. The salt is between the second and third $ and the actual hash follows the third $.

2) The version of Dovecot you are running has several bugs in "doveadm pw" that you might be encountering. This will prevent you from verifying the hashes. Some of these have been fixed in the current release.

Try the following command. This should give you a "verified" response on a patched version of doveadm. (NOTE this command is all on one line, but may wrap in the email).

doveadm pw -s MD5-CRYPT -p abc123 -t '$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1'

It should reply:

$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1 (verified)

Or possibly (depending on the version of dovecot you run):

{MD5-CRYPT}$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1 (verified)

If you do not get one of the above responses to the test, you should upgrade, since your doveadm is broken.

To test your hashes, use the above command format substituting your password after -p and your hash after -t. This is only if your hashes begin with $1$..., however. If they do not, then they are not in crypt md5 format and you will need to figure out what format they are. Once again, however, you need to be running at least 2.1.17, I believe, or maybe a recent release of 2.2 that has the doveadm patches.

Dem
David Murphy writes:

http://en.wikipedia.org/wiki/Salt_%28cryptography%29

> So... what am I missing? If the hash was salted, it would seem the
> hashes in the database would be longer than the ones generated at the
> command line, but that isn't the case. I'm out of ideas. Any guidance
> appreciated.

The hashes are salted, and that is why the hashes are different, even though the same password is used. (Test it by using the output of "doveadm pw" and plugging it into your test account).

The hashes ought to be the same length. The output would be proportional to the length of your input password if they were encrypting, rather than hashing. But the length of the hash is constant + encoded(salt) + encoded(hash(password)), all of which ought to be fixed lengths.

Joseph Tam <jtam.home at gmail.com>
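
The $1$salt$hash layout Dem describes and the fixed length Joseph describes, as an added example (not code from the thread or from Dovecot): a pure-Python crypt MD5 routine that checks a password by re-hashing it with the salt taken from the stored value, which is why a freshly generated hash never matches the stored string. The function names are this example's own, and passwords are assumed to be UTF-8.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: str, salt: str) -> str:
    """Compute the crypt(3) MD5 string $1$<salt>$<22 chars> for a given salt."""
    pw, sl = password.encode(), salt.encode()[:8]     # salt is at most 8 chars
    alt = hashlib.md5(pw + sl + pw).digest()
    buf = pw + b"$1$" + sl + alt * (len(pw) // 16) + alt[:len(pw) % 16]
    i = len(pw)
    while i:                        # one extra byte per bit of the length
        buf += b"\x00" if i & 1 else pw[:1]
        i >>= 1
    final = hashlib.md5(buf).digest()
    for r in range(1000):           # fixed 1000-round stretching loop
        data = pw if r & 1 else final
        if r % 3:
            data += sl
        if r % 7:
            data += pw
        data += final if r & 1 else pw
        final = hashlib.md5(data).digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        out += "".join(ITOA64[(v >> 6 * k) & 63] for k in range(4))
    out += ITOA64[final[11] & 63] + ITOA64[final[11] >> 6]
    return f"$1${sl.decode()}${out}"

def split_stored(stored: str):
    """Return (salt, digest) from a stored value, with or without {MD5-CRYPT}."""
    parts = stored.removeprefix("{MD5-CRYPT}").split("$")
    if len(parts) != 4 or parts[:2] != ["", "1"]:
        raise ValueError("not a crypt MD5 ($1$) hash")
    return parts[2], parts[3]

def verify(password: str, stored: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    salt, digest = split_stored(stored)
    expected = f"$1${salt}${digest}".encode()
    return hmac.compare_digest(md5_crypt(password, salt).encode(), expected)

if __name__ == "__main__":
    # The two outputs posted in the thread for the same password, "test".
    for h in ("{MD5-CRYPT}$1$s3UfgF6q$YRupP9GlEcaU5CYUOfkFl0",
              "{MD5-CRYPT}$1$yVZQVf8U$aaguS/rkQOJXu29V76nUl/"):
        print(h, verify("test", h))
```

A stored value that does not split into the $1$ layout raises ValueError, matching the advice in the thread that such hashes are in some other format.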