I'm trying to configure SSHA512 passwords and when testing discovered that they were not working as expected.

At first I was using CentOS 6.4, which doesn't have the newest glibc crypt functions ($6$salt$pass), so I had to roll back to the Dovecot format ({SSHA512.HEX}saltedpassword+salt), but I'm unable to get Dovecot to authenticate properly.

Some logs and details:

Apr 16 02:55:37 auth: Debug: client in: AUTH 1 PLAIN service=imap lip=xxx rip=xxx lport=143 rport=58171 resp=AGRpbm9AYWJjLml0AGRpbm8
Apr 16 02:55:37 auth: Debug: sql(dino at abc.it,xxxx): query: SELECT '{SSHA512.HEX}' || password as password FROM mailboxes WHERE fullusername='dino at abc.it'
Apr 16 02:55:37 auth: Info: sql(dino at abc.it,xxxx): Password mismatch (given password: dino)
Apr 16 02:55:37 auth: Error: md5_verify(dino at abc.it): Not a valid MD5-CRYPT or PLAIN-MD5 password
Apr 16 02:55:37 auth: Warning: Invalid OTP data in passdb
Apr 16 02:55:37 auth: Warning: Invalid OTP data in passdb
Apr 16 02:55:37 auth: Debug: sql(dino at abc.it,xxxx): SSHA512.HEX(dino) != 'd449914d83c85a786bcde7114b3dfdb24a651c27956388ac641d46eaf40c86e7c95ce2534348730475c8893eab314af189b3a46bf6d76b82cfba119e920813a531e985acd35c47ca8d3cafe50b595b66'
Apr 16 02:55:39 auth: Debug: client out: FAIL 1 user=dino at abc.it

Full password as taken from the database:

{SSHA512.HEX}d449914d83c85a786bcde7114b3dfdb24a651c27956388ac641d46eaf40c86e7c95ce2534348730475c8893eab314af189b3a46bf6d76b82cfba119e920813a531e985acd35c47ca8d3cafe50b595b66

The first 128 chars are the salted password, the remaining 32 the salt (hex UUID representation).

I've checked twice that the generated passwords are correct; in fact, if you salt the password (dino) you get the exact 128 chars as in the stored password, but Dovecot compares the full password with the salt (160 chars). Is this correct? Any ideas?
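The {SSHA512.HEX} layout the poster describes is, per Dovecot's password-scheme documentation, hex(SHA512(password || salt) || salt): the first 64 bytes of the decoded value are the digest, everything after them is the salt, and the salt bytes (not their hex spelling) are appended to the plaintext before hashing. The script below is an added example, not code from the thread or from Dovecot, that generates and verifies entries in that exact layout and also shows what you get if the salt is fed in as hex text or prepended instead of appended, which are the usual ways a hand-rolled generator ends up disagreeing with Dovecot. The 16-byte constructed salt and the helper names are mine.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

PREFIX = "{SSHA512.HEX}"
SHA512_LEN = 64  # bytes of digest that precede the salt in the stored value


def ssha512_hex_generate(password: str, salt: Optional[bytes] = None) -> str:
    """Return a Dovecot-style {SSHA512.HEX} entry: hex(SHA512(password || salt) || salt).

    Dovecot accepts any salt length; a 16-byte random salt is used here when none is given.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + (digest + salt).hex()


def ssha512_hex_split(entry: str) -> Tuple[bytes, bytes]:
    """Split a stored entry into (digest, salt); raise if no salt follows the 64-byte digest."""
    if entry.startswith(PREFIX):
        entry = entry[len(PREFIX):]
    raw = bytes.fromhex(entry)
    if len(raw) <= SHA512_LEN:
        raise ValueError("stored value has no salt after the 64-byte digest")
    return raw[:SHA512_LEN], raw[SHA512_LEN:]


def is_well_formed(entry: str) -> bool:
    """True when the entry decodes as hex and carries a digest plus a non-empty salt."""
    try:
        ssha512_hex_split(entry)
        return True
    except ValueError:
        return False


def ssha512_hex_verify(password: str, entry: str) -> bool:
    """Recompute SHA512(password || salt) with the stored salt and compare in constant time."""
    stored_digest, salt = ssha512_hex_split(entry)
    calc = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(calc, stored_digest)


def naive_variants(password: str, salt: bytes) -> Dict[str, bytes]:
    """Digests produced by common mistakes; none of them matches what Dovecot computes."""
    pw = password.encode("utf-8")
    return {
        # salt appended as its hex spelling rather than as raw bytes
        "hex_text_salt_appended": hashlib.sha512(pw + salt.hex().encode("ascii")).digest(),
        # raw salt, but prepended instead of appended
        "raw_salt_prepended": hashlib.sha512(salt + pw).digest(),
        # no salt at all
        "unsalted": hashlib.sha512(pw).digest(),
    }


if __name__ == "__main__":
    # Constructed sample values; the salt is the same shape (16 bytes, 32 hex chars) as in the post.
    sample_salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    entry = ssha512_hex_generate("dino", sample_salt)
    print(entry)
    print("verify dino:", ssha512_hex_verify("dino", entry))
    print("verify Dino:", ssha512_hex_verify("Dino", entry))
    correct = ssha512_hex_split(entry)[0]
    for name, digest in naive_variants("dino", sample_salt).items():
        print(f"{name}: matches Dovecot layout? {digest == correct}")
```

When a stored value fails to verify, compare its length first: the decoded value must be longer than 64 bytes, and whatever follows the digest is the salt exactly as it will be appended to the plaintext. A generator that hashes the hex string of the salt, or puts the salt first, yields 128 perfectly valid-looking hex characters that Dovecot will never match.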
On Tue, 2013-04-16 at 03:54 +0200, Marcin Czupryniak wrote:
> I'm trying to configure SSHA512 passwords and when testing discovered
> that they were not working as expected.
> At first i was using Centos 6.4 which doesn't have the glibc CRYPT
> newest functions ($6$salt$pass) so had to rollback to the Dovecot format
> ({SSHA512.HEX}saltedpassword+salt ) but I'm unable to let dovecot
> authenticate properly.
>

I have one CentOS server (5.9) and only one, so I can't test any others (they are all Slackware), but...

crypt($pass, '$6$' . $salt) on "dino" results in:

$6$n.vM3bqg3C6LPtJv$keF2z/6VXv99NKf92Abbz/sPLBcWHV2hBXOkDf41OKLqe9p7V39xcFc92K1S4WvWQ3rK0konAw.pV.YEQspuM.

So if 6.4 does not work, you are missing something. Try this:

    #!/path/to/perl
    $pass = "dino";
    @pschars = ("A" .. "Z", "a" .. "z", 0 .. 9, ".", "/");
    $salt = join '', @pschars[map { rand @pschars } (1 .. 16)];
    $sha512p = crypt($pass, '$6$' . $salt);
    print "\n $sha512p \n";