>> Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard. The implementation looks like a single function to generate the hash. I'm not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
>>
> It already does. As previously stated.

It doesn't for me. I'm building Dovecot from source (v2.2.24) in a Docker container using Ubuntu 14.04.

Does BLF-CRYPT work for you?

Maybe I'm not building Dovecot correctly. I install libssl-dev and libmysqlclient-dev and do:

$ ./configure --prefix=/usr --sysconfdir=/etc --with-mysql
$ make
$ make install

Am I missing some library/switch to enable BLF-CRYPT?

I just did a quick Google search, and it appears that Ubuntu 14.04 doesn't have support for BLF-CRYPT according to this issue:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252

Actually, now that I've researched this a bit more, it was a mistake for my PHP app to make BLF-CRYPT password hashes since SHA512-CRYPT with a high number of rounds should be just as good. If Ubuntu 16.04 didn't add support for BLF-CRYPT, I guess I will have to implement a Checkpassword script for Dovecot that might generate SHA512-CRYPT replacement hashes after successfully checking against the BLF-CRYPT hashes. I'm no Dovecot expert, but I think I can have multiple passdbs so the first passdb mysql lookup will be set to fail if it finds a BLF-CRYPT hash so the Checkpassword script would only be run once per failed mysql lookup.

Hopefully, I just missed some ./configure switch to enable BLF-CRYPT and don't have to deal with converting BLF-CRYPT to SHA512-CRYPT just for Dovecot.

Kevin

> On Jun 5, 2016, at 7:43 PM, Edgar Pettijohn <edgar at pettijohn-web.com> wrote:
>
> Sent from my iPhone
>
> On Jun 5, 2016, at 6:16 PM, KT Walrus <kevin at my.walr.us> wrote:
>
>>> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
>>
>> I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.
>>
>> I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.
>>
>> Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard. The implementation looks like a single function to generate the hash. I'm not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
>>
> It already does. As previously stated.
>
>> This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.
>>
>> Kevin
>>
>>> On Jun 4, 2016, at 9:53 AM, Patrick Domack <patrickdk at patrickdk.com> wrote:
>>>
>>> Quoting KT Walrus <kevin at my.walr.us>:
>>>
>>>> (I subscribed to a daily digest for this list and can't figure out how to reply to a reply.)
>>>>
>>>> Anyway, Aki Tuomi replied to my feature request saying:
>>>>
>>>>> We support in latest 2.2 release
>>>>>
>>>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT
>>>>> SHA512-CRYPT
>>>>>
>>>>> There is also blowfish support as BLF-CRYPT, but that requires that your
>>>>> system supports it. CRYPT supports whatever your crypt() supports.
>>>>
>>>> The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn't support SHA512-CRYPT or BLF-CRYPT.
>>>>
>>>> If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.
>>>
>>> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
>>>
>>> My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.
>>>
>>> The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.

On 16-06-05 20:36:35, KT Walrus wrote:
> >> Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard. The implementation looks like a single function to generate the hash. I'm not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
> >>
> > It already does. As previously stated.
>
> It doesn't for me. I'm building Dovecot from source (v2.2.24) in a Docker container using Ubuntu 14.04.
>
> Does BLF-CRYPT work for you?

Yes, but I don't use ubuntu.

> Maybe I'm not building Dovecot correctly. I install libssl-dev and libmysqlclient-dev and do:
>
> $ ./configure --prefix=/usr --sysconfdir=/etc --with-mysql
> $ make
> $ make install
>
> Am I missing some library/switch to enable BLF-CRYPT?

Does your libc support it?

$ man crypt || $ man bcrypt

> I just did a quick Google search, and it appears that Ubuntu 14.04 doesn't have support for BLF-CRYPT according to this issue:
>
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252
>
> Actually, now that I've researched this a bit more, it was a mistake for my PHP app to make BLF-CRYPT password hashes since SHA512-CRYPT with a high number of rounds should be just as good. If Ubuntu 16.04 didn't add support for BLF-CRYPT, I guess I will have to implement a Checkpassword script for Dovecot that might generate SHA512-CRYPT replacement hashes after successfully checking against the BLF-CRYPT hashes. I'm no Dovecot expert, but I think I can have multiple passdbs so the first passdb mysql lookup will be set to fail if it finds a BLF-CRYPT hash so the Checkpassword script would only be run once per failed mysql lookup.

Changing your php app will probably be the easiest solution.

> Hopefully, I just missed some ./configure switch to enable BLF-CRYPT and don't have to deal with converting BLF-CRYPT to SHA512-CRYPT just for Dovecot.
>
> Kevin

--
Edgar Pettijohn

> On Jun 5, 2016, at 8:54 PM, Edgar Pettijohn <edgar at pettijohn-web.com> wrote:
>
> Changing your php app will probably be the easiest solution.

Since I'm using Docker, the easiest solution for me is to find a linux distro that can run Dovecot well and supports BLF-CRYPT as well. What Linux distros support BLF-CRYPT and are well tested and secure?
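
Added example (not part of the original thread and not Dovecot code): a shell probe for the question raised above, whether the system crypt() on a given distro image can compute BLF-CRYPT and the SHA-crypt schemes. It assumes perl is installed, since perl's crypt() calls the libc routine; the salts, the password and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: which crypt(3) schemes can this host's libc compute?
# Assumption: perl is installed; its crypt() passes straight through to libc.

# Constructed settings (salts) per Dovecot scheme name; not real credentials.
# The $2y$ prefix is what PHP's password_hash() emits for Blowfish hashes.
salt_for() {
    case "$1" in
        BLF-CRYPT)    printf '%s' '$2y$05$CCCCCCCCCCCCCCCCCCCCC.' ;;
        SHA512-CRYPT) printf '%s' '$6$constructedsalt$' ;;
        SHA256-CRYPT) printf '%s' '$5$constructedsalt$' ;;
        *) return 1 ;;
    esac
}

# Map a stored hash to the Dovecot scheme that would have to verify it.
scheme_of_hash() {
    case "$1" in
        '$2a$'*|'$2b$'*|'$2y$'*) echo BLF-CRYPT ;;
        '$6$'*)                  echo SHA512-CRYPT ;;
        '$5$'*)                  echo SHA256-CRYPT ;;
        *)                       echo UNKNOWN ;;
    esac
}

# Prints one of: supported | unsupported | no-perl | unknown-scheme
probe_scheme() {
    salt=$(salt_for "$1") || { echo unknown-scheme; return 0; }
    command -v perl >/dev/null 2>&1 || { echo no-perl; return 0; }
    out=$(perl -e 'my $h = crypt($ARGV[0], $ARGV[1]); print defined $h ? $h : "";' \
        'constructed-password' "$salt" 2>/dev/null) || out=""
    # A libc that knows the scheme echoes the setting back, followed by the digest.
    case "$out" in
        "$salt"?*) echo supported ;;
        *)         echo unsupported ;;
    esac
}

# Report for the schemes discussed in the thread.
for s in BLF-CRYPT SHA512-CRYPT SHA256-CRYPT; do
    printf '%-13s %s\n' "$s" "$(probe_scheme "$s")"
done
```

Run it inside the candidate container image: as stated in the thread, BLF-CRYPT depends on the system supporting it, so "unsupported" here means the existing PHP hashes cannot be verified through crypt() on that image.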