On 2/13/19 8:30 AM, Aki Tuomi wrote:
> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>
>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>
>>> On 13 February 2019 00:34:15, Robert Moskowitz
>>> <rgm at htt-consult.com> wrote:
>>>
>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>>> SHA256/512. I am going to start clean with the stronger format, not
>>>>>> migrate from the old MD5. It seems all I need is:
>>>>> you maybe would like to have a look to the hashing algo ARGON2I
>>>>> which is
>>>>> currently recommended for new developments and deployments.
>>>> Recommended by whom?
>>>>
>>>> Can you provide a link?
>>> Sure, please see here:
>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>
>>>>
>>>> And if I was adventurous about hashes, I would be looking more at
>>>> Keccak.
>>>>
>>>> Check out my Internet Draft:
>>>>
>>>> draft-moskowitz-small-crypto-00.txt
>>> Thanks for the tip, will have a look into it.
>> Keccak is a general hashing function. It was the first of the
>> hashing 'sponge' functions, that many have followed. It is the basis
>> of SHA3 (at Keccak's greatest strength).
>>
>> Argon2 seems to be special-built for password hashing. Thing is it is
>> not supported on my CentOS7 system:
>>
>> # doveadm pw -l
>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
>> SHA256-CRYPT SHA512-CRYPT
>>
>> Of course SHA3 is not listed either...
>>
> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
> when compiling dovecot, so varying from packagers it might or might not be
> available. The CRYPT ones are available if crypt(3) supports them. In
> dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret
Fatal: Unknown scheme: ARGON2-CRYPT
# doveadm pw -s ARGON2 -p secret
Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and maintaining myself.

> On 13 Feb 2019, at 14:54, Robert Moskowitz via dovecot <dovecot at dovecot.org> wrote:
>
> On 2/13/19 8:30 AM, Aki Tuomi wrote:
>> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>>
>>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>>
>>>> On 13 February 2019 00:34:15, Robert Moskowitz
>>>> <rgm at htt-consult.com> wrote:
>>>>
>>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>>>> SHA256/512. I am going to start clean with the stronger format, not
>>>>>>> migrate from the old MD5. It seems all I need is:
>>>>>> you maybe would like to have a look to the hashing algo ARGON2I
>>>>>> which is
>>>>>> currently recommended for new developments and deployments.
>>>>> Recommended by whom?
>>>>>
>>>>> Can you provide a link?
>>>> Sure, please see here:
>>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>>
>>>>>
>>>>> And if I was adventurous about hashes, I would be looking more at
>>>>> Keccak.
>>>>>
>>>>> Check out my Internet Draft:
>>>>>
>>>>> draft-moskowitz-small-crypto-00.txt
>>>> Thanks for the tip, will have a look into it.
>>> Keccak is a general hashing function. It was the first of the
>>> hashing 'sponge' functions, that many have followed. It is the basis
>>> of SHA3 (at Keccak's greatest strength).
>>>
>>> Argon2 seems to be special-built for password hashing. Thing is it is
>>> not supported on my CentOS7 system:
>>>
>>> # doveadm pw -l
>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
>>> SHA256-CRYPT SHA512-CRYPT
>>>
>>> Of course SHA3 is not listed either...
>>>
>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
>> when compiling dovecot, so varying from packagers it might or might not be
>> available. The CRYPT ones are available if crypt(3) supports them. In
>> dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
>
> CentOS7 is on dovecot 2.2.36:
>
> # doveadm pw -s ARGON2-CRYPT -p secret
> Fatal: Unknown scheme: ARGON2-CRYPT
> # doveadm pw -s ARGON2 -p secret
> Fatal: Unknown scheme: ARGON2
>
> I tend to stay with the distro's rpms and not take on building and maintaining myself.

And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l)

With dovecot from the dovecot.org repo:

# doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

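The `doveadm pw -s ARGON2I` output in the post above carries its own cost parameters after the `{ARGON2I}` prefix. As an added example (not part of the original thread and not Dovecot code), this audits stored password fields by scheme prefix and Argon2 parameters; the grouping of schemes and the minimum cost values are assumptions of the example.

```python
import base64
import re

# Scheme names come from the thread's `doveadm pw -l` output; treating them
# as single-pass digests (no work factor) is this example's classification.
SINGLE_PASS = {"PLAIN-MD5", "LDAP-MD5", "SHA", "SHA1", "SHA256", "SHA512",
               "SMD5", "SSHA", "SSHA256", "SSHA512"}
CLEARTEXT = {"PLAIN", "CLEAR", "CLEARTEXT"}
MIN_M_KIB, MIN_T = 32768, 3   # hypothetical policy floor, not a Dovecot default

PREFIX = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.[A-Za-z0-9]+)?\}(.*)$", re.S)
ARGON2 = re.compile(r"^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
                    r"\$([^$]+)\$([^$]+)$")

def _b64len(s):
    """Byte length of an unpadded base64 field."""
    return len(base64.b64decode(s + "=" * (-len(s) % 4)))

def audit(stored):
    """Return (scheme, verdict, details) for one stored password field."""
    m = PREFIX.match(stored)
    if not m:  # no prefix: Dovecot would fall back to default_pass_scheme
        return (None, "review", "no {SCHEME} prefix")
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme in CLEARTEXT:
        return (scheme, "reject", "password stored in cleartext")
    if scheme in SINGLE_PASS:
        return (scheme, "weak", "single-pass digest, no work factor")
    if scheme in ("ARGON2I", "ARGON2ID"):
        a = ARGON2.match(body)
        if not a or a.group(1).upper() != scheme:
            return (scheme, "review", "body is not a matching Argon2 string")
        p = dict(zip(("v", "m", "t", "p"), map(int, a.group(2, 3, 4, 5))))
        p["salt_len"], p["tag_len"] = _b64len(a.group(6)), _b64len(a.group(7))
        ok = p["m"] >= MIN_M_KIB and p["t"] >= MIN_T   # m is in KiB
        return (scheme, "ok" if ok else "weak", p)
    return (scheme, "review", "scheme not classified by this example")

SAMPLES = [
    # From the post above: output of `doveadm pw -s ARGON2I -p secret`.
    "{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A"
    "$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk",
    # Constructed values below, not real doveadm output.
    "{ARGON2ID}$argon2id$v=19$m=4096,t=1,p=1$c2FtcGxlc2FsdA$" + "A" * 43,
    "{SSHA256}Y29uc3RydWN0ZWQ=",
    "{PLAIN}secret",
    "0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for field in SAMPLES:
        print(audit(field))
```
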
On 2/13/19 10:53 AM, Jean-Daniel Dupas via dovecot wrote:
>
>> On 13 Feb 2019, at 14:54, Robert Moskowitz via dovecot
>> <dovecot at dovecot.org> wrote:
>>
>> On 2/13/19 8:30 AM, Aki Tuomi wrote:
>>> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>>>
>>>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>>>
>>>>> On 13 February 2019 00:34:15, Robert Moskowitz
>>>>> <rgm at htt-consult.com> wrote:
>>>>>
>>>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>>>>> SHA256/512. I am going to start clean with the stronger
>>>>>>>> format, not
>>>>>>>> migrate from the old MD5. It seems all I need is:
>>>>>>> you maybe would like to have a look to the hashing algo ARGON2I
>>>>>>> which is
>>>>>>> currently recommended for new developments and deployments.
>>>>>> Recommended by whom?
>>>>>>
>>>>>> Can you provide a link?
>>>>> Sure, please see here:
>>>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>>>
>>>>>>
>>>>>> And if I was adventurous about hashes, I would be looking more at
>>>>>> Keccak.
>>>>>>
>>>>>> Check out my Internet Draft:
>>>>>>
>>>>>> draft-moskowitz-small-crypto-00.txt
>>>>> Thanks for the tip, will have a look into it.
>>>> Keccak is a general hashing function. It was the first of the
>>>> hashing 'sponge' functions, that many have followed. It is the basis
>>>> of SHA3 (at Keccak's greatest strength).
>>>>
>>>> Argon2 seems to be special-built for password hashing. Thing is it is
>>>> not supported on my CentOS7 system:
>>>>
>>>> # doveadm pw -l
>>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
>>>> SHA256-CRYPT SHA512-CRYPT
>>>>
>>>> Of course SHA3 is not listed either...
>>>>
>>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
>>> when compiling dovecot, so varying from packagers it might or might not be
>>> available. The CRYPT ones are available if crypt(3) supports them. In
>>> dovecot v2.3 we have added bcrypt support regardless of crypt(3)
>>> support.
>>
>> CentOS7 is on dovecot 2.2.36:
>>
>> # doveadm pw -s ARGON2-CRYPT -p secret
>> Fatal: Unknown scheme: ARGON2-CRYPT
>> # doveadm pw -s ARGON2 -p secret
>> Fatal: Unknown scheme: ARGON2
>>
>> I tend to stay with the distro's rpms and not take on building and
>> maintaining myself.
>
> And for the record, the hash names are ARGON2I and ARGON2ID (see
> doveadm pw -l)
>
> With dovecot from the dovecot.org <http://dovecot.org> repo:
>
> # doveadm pw -s ARGON2I -p secret
> {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
>

For those with dovecot v 2.3.... I will note this for the future.

Jean-Daniel Dupas via dovecot wrote:
>
>> On 13 Feb 2019, at 14:54, Robert Moskowitz via dovecot
>> <dovecot at dovecot.org> wrote:
>>
>> On 2/13/19 8:30 AM, Aki Tuomi wrote:
>>> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>>>
>>>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>>>
>>>>> On 13 February 2019 00:34:15, Robert Moskowitz
>>>>> <rgm at htt-consult.com> wrote:
>>>>>
>>>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>>>>> SHA256/512. I am going to start clean with the stronger format, not
>>>>>>>> migrate from the old MD5. It seems all I need is:
>>>>>>> you maybe would like to have a look to the hashing algo ARGON2I
>>>>>>> which is
>>>>>>> currently recommended for new developments and deployments.
>>>>>> Recommended by whom?
>>>>>>
>>>>>> Can you provide a link?
>>>>> Sure, please see here:
>>>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>>>
>>>>>>
>>>>>> And if I was adventurous about hashes, I would be looking more at
>>>>>> Keccak.
>>>>>>
>>>>>> Check out my Internet Draft:
>>>>>>
>>>>>> draft-moskowitz-small-crypto-00.txt
>>>>> Thanks for the tip, will have a look into it.
>>>> Keccak is a general hashing function. It was the first of the
>>>> hashing 'sponge' functions, that many have followed. It is the basis
>>>> of SHA3 (at Keccak's greatest strength).
>>>>
>>>> Argon2 seems to be special-built for password hashing. Thing is it is
>>>> not supported on my CentOS7 system:
>>>>
>>>> # doveadm pw -l
>>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
>>>> SHA256-CRYPT SHA512-CRYPT
>>>>
>>>> Of course SHA3 is not listed either...
>>>>
>>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
>>> when compiling dovecot, so varying from packagers it might or might not be
>>> available. The CRYPT ones are available if crypt(3) supports them. In
>>> dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
>>
>> CentOS7 is on dovecot 2.2.36:
>>
>> # doveadm pw -s ARGON2-CRYPT -p secret
>> Fatal: Unknown scheme: ARGON2-CRYPT
>> # doveadm pw -s ARGON2 -p secret
>> Fatal: Unknown scheme: ARGON2
>>
>> I tend to stay with the distro's rpms and not take on building and
>> maintaining myself.
>
> And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm
> pw -l)
>
> With dovecot from the dovecot.org <http://dovecot.org> repo:
>
> # doveadm pw -s ARGON2I -p secret
> {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

Also from dovecot.org <http://dovecot.org> repo:

doveadm pw -s ARGON2I -p secret
Fatal: Unknown scheme: ARGON2I

????

Marc