[Dovecot] CRYPT scheme and 8 character limit

Pascal Volk user+dovecot at localhost.localdomain.org
Fri May 7 22:11:07 EEST 2010


On 05/07/2010 08:16 PM Phil Howard wrote:
> I've decided that having users supply cleartext passwords for me to encrypt
> and encode is a bad idea, anyway.  So maybe I won't need dovecotpw.  The
> idea is that users supply an already-encrypted password.  Most of the users
> can fetch their login password from /etc/shadow on their own computer.
> 
> Wiki page http://wiki.dovecot.org/Authentication/PasswordSchemes indicates
> that scheme name CRYPT is the one that uses the libc crypt() function.  But
> it also says it uses no more than 8 characters.  Then there is MD5-CRYPT.
> But that doesn't call crypt(), I presume.  No limit on password size is
> indicated.  But this at least looks like SOME of the encrypted passwords I
> have.
> 
> Other passwords I have have ids indicating SHA-256 and SHA-512.  Here is an
> example from /etc/shadow that encrypted the clear password
> "dovecotandpostfix" (in case it is necessary to test it):
> 
> $6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1
> 
> The big question is, what scheme name should I use for these passwords?  I
> can, of course, consider the id (6 in the above example, suggesting SHA-512)
> if there is one (so far all are like this).  But the other consideration is
> most of the passwords are longer than 8, some longer than 12, characters.
> So apparently CRYPT can't be used in those cases (so I can't have the
> automatic identification of crypt() to detect the scheme).
> 
> What scheme would I use for the various passwords?  What scheme would be
> used for the above example for starters?  What if the id is 5 or 1 (the ones
> documented for the crypt() call)?
> 

{CRYPT}, for SHA-256 and SHA-512. If your {,g}libc supports it, Dovecot
can use it.


Regards,
Pascal
-- 
The trapper recommends today: fabaceae.1012721 at localdomain.org
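Added example, not part of the original thread and not Dovecot code: a small classifier for the password field of an /etc/shadow entry that reads the crypt id, reports whether the 8-character limit applies (traditional DES crypt only), and builds the `{CRYPT}`-prefixed value. The names `classify` and `CryptHash` are hypothetical, and using `{CRYPT}` for every id is this example's assumption; as the reply says, it depends on the server's libc supporting that id.

```python
import re
from typing import NamedTuple, Optional

# crypt(3) ids discussed in the thread: 1 = MD5, 5 = SHA-256, 6 = SHA-512.
ALGORITHMS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}
B64 = r"[./0-9A-Za-z]"  # crypt's own base64 alphabet
MODULAR = re.compile(
    rf"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?"
    rf"(?P<salt>{B64}*)\$(?P<digest>{B64}+)$"
)
TRADITIONAL = re.compile(rf"^{B64}{{13}}$")  # 2-char salt + 11-char DES digest


class CryptHash(NamedTuple):
    algorithm: str
    salt: str
    rounds: Optional[int]          # explicit rounds= value, if any
    password_limit: Optional[int]  # significant characters; None = not capped at 8
    dovecot_value: str             # string to store in the passdb


def classify(field: str) -> CryptHash:
    """Classify the password field of one /etc/shadow entry."""
    # Assumption of this example: every hash is handed to libc crypt() via
    # {CRYPT}, which only works if the server's libc supports that id.
    value = "{CRYPT}" + field
    m = MODULAR.match(field)
    if m:
        algorithm = ALGORITHMS.get(m["id"])
        if algorithm is None:
            raise ValueError(f"unrecognised crypt id: {m['id']}")
        if m["rounds"] and m["id"] == "1":
            raise ValueError("rounds= is only defined for $5$ and $6$")
        rounds = int(m["rounds"]) if m["rounds"] else None
        return CryptHash(algorithm, m["salt"], rounds, None, value)
    if TRADITIONAL.match(field):
        # Traditional DES crypt: only the first 8 password characters count.
        return CryptHash("DES", field[:2], None, 8, value)
    raise ValueError("locked, empty or not a crypt(3) hash")


if __name__ == "__main__":
    samples = [
        "$6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1",  # from the post
        "$5$rounds=10000$saltsalt$" + "A" * 43,  # constructed sample
        "abCDEFGHIJKLM",                         # constructed, DES-shaped sample
    ]
    for s in samples:
        print(classify(s))
```

Locked or empty shadow fields (`!`, `*`) and ids outside the table raise `ValueError` rather than being passed through with a prefix.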

