[Dovecot] CRYPT scheme and 8 character limit

Patrick Domack patrickdk at patrickdk.com
Sun May 9 06:31:41 EEST 2010


I think you're just a little confused.

There are two crypts basically, the crypt function, and the crypt hash.
The crypt hash has the 8 letter limit for the most part and is not  
really used anymore.

When you specify {CRYPT}, Dovecot just uses the crypt function, from
libc or libcrypt, and then the crypt function will figure out if it
uses the old crypt hash, MD5 hash, SHA hash or other that it supports.

Quoting Phil Howard <ttiphil at gmail.com>:

> On Fri, May 7, 2010 at 15:11, Pascal Volk <user+dovecot at localhost.localdomain.org> wrote:
>
>> On 05/07/2010 08:16 PM Phil Howard wrote:
>> > I've decided that having users supply cleartext passwords for me to encrypt
>> > and encode is a bad idea, anyway.  So maybe I won't need dovecotpw.  The
>> > idea is that users supply an already-encrypted password.  Most of the users
>> > can fetch their login password from /etc/shadow on their own computer.
>> >
>> > Wiki page http://wiki.dovecot.org/Authentication/PasswordSchemes indicates
>> > that scheme name CRYPT is the one that uses the libc crypt() function.  But
>> > it also says it uses no more than 8 characters.  Then there is MD5-CRYPT.
>> > But that doesn't call crypt(), I presume.  No limit on password size is
>> > indicated.  But this at least looks like SOME of the encrypted passwords I
>> > have.
>> >
>> > Other passwords I have have ids indicating SHA-256 and SHA-512.  Here is an
>> > example from /etc/shadow that encrypted the clear password
>> > "dovecotandpostfix" (in case it is necessary to test it):
>> >
>> > $6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1
>> >
>> > The big question is, what scheme name should I use for these passwords?  I
>> > can, of course, consider the id (6 in the above example, suggesting SHA-512)
>> > if there is one (so far all are like this).  But the other consideration is
>> > most of the passwords are longer than 8, some longer than 12, characters.
>> > So apparently CRYPT can't be used in those cases (so I can't have the
>> > automatic identification of crypt() to detect the scheme).
>> >
>> > What scheme would I use for the various passwords?  What scheme would be
>> > used for the above example for starters?  What if the id is 5 or 1 (the ones
>> > documented for the crypt() call)?
>> >
>>
>> {CRYPT}, for SHA-256 and SHA-512. If your {,g}libc supports it, Dovecot
>> can use it.
>>
>
> OK, I looked in the source code and I cannot find any 8 character limit.  So
> I'm now guessing that the documentation was really referring to the legacy
> algorithm in crypt(), instead of the CRYPT scheme interface to it in
> Dovecot.
>
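
An added example, not part of the original messages or of Dovecot's code: a small Python classifier for crypt(3) hash strings, showing the dispatch described above, where the prefix of the hash itself (not the {CRYPT} scheme name) selects the algorithm and only the legacy DES form carries the 8-character limit. The function names and the DES sample value are constructed for illustration; the SHA-512 value is the one quoted in the thread.

```python
import re
from typing import NamedTuple, Optional

B64 = r"[./0-9A-Za-z]"   # alphabet used by crypt(3) salts and digests
# id -> (algorithm, digest length in crypt base64 characters)
MODULAR = {"1": ("MD5", 22), "5": ("SHA-256", 43), "6": ("SHA-512", 86)}

class CryptInfo(NamedTuple):
    algorithm: str
    salt: str
    rounds: Optional[int]
    eight_char_limit: bool   # True only for the legacy DES hash
    well_formed: bool

def classify(field: str) -> CryptInfo:
    """Classify a crypt(3) hash string by the same prefix crypt() dispatches on."""
    if re.fullmatch(B64 + "{13}", field):
        # Legacy DES hash: 2 salt characters followed by 11 digest characters.
        return CryptInfo("DES", field[:2], None, True, True)
    m = re.fullmatch(r"\$([^$]+)\$(?:rounds=(\d+)\$)?([^$]*)\$(.*)", field)
    if not m:
        return CryptInfo("unknown", "", None, False, False)
    ident, rounds, salt, digest = m.groups()
    if ident not in MODULAR:
        return CryptInfo("unknown id " + ident, salt, None, False, False)
    name, length = MODULAR[ident]
    ok = re.fullmatch(B64 + "{%d}" % length, digest) is not None
    if ident == "1" and rounds is not None:
        ok = False   # rounds= is only defined for the SHA variants
    return CryptInfo(name, salt, int(rounds) if rounds else None, False, ok)

def dovecot_value(field: str) -> str:
    """Return the hash with the {CRYPT} scheme prefix discussed in the thread."""
    info = classify(field)
    if not info.well_formed:
        raise ValueError("not a recognisable crypt(3) hash: %r" % field)
    return "{CRYPT}" + field

# First value: the SHA-512 hash quoted in the thread. Second: constructed DES-shaped value.
SAMPLES = [
    "$6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1",
    "abJnggxhB/yWI",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```
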




