On Fri, May 7, 2010 at 15:11, Pascal Volk <user+dovecot@localhost.localdomain.org> wrote:
On 05/07/2010 08:16 PM Phil Howard wrote:
I've decided that having users supply cleartext passwords for me to encrypt and encode is a bad idea, anyway. So maybe I won't need dovecotpw. The idea is that users supply an already-encrypted password. Most of the users can fetch their login password from /etc/shadow on their own computer.
Wiki page http://wiki.dovecot.org/Authentication/PasswordSchemes indicates that scheme name CRYPT is the one that uses the libc crypt() function. But it also says it uses no more than 8 characters. Then there is MD5-CRYPT. But that doesn't call crypt(), I presume. No limit on password size is indicated. But this at least looks like SOME of the encrypted passwords I have.
Other passwords I have have ids indicating SHA-256 and SHA-512. Here is an example from /etc/shadow that encrypted the clear password "dovecotandpostfix" (in case it is necessary to test it):
$6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1
The big question is, what scheme name should I use for these passwords?
I can, of course, consider the id (6 in the above example, suggesting SHA-512) if there is one (so far all are like this). But the other consideration is most of the passwords are longer than 8, some longer than 12, characters. So apparently CRYPT can't be used in those cases (so I can't have the automatic identification of crypt() to detect the scheme).
What scheme would I use for the various passwords? What scheme would be used for the above example for starters? What if the id is 5 or 1 (the ones documented for the crypt() call)?
{CRYPT}, for SHA-256 and SHA-512. If your {,g}libc supports it, Dovecot can use it.
Is there another scheme name for it I can use that will still do those without the 8 character limit? I want the users to use their full passwords even with this scheme (or at least one like it). I know crypt() doesn't have an 8 character limit, so a scheme that doesn't have such a limit, and uses crypt(), I would think should work.
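The following Python example is added here; it is not from the thread or from Dovecot. It parses a crypt(3) hash as found in /etc/shadow, reports the id discussed above (1, 5 or 6), and prefixes the scheme name, using {CRYPT} for $5$ and $6$ as the reply in the thread states. The function names, the choice of MD5-CRYPT for $1$, and the structural length checks are assumptions of this example.

```python
import re

# Hash quoted in the thread (clear password given there as "dovecotandpostfix").
SAMPLE = ("$6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6"
          ".VMThIW2QFs1buHjT3eDtnaAFhF1")

# crypt(3) ids -> (algorithm, scheme name used here, max salt len, encoded hash len)
MCF_IDS = {
    "1": ("MD5", "MD5-CRYPT", 8, 22),
    "5": ("SHA-256", "CRYPT", 16, 43),
    "6": ("SHA-512", "CRYPT", 16, 86),
}
B64 = r"[./0-9A-Za-z]"
MCF_RE = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>[0-9]+)\$)?"
    r"(?P<salt>" + B64 + r"*)\$(?P<hash>" + B64 + r"+)$"
)
DES_RE = re.compile(r"^" + B64 + r"{13}$")  # traditional crypt(): 2 salt + 11 hash


def classify(shadow_field):
    """Describe one password field copied from /etc/shadow."""
    if shadow_field == "" or shadow_field[0] in "!*":
        raise ValueError("empty, locked or disabled account: no usable hash")
    if DES_RE.match(shadow_field):
        # Only this traditional DES form truncates the password to 8 characters.
        return {"id": None, "algorithm": "DES", "scheme": "CRYPT",
                "salt": shadow_field[:2], "rounds": None}
    m = MCF_RE.match(shadow_field)
    if not m:
        raise ValueError("not a crypt(3) hash")
    if m["id"] not in MCF_IDS:
        raise ValueError("unhandled crypt id: $%s$" % m["id"])
    algorithm, scheme, max_salt, hash_len = MCF_IDS[m["id"]]
    if m["rounds"] and m["id"] == "1":
        raise ValueError("rounds= is not valid for $1$")
    if len(m["salt"]) > max_salt or len(m["hash"]) != hash_len:
        raise ValueError("malformed $%s$ hash" % m["id"])
    return {"id": m["id"], "algorithm": algorithm, "scheme": scheme,
            "salt": m["salt"], "rounds": int(m["rounds"]) if m["rounds"] else None}


def dovecot_value(shadow_field):
    """Return the hash with its scheme name prefixed, e.g. {CRYPT}$6$..."""
    return "{%s}%s" % (classify(shadow_field)["scheme"], shadow_field)
```

Whether the resulting {CRYPT} value verifies at login still depends on the libc on the Dovecot host supporting that id.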