Hi again,
this is what I've found regarding how Drupal 7 hashes.
$hash = md5($salt . $password, TRUE); do { $hash = md5($hash . $password, TRUE); } while (--$count);
The whole final hash value is encoded into 16 base64 characters and prepended by an identifying string, the standard phpass MD5 mode uses $P$ (Drupal’s modified version uses $S$ to indicate SHA-512) and a single base64 character to indicate the number of MD5 iterations used. Examples of a hashed password are:
# Drupal 7 hash $S$CgwilRJS4VIF1.2y0R7B4qkXJ8F8SJPcuvXRKGlMWESVXMST.5n4
WordPress 3.0.4 uses the phpass default of 8193 iterations ($count being 8192) and Drupal 7 uses 16385 — notice that the Drupal password has C after the identifier whereas WordPress has B, converted from crypt style base64 (character set [./0-9A-Za-z]) these are 14 and 13 respectively, then take 214 + 1 = 16385. A John the Ripper benchmark, after patching and enabling the usage of phpass portable passwords (WordPress style, 8193 iterations), quotes approximately 700 passwords checked per second.
Can I use this inforamtion to make Dovecot understand how to interpret the hash?
Thanks!
Regards Tobias
On 3/11/13 11:57 AM, info@stos.se wrote:
Hi
I'm trying to get Dovecot to use Drupal users password for authenticating IMAP users. But I just cant figure out how to make Dovecot understand
On Mon, 11 Mar 2013 14:00:22 -0500, "list@airstreamcomm.net" list@airstreamcomm.net wrote: the
password hash type that Drupal 7 is using.
My example user with password Teacher1 looks like this in Drupal database: $S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU
Dovecot retrieves this hash but complains that its not a recognized hash type, or that the hash is wrong, depending on if I change the default hash type in Dovecot config.
Any help appreciated.
root@SSiS:/etc/postfix# dovecot --version 1.2.15 root@SSiS:/etc/postfix# dovecot -n # 1.2.15: /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-12-pve i686 Debian 6.0.7 simfs log_timestamp: %Y-%m-%d %H:%M:%S login_dir: /var/run/dovecot/login login_executable: /usr/lib/dovecot/imap-login mail_privileged_group: mail mail_location: maildir:/home/vmail/ mbox_write_locks: fcntl dotlock auth default: verbose: yes debug: yes debug_passwords: yes passdb: driver: pam passdb: driver: sql args: /etc/dovecot/dovecot-sql.conf userdb: driver: passwd root@SSiS:/etc/postfix# root@SSiS:/etc/postfix# grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf driver = mysql connect = host=127.0.0.1 dbname=Drupal user=Dru_Adm password=localu default_pass_scheme = CRYPT password_query = SELECT name AS user, pass AS password FROM users WHERE name='%n' user_query = SELECT CONCAT(SUBSTRING_INDEX(mail,'@',-1),'/',SUBSTRING_INDEX(mail,'@',1),'/') AS mail FROM users WHERE name='%n' root@SSiS:/etc/postfix# tail /var/log/mail.log Mar 11 16:17:42 SSiS dovecot: auth(default): new auth connection: pid=8593 Mar 11 16:17:51 SSiS dovecot: auth(default): client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=52316#011resp=AFRlYWNoZXIxAFRlYWNoZXIx
Mar 11 16:17:51 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): lookup service=dovecot Mar 11 16:17:51 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): #1/1 style=1 msg=Password: Mar 11 16:17:54 SSiS dovecot: auth-worker(default): pam(Teacher1,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: Teacher1) Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): query: SELECT name AS user, pass AS password FROM users WHERE name='Teacher1' Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): Password mismatch Mar 11 16:17:54 SSiS dovecot: auth-worker(default): md5_verify(Teacher1): Not a valid MD5-CRYPT or PLAIN-MD5 password Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in passdb Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in passdb Mar 11 16:17:54 SSiS dovecot: auth-worker(default): sql(Teacher1,127.0.0.1): CRYPT(Teacher1) != '$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU' Mar 11 16:17:56 SSiS dovecot: auth(default): client out: FAIL#0111#011user=Teacher1 Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many invalid commands (auth failed, 1 attempts): user=<Teacher1>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured Mar 11 16:32:36 SSiS dovecot: auth(default): new auth connection: pid=9075 Mar 11 16:32:41 SSiS dovecot: imap-login: Disconnected: Too many invalid commands (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured root@SSiS:/etc/postfix#
As far as I understand Drupal uses salted passwords, so you would need to return the password + salt in the sql query. I am not sure what position the salt is offset for a password with Drupal, but that should be simple to determine looking at the source.