20 Mar 2007, 2:36 p.m.
Chris Laif wrote:
On 3/19/07, Frank Church <voipfc@googlemail.com> wrote:
I am looking for PHP functions that implement passwords that match the dovecotpw implementation.
I downloaded one from PEAR, Crypt_HMAC, but the passwords it generates look nothing like the dovecotpw passwords, which could be my fault because I know nothing about the field.
All libraries/utilities I know generate an HMAC-MD5 string (32 bytes). Dovecot uses HMAC-MD5-CONTEXTs (64 bytes) for CRAM-MD5 authentication.
See also: http://www.dovecot.org/list/dovecot/2006-December/018083.html
Chris
Here's a chunk of code that might be useful.
<?php
// Change a mail user's password in the per-domain shadow-style file
// /etc/vmail/shadow.<domain> after verifying the current password.
if (!empty($_POST["checkpass"])) {
    $login    = $_POST["username"] ?? "";
    $passwd   = $_POST["password"] ?? "";
    $newpass  = $_POST["newpassword"] ?? "";
    $newpass2 = $_POST["newpassword2"] ?? "";
    // Initialise flags and the output buffer so nothing is read undefined
    $badInput = 0;
    $userFound = 0;
    $success = 0;
    $write = "";
    // Pad the result so an address without '@' yields an empty domain
    list ($user, $domain) = array_pad(explode('@', $login, 2), 2, "");
    $pass_file = "/etc/vmail/shadow.".$domain;

    // Sanity Checks
    if ($login == "")
    {
        $badInput = 1;
    }
    // The domain becomes part of a file name: accept hostname characters only,
    // so it cannot contain '/' and select a file outside /etc/vmail
    if (!$badInput and ($user == "" or !preg_match('/\A[A-Za-z0-9][A-Za-z0-9.-]*\z/', $domain)))
    {
        echo "<b><font color='red'>Error: Bad Email Address</font></b><br>";
        $badInput = 1;
    }
    if (!$badInput and ($passwd == "" or $newpass == ""))
    {
        echo "<b><font color='red'>Error: Password Missing</font></b><br>";
        $badInput = 1;
    }
    if (!$badInput and strlen($newpass) < 6)
    {
        echo "<b><font color='red'>Error: Password must be at least 6 characters</font></b><br>";
        $badInput = 1;
    }
    // Strict comparison: != would treat numeric-looking strings such as "1e3" and "1000" as equal
    if ($newpass !== $newpass2)
    {
        echo "<b><font color='red'>Error: New Passwords Don't Match</font></b><br>";
        $badInput = 1;
    }

    if (!$badInput) {
        $fp = fopen( $pass_file, "r" );
        if ($fp == false)
        {
            // Escape the user-supplied domain before echoing it into HTML
            echo "<b><font color='red'>Error: Domain ".htmlspecialchars($domain)." Doesn't Exist</font></b><br>";
        } else {
            while ( !feof( $fp ) )
            {
                $line = trim( fgets( $fp, 1000 ) );
                // Pad short or blank lines so every field variable is defined
                list( $f_user, $f_password, $f_last_password_changed, $two, $three, $four, $five, $six ) = array_pad( explode( ':', $line ), 8, "" );
                if ($f_user === $user)
                {
                    $userFound = 1;
                    // The stored hash carries its own scheme and salt ("$1$salt$" or a
                    // 2-character DES salt), so crypt() can take the whole hash as the salt
                    $npassword = crypt($passwd, $f_password);
                    // hash_equals() compares in constant time and without type juggling
                    if (hash_equals($f_password, $npassword)) {
                        $success = 1;
                        // New 8-character MD5-crypt salt from the CSPRNG, limited to the crypt alphabet
                        $alphabet = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
                        $s = "";
                        for ($n = 0; $n < 8; $n++)
                        {
                            $s .= $alphabet[random_int(0, 63)];
                        }
                        $seed = '$1$'.$s.'$';
                        $line = $f_user.":".crypt($newpass, $seed).":".floor(time()/86400).":".$two.":".$three.":".$four.":".$five.":".$six.":";
                    } else {
                        echo "<b><font color='red'>Error: Wrong Password</font></b><br>";
                    }
                }
                if ($line !== "")
                {
                    $write .= $line."\n";
                }
            }
            // Close only a handle that was actually opened
            fclose($fp);
            if ($success)
            {
                // LOCK_EX keeps two simultaneous password changes from interleaving their writes
                if (file_put_contents($pass_file, $write, LOCK_EX) !== false)
                {
                    echo "<b><font color='Blue'>Password Change Succeeded</font></b><br>";
                } else {
                    echo "<b><font color='red'>Error: Could Not Update Password File</font></b><br>";
                }
            }
            if (!$userFound)
            {
                echo "<b><font color='red'>Error: Invalid Email Address</font></b><br>";
            }
        }
    }
}