Chris Laif wrote:
On 3/19/07, Frank Church voipfc@googlemail.com wrote:
I am looking for PHP functions that implement passwords that match the dovecotpw implementation.
I downloaded one from PEAR, Crypt_HMAC, but the passwords it generates look nothing like the dovecotpw passwords, which could be my fault because I know nothing about the field.
All libraries/utilities I know generate an HMAC-MD5 string (32 bytes). Dovecot uses HMAC-MD5-CONTEXTs (64 bytes) for CRAM-MD5 authentication.
See also: http://www.dovecot.org/list/dovecot/2006-December/018083.html
Chris
Here's a chunk of code that might be useful.
<?php
if (!empty($_POST["checkpass"])) {
    $login    = $_POST["username"] ?? "";
    $passwd   = $_POST["password"] ?? "";
    $newpass  = $_POST["newpassword"] ?? "";
    $newpass2 = $_POST["newpassword2"] ?? "";
    list($user, $domain) = array_pad(explode('@', $login, 2), 2, "");
    $pass_file = "/etc/vmail/shadow." . $domain;
    $badInput = $success = $userFound = 0;
    $write = "";

    // Sanity Checks
    if ($login == "") {
        $badInput = 1;
    }
    // $domain becomes part of a file name, so only host name characters are allowed
    if (!$badInput and ($user == "" or !preg_match('/^[A-Za-z0-9.-]+$/', $domain))) {
        echo "<b><font color='red'>Error: Bad Email Address</font></b><br>";
        $badInput = 1;
    }
    if (!$badInput and ($passwd == "" or $newpass == "")) {
        echo "<b><font color='red'>Error: Password Missing</font></b><br>";
        $badInput = 1;
    }
    if (!$badInput and strlen($newpass) < 6) {
        echo "<b><font color='red'>Error: Password must be at least 6 characters</font></b><br>";
        $badInput = 1;
    }
    if ($newpass !== $newpass2) {
        echo "<b><font color='red'>Error: New Passwords Don't Match</font></b><br>";
        $badInput = 1;
    }

    if (!$badInput) {
        $fp = fopen($pass_file, "r");
        if ($fp == false) {
            echo "<b><font color='red'>Error: Domain " . htmlspecialchars($domain) . " Doesn't Exist</font></b><br>";
        } else {
            while (!feof($fp)) {
                $line = trim((string) fgets($fp, 1000));
                list($f_user, $f_password, $f_last_password_changed, $two, $three, $four, $five, $six)
                    = array_pad(explode(':', $line), 8, "");
                if ($f_user === $user) {
                    $userFound = 1;
                    if (substr($f_password, 0, 1) == "$") {
                        $seed = substr($f_password, 0, 12);   // "$1$" + 8 salt characters + "$"
                        $epassword = substr($f_password, 12);
                    } else {
                        $seed = substr($f_password, 0, 2);    // traditional DES crypt salt
                        $epassword = substr($f_password, 2);
                    }
                    $epassword = $seed . $epassword;
                    $npassword = crypt($passwd, $seed);
                    // Constant-time comparison of stored and computed hash
                    if (hash_equals($epassword, $npassword)) {
                        $success = 1;
                        // New MD5-crypt salt: 8 characters from [./0-9A-Za-z], from a CSPRNG
                        $chars = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
                        $s = "";
                        for ($n = 0; $n < 8; $n++) {
                            $s .= $chars[random_int(0, 63)];
                        }
                        $seed = '$1$' . $s . '$';
                        $line = $f_user . ":" . crypt($newpass, $seed) . ":" . floor(time() / 86400) . ":"
                              . $two . ":" . $three . ":" . $four . ":" . $five . ":" . $six . ":";
                    } else {
                        echo "<b><font color='red'>Error: Wrong Password</font></b><br>";
                    }
                }
                if ($line !== "") {
                    $write .= $line . "\n";
                }
            }
            fclose($fp);   // only close a handle that was actually opened
        }
        if ($success) {
            $fp = fopen($pass_file, "w");
            fwrite($fp, $write);
            fclose($fp);
            echo "<b><font color='Blue'>Password Change Succeeded</font></b><br>";
        }
        if (!$userFound) {
            echo "<b><font color='red'>Error: Invalid Email Address</font></b><br>";
        }
    }
}
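
The HMAC-MD5 context from the quoted reply above, as an added PHP example that is not part of the original thread or of Dovecot's code: it builds the 64-hex-character value from the MD5 states after the opad and ipad key blocks, then derives a CRAM-MD5 response from that value alone. All function names and the sample password and challenge are constructed; the outer-then-inner, little-endian layout is an assumption to compare against dovecotpw output, and 64-bit PHP 7.1+ is assumed.

```php
<?php
// One MD5 compression step (RFC 1321) on a 64-byte block; $st is [a, b, c, d].
function md5_compress(array $st, string $block): array {
    static $S = [7, 12, 17, 22, 5, 9, 14, 20, 4, 11, 16, 23, 6, 10, 15, 21];
    $M = array_values(unpack('V16', $block));
    [$a, $b, $c, $d] = $st;
    for ($i = 0; $i < 64; $i++) {
        $r = $i >> 4;
        if ($r === 0)     { $f = ($b & $c) | (~$b & $d); $g = $i; }
        elseif ($r === 1) { $f = ($d & $b) | (~$d & $c); $g = (5 * $i + 1) % 16; }
        elseif ($r === 2) { $f = $b ^ $c ^ $d;           $g = (3 * $i + 5) % 16; }
        else              { $f = $c ^ ($b | ~$d);        $g = (7 * $i) % 16; }
        $k = (int) floor(abs(sin($i + 1)) * 4294967296);
        $x = ($a + ($f & 0xFFFFFFFF) + $k + $M[$g]) & 0xFFFFFFFF;
        $s = $S[4 * $r + $i % 4];
        $rot = (($x << $s) | ($x >> (32 - $s))) & 0xFFFFFFFF;
        [$a, $d, $c, $b] = [$d, $c, $b, ($b + $rot) & 0xFFFFFFFF];
    }
    return [($st[0] + $a) & 0xFFFFFFFF, ($st[1] + $b) & 0xFFFFFFFF,
            ($st[2] + $c) & 0xFFFFFFFF, ($st[3] + $d) & 0xFFFFFFFF];
}

// Finish an MD5 whose first $done bytes (a multiple of 64) are already in $st.
function md5_resume(array $st, string $data, int $done): string {
    $tail = $data . "\x80";
    $tail .= str_repeat("\0", (120 - strlen($tail) % 64) % 64) . pack('P', ($done + strlen($data)) * 8);
    foreach (str_split($tail, 64) as $block) { $st = md5_compress($st, $block); }
    return pack('V4', ...$st);
}

// Stored value (assumed layout): state after the opad block, then after the ipad block.
function cram_md5_context(string $password): string {
    $iv  = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476];
    $key = str_pad(strlen($password) > 64 ? md5($password, true) : $password, 64, "\0");
    $inner = md5_compress($iv, $key ^ str_repeat("\x36", 64));
    $outer = md5_compress($iv, $key ^ str_repeat("\x5c", 64));
    return bin2hex(pack('V8', ...$outer, ...$inner));   // 32 bytes, 64 hex characters
}

// Server side: HMAC-MD5(password, challenge) from the stored context alone.
function cram_md5_response(string $ctxHex, string $challenge): string {
    $w = array_values(unpack('V8', hex2bin($ctxHex)));
    $innerDigest = md5_resume(array_slice($w, 4), $challenge, 64);
    return bin2hex(md5_resume(array_slice($w, 0, 4), $innerDigest, 64));
}

// Constructed sample values; the result is checked against PHP's own hash_hmac().
[$pw, $ch] = ['s3cret-example', '<1896.697170952@mail.example.org>'];
var_dump(hash_equals(hash_hmac('md5', $ch, $pw), cram_md5_response(cram_md5_context($pw), $ch)));
```

Because the stored context is enough to answer any challenge, it is password-equivalent for CRAM-MD5, and the file holding it needs the same protection as a plaintext password.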