[Dovecot] How to manually generate a password hash
Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19 IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so I apologize if this is fairly basic. I've attempted to the best of my ability to search for an answer, but no luck so far.
What I'm trying to do is generate a password hash that I can inject directly into my Mysql database (disaster recovery sort of situation). Towards that goal, I'm trying to use 'doveadm pw' to generate a hash that matches a known password in my database. Unfortunately, I'm coming up empty.
My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the passwords in the database have no scheme prefixes. I'm attempting to generate a hash with:
sudo doveadm pw -s 'MD5-CRYPT'
but the hash generated does not match the user's password hash in the database, which is known to be a good password. I'm able to log into this account successfully in both Roundcube and a remote IMAP client. I've also tried using the -p flag and including the password in the command, and that doesn't do it either, though it oddly gives a different response than using the prompt. (What causes this? Newlines?)
So... what am I missing? If the hash was salted, it would seem the hashes in the database would be longer than the ones generated at the command line, but that isn't the case. I'm out of ideas. Any guidance appreciated.
-Dave
On 4/13/2013 7:10 PM, David Murphy wrote:
Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19 IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so I apologize if this is fairly basic. I've attempted to the best of my ability to search for an answer, but no luck so far.
What I'm trying to do is generate a password hash that I can inject directly into my Mysql database (disaster recovery sort of situation). Towards that goal, I'm trying to use 'doveadm pw' to generate a hash that matches a known password in my database. Unfortunately, I'm coming up empty.
My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the passwords in the database have no scheme prefixes. I'm attempting to generate a hash with:
sudo doveadm pw -s 'MD5-CRYPT'
but the hash generated does not match the user's password hash in the database, which is known to be a good password. I'm able to log into this account successfully in both Roundcube and a remote IMAP client. I've also tried using the -p flag and including the password in the command, and that doesn't do it either, though it oddly gives a different response than using the prompt. (What causes this? Newlines?)
So... what am I missing? If the hash was salted, it would seem the hashes in the database would be longer than the ones generated at the command line, but that isn't the case. I'm out of ideas. Any guidance appreciated.
-Dave
Can you post one of your hashes?
Dem
Am 14.04.2013 04:10, schrieb David Murphy:
Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19 IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so I apologize if this is fairly basic. I've attempted to the best of my ability to search for an answer, but no luck so far.
What I'm trying to do is generate a password hash that I can inject directly into my Mysql database (disaster recovery sort of situation). Towards that goal, I'm trying to use 'doveadm pw' to generate a hash that matches a known password in my database. Unfortunately, I'm coming up empty.
My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the passwords in the database have no scheme prefixes. I'm attempting to generate a hash with:
sudo doveadm pw -s 'MD5-CRYPT'
but the hash generated does not match the user's password hash in the database, which is known to be a good password.
*-CRYPT hashes are salted. Hence it is intended, that hashes differ.
$ doveadm pw -s 'MD5-CRYPT' -p test {MD5-CRYPT}$1$s3UfgF6q$YRupP9GlEcaU5CYUOfkFl0 $ doveadm pw -s 'MD5-CRYPT' -p test {MD5-CRYPT}$1$yVZQVf8U$aaguS/rkQOJXu29V76nUl/
I've also tried using the -p flag and including the password in the command, and that doesn't do it either, though it oddly gives a different response than using the prompt. (What causes this? Newlines?)
I don't understand what you are trying to say here...
- René
On 4/13/2013 7:10 PM, David Murphy wrote:
Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19 IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so I apologize if this is fairly basic. I've attempted to the best of my ability to search for an answer, but no luck so far.
What I'm trying to do is generate a password hash that I can inject directly into my Mysql database (disaster recovery sort of situation). Towards that goal, I'm trying to use 'doveadm pw' to generate a hash that matches a known password in my database. Unfortunately, I'm coming up empty.
My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the passwords in the database have no scheme prefixes. I'm attempting to generate a hash with:
sudo doveadm pw -s 'MD5-CRYPT'
but the hash generated does not match the user's password hash in the database, which is known to be a good password. I'm able to log into this account successfully in both Roundcube and a remote IMAP client. I've also tried using the -p flag and including the password in the command, and that doesn't do it either, though it oddly gives a different response than using the prompt. (What causes this? Newlines?)
So... what am I missing? If the hash was salted, it would seem the hashes in the database would be longer than the ones generated at the command line, but that isn't the case. I'm out of ideas. Any guidance appreciated.
-Dave
If your passwords are of the format $1$..., then they are in standard crypt md5 format. They are salted. The salt is between the second and third $ and the actual hash follows the third $.
The version of Dovecot you are running has several bugs in "doveadm pw" that you might be encountering. This will prevent you from verifying the hashes. Some of these have been fixed in the current release.
Try the following command. This should give you a "verified" response on a patched version of doveadm. (NOTE this command is all on one line, but may wrap in the email).
doveadm pw -s MD5-CRYPT -p abc123 -t '$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1'
It should reply:
$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1 (verified)
Or possibly (depending on the version of dovecot you run):
{MD5-CRYPT}$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1 (verified)
If you do not get one of the above responses to the test, you should upgrade, since your doveadm is broken.
To test your hashes, use the above command format substituting your password after -p and your hash after -t. This is only if your hashes begin with $1$..., however. If they do not, then they are not in crypt md5 format and you will need to figure out what format they are.
Once again, however, you need to be running at least 2.1.17, I believe, or maybe a recent release of 2.2 that has the doveadm patches.
Dem
Date: Sun, 14 Apr 2013 03:24:38 -0700 From: professa@dementianati.com CC: dovecot@dovecot.org Subject: Re: [Dovecot] How to manually generate a password hash
- If your passwords are of the format $1$..., then they are in standard crypt md5 format. They are salted. The salt is between the second and third $ and the actual hash follows the third $.
Aha! That's the piece I was missing. I never noticed the third '$' and for some reason I never tried running doveadm pw the exact same way twice in a row to notice that the results were different. Verified that I could generate a hash from doveadm pw, insert it in the database, and log in on that account.
Thank you, and thanks to the others who responded as well.
-Dave
participants (3)
-
David Murphy
-
Professa Dementia
-
René Neumann