Re: dovecot Digest, Vol 225, Issue 71
hi Christian
Did the password hash algorithm change between devuan 3 and 4? You can check that in your /etc/shadow file.
As I understand, devuan is pretty much debian without systemd? And that if you were prepared to do a fair bit of work you could start with debian installed, hack it about and end up with something like devuan?
I doubt devuan has done anything to deviate from debian at this level and both machines were recently dist-upgraded. Dovecot needed no tinkering with at all on the debian machine.
The start of the password field should be the same something like $6$...
Yes it is on devuan 4. I no longer have anything with devuan 3 to check that, but it shouldn't have changed in a dist-upgrade? Interestingly, although it's the same user and password on both machines, I notice that the hashes in /etc/shadow are not identical after the commencing $6$. But then I don't know how these hashes are derived, so maybe that is not unexpected?
-- David Matthews mail@dmatthews.org
Hello
Am 27.01.22 um 17:37 schrieb David Matthews:
hi Christian
Did the password hash algorithm change between devuan 3 and 4? You can check that in your /etc/shadow file.
As I understand, devuan is pretty much debian without systemd? And that if you were prepared to do a fair bit of work you could start with debian installed, hack it about and end up with something like devuan?
I doubt devuan has done anything to deviate from debian at this level and both machines were recently dist-upgraded. Dovecot needed no tinkering with at all on the debian machine.
I never used devuan, so I can not comment on its upgrade strategies.
The default in Debian has changed, but on an dist-upgrade they are not changed automatically. This would not be possible anyway, as you need the original password for generating the new hash. But you could enforce the user to change it on the next login.
The hash algorithm changes, when you set a new or other password. Check also release notes of Bulseye: https://www.debian.org/releases/stable/amd64/release-notes/ch-information.de...
The start of the password field should be the same something like $6$...
Yes it is on devuan 4. I no longer have anything with devuan 3 to check that, but it shouldn't have changed in a dist-upgrade? Interestingly, although it's the same user and password on both machines, I notice that the hashes in /etc/shadow are not identical after the commencing $6$. But then I don't know how these hashes are derived, so maybe that is not unexpected?
So the password algorithm didn't change.
$6$ is still the old one SHA-512. The hashes are different between machines, as they are salted. The salt is stored after $6$ up till the next $ sign. As the salt differs, the hash has to be different. Thats what salts are made for :-)
So you only can increase the logging in dovecot for authentication to debugging. auth_debug=yes
Perhaps you also want to set auth_debug_passwords=yes for getting the actual password in plain text. (Don't forget to disable that afterwards!)
Kind regards, Christian Mack
-- Christian Mack Universität Konstanz Kommunikations-, Informations-, Medienzentrum (KIM) Abteilung IT-Dienste Forschung und Lehre 78457 Konstanz +49 7531 88-4416
participants (2)
-
Christian Mack
-
David Matthews