[Dovecot] how authentication works?
Manao ahoana, Hello, Bonjour,
I've read: http://wiki.dovecot.org/Authentication/PasswordSchemes
I have a users database with clear plain passwords. Dovecot authenticates users without problems against it.
Now, it's time to move to CRYPT scheme.
Before that, I would like to know how things happen.
We have:
- the user, (entering his password in the MUA)
- the user's MUA (Thunderbird, Outlook, Squirrelmail,...)
- the POP or IMAP server
- the users database (MySQL) with username and crypt()'d password
How I think the process is:
- the user enters his password in a clear way.
- the MUA sends the password as the user entered it to the POP or IMAP server
- the POP or IMAP server fetches the password from the database
- the POP or IMAP server crypt()'s the user entered password
- the POP or IMAP server compares crypt()'d ones and gives his response
Am I close enough to reality? Too far?
Misaotra, Thanks, Merci.
-- Architecte Informatique chez Blueline/Gulfsat: Administration Systeme, Recherche & Developpement +261 3456 000 19
Mihamina Rakotomandimby mihamina@gulfsat.mg :
> Now, it's time to move to CRYPT scheme.
> Before that, I would like to know how things happen. [...]
> Am I close enough to reality? Too far?
I read further and saw: http://php.net/manual/en/function.crypt.php

The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used). [...]

<?php
$password = crypt('mypassword');
if (crypt($user_input, $password) == $password) {
    echo "Password verified!";
}
?>
And also: http://docs.python.org/library/crypt.html

crypt.crypt(word, salt)
word will usually be a user’s password as typed at a prompt or in a graphical interface. salt is usually a random two-character string which will be used to perturb the DES algorithm in one of 4096 ways. The characters in salt must be in the set [./a-zA-Z0-9]. Returns the hashed password as a string, which will be composed of characters from the same alphabet as the salt (the first two characters represent the salt itself). Since a few crypt(3) extensions allow different values, with different sizes in the salt, it is recommended to use the full crypted password as salt when checking for a password. [...]

import crypt, getpass, pwd

def login():
    username = raw_input('Python login:')
    cryptedpasswd = pwd.getpwnam(username)[1]
    if cryptedpasswd:
        if cryptedpasswd == 'x' or cryptedpasswd == '*':
            raise NotImplementedError(
                "Sorry, currently no support for shadow passwords")
        cleartext = getpass.getpass()
        # The full stored hash is passed as the salt argument
        return crypt.crypt(cleartext, cryptedpasswd) == cryptedpasswd
    else:
        return 1
I think it's OK for me, now.
-- Architecte Informatique chez Blueline/Gulfsat: Administration Systeme, Recherche & Developpement +261 3456 000 19
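The flow asked about in the first message (the server receives the cleartext password from the MUA, re-hashes it with the salt recovered from the stored value, and compares) as an added example; it is not part of the original posts and not Dovecot's code. Assumptions: it uses the {SSHA256} layout (base64 of SHA-256(password + salt) followed by the salt) instead of crypt() so that it runs on the Python standard library alone, the USERS dict is constructed sample data standing in for the MySQL table, and the names hash_password, verify and login are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac
import os

SCHEME = "{SSHA256}"

def hash_password(password, salt=None):
    """Build the stored value: base64(SHA-256(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")

def verify(entered, stored):
    """Re-hash the entered cleartext with the salt taken from the stored value."""
    if not stored.startswith(SCHEME):
        return False  # unknown scheme: refuse rather than guess
    try:
        raw = base64.b64decode(stored[len(SCHEME):])
    except (binascii.Error, ValueError):
        return False
    if len(raw) <= 32:
        return False  # no salt after the 32-byte digest: malformed entry
    digest, salt = raw[:32], raw[32:]
    candidate = hashlib.sha256(entered.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# Constructed sample data standing in for the MySQL users table.
USERS = {"alice": hash_password("correct horse")}
# Unknown users are checked against a throwaway hash so both paths do the same work.
DUMMY = hash_password(os.urandom(16).hex())

def login(username, entered):
    """What the POP/IMAP server does with the cleartext password sent by the MUA."""
    ok = verify(entered, USERS.get(username, DUMMY))
    return ok and username in USERS
```

With crypt()-based schemes the comparison has the same shape: the stored string is passed back as the salt argument, as in the PHP and Python snippets quoted above.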