[Dovecot] CRYPT scheme and 8 character limit
I've decided that having users supply cleartext passwords for me to encrypt and encode is a bad idea, anyway. So maybe I won't need dovecotpw. The idea is that users supply an already-encrypted password. Most of the users can fetch their login password from /etc/shadow on their own computer.
Wiki page http://wiki.dovecot.org/Authentication/PasswordSchemes indicates that scheme name CRYPT is the one that uses the libc crypt() function. But it also says it uses no more than 8 characters. Then there is MD5-CRYPT. But that doesn't call crypt(), I presume. No limit on password size is indicated. But this at least looks like SOME of the encrypted passwords I have.
Other passwords I have have ids indicating SHA-256 and SHA-512. Here is an example from /etc/shadow that encrypted the clear password "dovecotandpostfix" (in case it is necessary to test it):
$6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1
The big question is, what scheme name should I use for these passwords? I can, of course, consider the id (6 in the above example, suggesting SHA-512) if there is one (so far all are like this). But the other consideration is most of the passwords are longer than 8, some longer than 12, characters. So apparently CRYPT can't be used in those cases (so I can't have the automatic identification of crypt() to detect the scheme).
What scheme would I use for the various passwords? What scheme would be used for the above example for starters? What if the id is 5 or 1 (the ones documented for the crypt() call)?
On 05/07/2010 08:16 PM Phil Howard wrote:
{CRYPT}, for SHA-256 and SHA-512. If your {,g}libc supports it, Dovecot can use it.
Regards, Pascal
The trapper recommends today: fabaceae.1012721@localdomain.org
On Fri, May 7, 2010 at 15:11, Pascal Volk <user+dovecot@localhost.localdomain.org> wrote:
Is there another scheme name for it I can use that will still do those without the 8 character limit? I want the users to use their full passwords even with this scheme (or at least one like it). I know crypt() doesn't have an 8 character limit, so a scheme that doesn't have such a limit, and uses crypt(), I would think should work.
On Fri, May 7, 2010 at 15:11, Pascal Volk <user+dovecot@localhost.localdomain.org> wrote:
OK, I looked in the source code and I cannot find any 8 character limit. So I'm now guessing that the documentation was really referring to the legacy algorithm in crypt(), instead of the CRYPT scheme interface to it in Dovecot.
I think you're just a little confused.
There are two crypts basically, the crypt function, and the crypt hash. The crypt hash has the 8 letter limit for the most part and is not really used anymore.
When you specify {CRYPT}, dovecot just uses the crypt function, from libc or libcrypt, and then the crypt function will figure out if it uses the old crypt hash, md5 hash, sha hash or other that it supports.
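To make the point of the thread concrete: Dovecot's {CRYPT} scheme hands the stored string to libc's crypt(), and crypt() selects the algorithm from the $id$ prefix ($1$ MD5, $5$ SHA-256, $6$ SHA-512); only the prefix-less traditional DES variant truncates the password to its first 8 characters. The following is an added example, not code from the thread or from Dovecot: a pure-Python SHA-512 crypt ($6$) following the glibc algorithm, which reproduces the /etc/shadow entry quoted above from the full 17-character cleartext "dovecotandpostfix", plus a verify() helper that extracts the salt the way crypt() does. It assumes the default 5000 rounds (no rounds= in the salt) and implements only the $6$ variant; the function names are mine.

```python
import hashlib
import hmac

# Alphabet used by crypt(3)-style hashes; it is not standard base64.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# The /etc/shadow entry quoted in the thread (cleartext "dovecotandpostfix").
SHADOW_HASH = "$6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1"

def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """SHA-512 crypt ($6$) in pure Python, following the glibc algorithm.
    Unlike traditional DES crypt, nothing here truncates the password."""
    salt = salt[:16]  # crypt() uses at most 16 salt bytes
    b = hashlib.sha512(password + salt + password).digest()
    a = hashlib.sha512(password + salt)
    a.update(b * (len(password) // 64) + b[:len(password) % 64])  # one B byte per password byte
    n = len(password)
    while n:  # per bit of the length: B for a 1 bit, the password for a 0 bit
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()
    dp = hashlib.sha512(password * len(password)).digest()
    p = (dp * (len(password) // 64 + 1))[:len(password)]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]
    c = a
    for r in range(rounds):  # the stretching loop that makes guessing slow
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    out = bytearray()  # glibc emits the 64 digest bytes in a fixed permuted order
    for k in range(21):
        t = (k, k + 21, k + 42)
        w = sum(c[t[(i + k) % 3]] << (16 - 8 * i) for i in range(3))
        for _ in range(4):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    out += bytes([ITOA64[c[63] & 0x3F], ITOA64[c[63] >> 6]])
    return "$6$" + salt.decode() + "$" + out.decode()

def verify(password: str, hashed: str) -> bool:
    """Check cleartext against a stored hash as crypt() does for Dovecot's {CRYPT}."""
    parts = hashed.split("$")  # ["", id, salt, hash]; crypt() dispatches on the id
    if len(parts) != 4 or parts[1] != "6":
        raise NotImplementedError("only $6$ (SHA-512) is implemented in this example")
    return hmac.compare_digest(sha512_crypt(password.encode(), parts[2].encode()), hashed)
```

Because the whole password feeds the digest, a candidate that shares only the first 8 characters ("dovecota") does not verify, which is exactly the behaviour the 8-character note on the wiki page does not apply to.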
participants (3)
- Pascal Volk
- Patrick Domack
- Phil Howard