Strange behaviour with BLF-CRYPT and SHA*-CRYPT password schemes
Greetings,
This is not so much a bug report or a help request; we would just like to know whether someone can explain the following:
Environment: Centos 7 with Dovecot 2.3.4-2
default_pass_scheme = BLF-CRYPT, password hash in database: BLF-CRYPT, login: works
default_pass_scheme = SHA512-CRYPT or SHA256-CRYPT, password hash in database: BLF-CRYPT, login: also works
default_pass_scheme = BLF-CRYPT, password hash in database: SHA512-CRYPT, login: does not work
Can someone explain these discrepancies?
-- Kind regards,
Kristijan Savic
ratiokontakt GmbH, Biegenhofstr. 13, 96103 Hallstadt
Phone: +49 (0) 951 9 35 35 - 0, Fax: +49 (0) 951 9 35 35 - 902, Internet: www.ratiokontakt.de
Managing directors: Dr. Nils Kaufmann, Stefan Kraft; Amtsgericht Bamberg, HRB 3757
ratiokontakt is certified to DIN ISO/IEC 27001
You could configure the default scheme as CRYPT. It covers all of these. Otherwise you need to make sure passwords have a {SCHEME} prefix when it differs from the default, or oddities occur.
Thank you for the tip with CRYPT.
Is there any explanation for this behaviour though?
Why are BCRYPT hashes accepted when default_pass_scheme is set to SHA512-CRYPT and not vice versa? Is this normal?
-- Regards,
Kristijan Savic
On 7.3.2019 14.00, Kristijan Savic - ratiokontakt GmbH wrote:
>> You could configure the default scheme as CRYPT. It covers all of these. Otherwise you need to make sure passwords have a {SCHEME} prefix when it differs from the default, or oddities occur.
> Thank you for the tip with CRYPT.
> Is there any explanation for this behaviour though?
> Why are BCRYPT hashes accepted when default_pass_scheme is set to SHA512-CRYPT and not vice versa? Is this normal?
Because SHA512-CRYPT is sent directly to crypt(3), but BLF-CRYPT and CRYPT are run through something that checks whether the hash starts with $2$ or not, as Linux does not actually support bcrypt in crypt(3).
Aki
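Aki's two answers (use CRYPT as the default, or make sure every hash that differs from the default carries an explicit {SCHEME} prefix) suggest an audit a defender can run over a passdb dump before a scheme change bites. The script below is an added example, not part of this thread and not Dovecot code; it assumes the Modular Crypt Format prefixes ($2a$/$2b$/$2y$ for bcrypt, $6$ for SHA512-CRYPT, $5$ for SHA256-CRYPT, $1$ for MD5-CRYPT) and a constructed passdb sample with placeholder hashes.

```python
import re

# Assumption: Modular Crypt Format prefix -> Dovecot scheme name.
# Taken from MCF conventions, not from Dovecot's own source.
CRYPT_PREFIXES = {
    "$2a$": "BLF-CRYPT", "$2b$": "BLF-CRYPT", "$2y$": "BLF-CRYPT",
    "$6$": "SHA512-CRYPT", "$5$": "SHA256-CRYPT", "$1$": "MD5-CRYPT",
}

def detect_scheme(stored):
    """Split a stored password into (explicit {SCHEME} or None, hash,
    scheme guessed from the hash prefix or None)."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", stored)
    explicit = m.group(1).upper() if m else None
    digest = m.group(2) if m else stored
    detected = next((s for p, s in CRYPT_PREFIXES.items()
                     if digest.startswith(p)), None)
    return explicit, digest, detected

def audit(entries, default_pass_scheme):
    """Return (user, problem, suggested_entry) for every row that relies on
    default_pass_scheme but whose hash looks like a different scheme.
    CRYPT as default covers all crypt(3)-style hashes, so nothing is
    flagged except hashes in an unrecognised format."""
    default = default_pass_scheme.upper()
    findings = []
    for user, stored in entries:
        explicit, digest, detected = detect_scheme(stored)
        if explicit is not None:
            continue  # explicit prefix: the default scheme is irrelevant
        if detected is None:
            findings.append((user, "unrecognised hash format", None))
        elif default != "CRYPT" and detected != default:
            findings.append((user,
                             f"looks like {detected}, default is {default}",
                             "{" + detected + "}" + digest))
    return findings

# Constructed sample passdb rows; hashes are placeholders, not real credentials.
SAMPLE = [
    ("alice", "$2y$10$EXAMPLEbcryptSALTandHASH"),
    ("bob", "$6$EXAMPLEsalt$EXAMPLEsha512hash"),
    ("carol", "{SHA512-CRYPT}$6$EXAMPLEsalt$EXAMPLEsha512hash"),
    ("dave", "notAcryptHash"),
]

if __name__ == "__main__":
    for user, problem, fix in audit(SAMPLE, "BLF-CRYPT"):
        print(f"{user}: {problem}" + (f" -> store as {fix}" if fix else ""))
```

Running it with default_pass_scheme = BLF-CRYPT reports bob's SHA512 hash (the failing case from the first message) and hands back the prefixed form to store instead.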
That explains everything then, excellent.
Thank you very much!
-- Regards,
Kristijan Savic