(I subscribed to a daily digest for this list and can’t figure out how to reply to a reply.)
Anyway, Aki Tuomi replied to my feature request saying:
The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn’t support SHA512-CRYPT or BLF-CRYPT.
If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.
Kevin
Quoting KT Walrus <kevin@my.walr.us>:
I would love to know why your ubuntu 14.04 system doesn't support
sha512-crypt.
My dovecot installs have only ever used sha512-crypt since 2008. Been
using ubuntu since 7.04 with sha512-crypt, and my current systems
running 14.04 and 16.04 both use sha512-crypt.
The default password hash for system user accounts in ubuntu has been
sha512-crypt for a very long time now.
I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.
I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.
Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard <https://github.com/php/php-src/tree/master/ext/standard>. The implementation looks like a single function to generate the hash. I’m not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.
Kevin
Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard <https://github.com/php/php-src/tree/master/ext/standard>. The implementation looks like a single function to generate the hash. I’m not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
It already does. As previously stated.
It doesn’t for me. I’m building Dovecot from source (v2.2.24) in a Docker container using Ubuntu 14.04.
Does BLF-CRYPT work for you?
Maybe I’m not building Dovecot correctly. I install libssl-dev and libmysqlclient-dev and do:
$ ./configure --prefix=/usr --sysconfdir=/etc --with-mysql $ make $ make install
Am I missing some library/switch to enable BLF-CRYPT?
I just did a quick Google search, and it appears that Ubuntu 14.04 doesn’t have support for BLF-CRYPT according to this issue:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252 <https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252>
Actually, now that I’ve researched this a bit more, it was a mistake for my PHP app to make BLF-CRYPT password hashes since SHA512-CRYPT with a high number of rounds should be just as good. If Ubuntu 16.04 didn't add support for BLF-CRYPT, I guess I will have to implement a Checkpassword script for Dovecot that might generate SHA512-CRYPT replacement hashes after successfully checking against the BLF-CRYPT hashes. I’m no Dovecot expert, but I think I can have multiple passdbs so the first passdb mysql lookup will be set to fail if it finds a BLF-CRYPT hash so the Checkpassword script would only be run once per failed mysql lookup.
Hopefully, I just missed some ./configure switch to enable BLF-CRYPT and don’t have to deal with converting BLF-CRYPT to SHA512-CRYPT just for Dovecot.
Kevin
Changing your php app will probably be the easiest solution.
Since I’m using Docker, the easiest solution for me is to find a linux distro that can run Dovecot well and supports BLF-CRYPT as well.
What Linux distros support BLF-CRYPT and are well tested and secure?
Am 2016-06-06 um 15:36 schrieb KT Walrus:
Since I’m using Docker, the easiest solution for me is to find a linux distro that can run Dovecot well and supports BLF-CRYPT as well.
What Linux distros support BLF-CRYPT and are well tested and secure?
As you are running Ubuntu 14.04 now - I suppose most all Linux distros are as well tested as this.
For both tested and secure, you may choose openbsd? Dont know if Docker does this though -- nevertheless, I guess docker probably rules out anything secure...
-- peter
I don’t understand your reply. I am running Ubuntu 14.04 in Docker image now, but there is no support for BLF-CRYPT in 14.04.
As for openbsd, Docker images can be based on any Linux distro that is available in the Docker Hub. OpenBSD is not a Linux distro and I would have to run it inside a VM which isn’t acceptable.
See https://hub.docker.com/explore/ <https://hub.docker.com/explore/> for a list of Official Repos that are suitable to use as base images for building Dovecot such as ubuntu, debian, centos, alpine, oraclelinux, opensuse, etc.
I suspect that most glibc crypt() implementations don’t support BLF-CRYPT and that is one reason that PHP includes fallback BLF-CRYPT function so PHP users can generate Blowfish password hashes without worrying whether PHP is running on Linux or not.
Kevin
participants (5)
-
Aki Tuomi
-
Edgar Pettijohn
-
KT Walrus
-
Patrick Domack
-
Peter Chiochetti