Re: Blowfish hashed passwords

newer
Can't delete emails from or write...

older
Update Kills Dovecot

KT Walrus

3 Jun 2016 3 Jun '16

3:14 p.m.

(I subscribed to a daily digest for this list and can’t figure out how to reply to a reply.)

Anyway, Aki Tuomi replied to my feature request saying:

...

We support in latest 2.2 release

MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT SHA512-CRYPT

There is also blowfish support as BLF-CRYPT, but that requires that your system supports it. CRYPT supports whatever your crypt() supports.

The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn’t support SHA512-CRYPT or BLF-CRYPT.

If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.

Kevin

Show replies by date

Aki Tuomi

3 Jun 3 Jun

3:19 p.m.

New subject: Blowfish hashed passwords

On 03.06.2016 15:14, KT Walrus wrote:

...

(I subscribed to a daily digest for this list and can’t figure out how to reply to a reply.)

Anyway, Aki Tuomi replied to my feature request saying:

...
We support in latest 2.2 release

MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT SHA512-CRYPT

There is also blowfish support as BLF-CRYPT, but that requires that your system supports it. CRYPT supports whatever your crypt() supports.

The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn’t support SHA512-CRYPT or BLF-CRYPT.

If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.

Kevin Unfortunately "just including" files from another project is not that straightforward. We can see if we could add BLF-CRYPT support to core even if system does not support it.

Aki

Patrick Domack

4 Jun 4 Jun

4:53 p.m.

New subject: Blowfish hashed passwords

Quoting KT Walrus kevin@my.walr.us:

...

(I subscribed to a daily digest for this list and can’t figure out
how to reply to a reply.)

Anyway, Aki Tuomi replied to my feature request saying:

...
We support in latest 2.2 release

MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT SHA512-CRYPT

There is also blowfish support as BLF-CRYPT, but that requires that your system supports it. CRYPT supports whatever your crypt() supports.

The reason I suggest building in fallback hash type support is that
my install of Dovecot on Ubuntu 14.04 didn’t support SHA512-CRYPT or
BLF-CRYPT.

If Dovecot just included the PHP .c files to make sure it can
process Blowfish/SHA512 password hashes on all installs, it would
greatly simplify adding Dovecot as a service for my existing user
accounts (without forcing them to give their password for the site
so I can generate new hashes in a form that Dovecot supports).
SHA256-CRYPT is probably my best option for password hashing since
it supports ROUNDS to make hash generation slower. But, I would
rather use BLF-CRYPT so I can re-use my existing hashes for my user
accounts.

I would love to know why your ubuntu 14.04 system doesn't support
sha512-crypt.

My dovecot installs have only ever used sha512-crypt since 2008. Been
using ubuntu since 7.04 with sha512-crypt, and my current systems
running 14.04 and 16.04 both use sha512-crypt.

The default password hash for system user accounts in ubuntu has been
sha512-crypt for a very long time now.

KT Walrus

6 Jun 6 Jun

2:16 a.m.

New subject: Blowfish hashed passwords

...

I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.

I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.

Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard https://github.com/php/php-src/tree/master/ext/standard. The implementation looks like a single function to generate the hash. I’m not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.

This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.

Kevin

...

On Jun 4, 2016, at 9:53 AM, Patrick Domack patrickdk@patrickdk.com wrote:

Quoting KT Walrus mailto:kevin@my.walr.us>:

...
(I subscribed to a daily digest for this list and can’t figure out how to reply to a reply.)

Anyway, Aki Tuomi replied to my feature request saying:

...
We support in latest 2.2 release

MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT SHA512-CRYPT

There is also blowfish support as BLF-CRYPT, but that requires that your system supports it. CRYPT supports whatever your crypt() supports.

The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn’t support SHA512-CRYPT or BLF-CRYPT.

If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.

I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.

The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.

Edgar Pettijohn

2:43 a.m.

New subject: Blowfish hashed passwords

Sent from my iPhone

On Jun 5, 2016, at 6:16 PM, KT Walrus kevin@my.walr.us wrote:

...

...
I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.

I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.

Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard https://github.com/php/php-src/tree/master/ext/standard. The implementation looks like a single function to generate the hash. I’m not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.

It already does. As previously stated.

...

This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.

Kevin

...
On Jun 4, 2016, at 9:53 AM, Patrick Domack patrickdk@patrickdk.com wrote:

Quoting KT Walrus mailto:kevin@my.walr.us>:

...
(I subscribed to a daily digest for this list and can’t figure out how to reply to a reply.)

Anyway, Aki Tuomi replied to my feature request saying:

...
We support in latest 2.2 release

MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT SHA512-CRYPT

There is also blowfish support as BLF-CRYPT, but that requires that your system supports it. CRYPT supports whatever your crypt() supports.

The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn’t support SHA512-CRYPT or BLF-CRYPT.

If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.

I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.

The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.

KT Walrus

3:36 a.m.

New subject: Blowfish hashed passwords

...

...
Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard https://github.com/php/php-src/tree/master/ext/standard. The implementation looks like a single function to generate the hash. I’m not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.

It already does. As previously stated.

It doesn’t for me. I’m building Dovecot from source (v2.2.24) in a Docker container using Ubuntu 14.04.

Does BLF-CRYPT work for you?

Maybe I’m not building Dovecot correctly. I install libssl-dev and libmysqlclient-dev and do:

$ ./configure --prefix=/usr --sysconfdir=/etc --with-mysql $ make $ make install

Am I missing some library/switch to enable BLF-CRYPT?

I just did a quick Google search, and it appears that Ubuntu 14.04 doesn’t have support for BLF-CRYPT according to this issue:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252

Actually, now that I’ve researched this a bit more, it was a mistake for my PHP app to make BLF-CRYPT password hashes since SHA512-CRYPT with a high number of rounds should be just as good. If Ubuntu 16.04 didn't add support for BLF-CRYPT, I guess I will have to implement a Checkpassword script for Dovecot that might generate SHA512-CRYPT replacement hashes after successfully checking against the BLF-CRYPT hashes. I’m no Dovecot expert, but I think I can have multiple passdbs so the first passdb mysql lookup will be set to fail if it finds a BLF-CRYPT hash so the Checkpassword script would only be run once per failed mysql lookup.

Hopefully, I just missed some ./configure switch to enable BLF-CRYPT and don’t have to deal with converting BLF-CRYPT to SHA512-CRYPT just for Dovecot.

Kevin

...

On Jun 5, 2016, at 7:43 PM, Edgar Pettijohn edgar@pettijohn-web.com wrote:

Sent from my iPhone

On Jun 5, 2016, at 6:16 PM, KT Walrus kevin@my.walr.us wrote:

...
...
I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.

I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.

Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard https://github.com/php/php-src/tree/master/ext/standard. The implementation looks like a single function to generate the hash. I’m not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.

It already does. As previously stated.

...
This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.

Kevin

...
On Jun 4, 2016, at 9:53 AM, Patrick Domack patrickdk@patrickdk.com wrote:

Quoting KT Walrus mailto:kevin@my.walr.us>:

...
(I subscribed to a daily digest for this list and can’t figure out how to reply to a reply.)

Anyway, Aki Tuomi replied to my feature request saying:

...
We support in latest 2.2 release

MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT SHA512-CRYPT

There is also blowfish support as BLF-CRYPT, but that requires that your system supports it. CRYPT supports whatever your crypt() supports.

The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn’t support SHA512-CRYPT or BLF-CRYPT.

If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.

I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.

The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.

Edgar Pettijohn

3:54 a.m.

New subject: Blowfish hashed passwords

On 16-06-05 20:36:35, KT Walrus wrote:

...

...
...
Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard https://github.com/php/php-src/tree/master/ext/standard. The implementation looks like a single function to generate the hash. I???m not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.

It already does. As previously stated.

It doesn???t for me. I???m building Dovecot from source (v2.2.24) in a Docker container using Ubuntu 14.04.

Does BLF-CRYPT work for you?

Yes, but I don't use ubuntu.

...

Maybe I???m not building Dovecot correctly. I install libssl-dev and libmysqlclient-dev and do:

$ ./configure --prefix=/usr --sysconfdir=/etc --with-mysql $ make $ make install

Am I missing some library/switch to enable BLF-CRYPT?

Does your libc support it?

$ man crypt || $ man bcrypt

...

I just did a quick Google search, and it appears that Ubuntu 14.04 doesn???t have support for BLF-CRYPT according to this issue:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252

Actually, now that I???ve researched this a bit more, it was a mistake for my PHP app to make BLF-CRYPT password hashes since SHA512-CRYPT with a high number of rounds should be just as good. If Ubuntu 16.04 didn't add support for BLF-CRYPT, I guess I will have to implement a Checkpassword script for Dovecot that might generate SHA512-CRYPT replacement hashes after successfully checking against the BLF-CRYPT hashes. I???m no Dovecot expert, but I think I can have multiple passdbs so the first passdb mysql lookup will be set to fail if it finds a BLF-CRYPT hash so the Checkpassword script would only be run once per failed mysql lookup.

Changing your php app will probably be the easiest solution.

...

Hopefully, I just missed some ./configure switch to enable BLF-CRYPT and don???t have to deal with converting BLF-CRYPT to SHA512-CRYPT just for Dovecot.

Kevin

...
On Jun 5, 2016, at 7:43 PM, Edgar Pettijohn edgar@pettijohn-web.com wrote:

Sent from my iPhone

On Jun 5, 2016, at 6:16 PM, KT Walrus kevin@my.walr.us wrote:

...
...
I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.

I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.

Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard https://github.com/php/php-src/tree/master/ext/standard. The implementation looks like a single function to generate the hash. I???m not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.

It already does. As previously stated.

...
This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.

Kevin

...
On Jun 4, 2016, at 9:53 AM, Patrick Domack patrickdk@patrickdk.com wrote:

Quoting KT Walrus mailto:kevin@my.walr.us>:

...
(I subscribed to a daily digest for this list and can???t figure out how to reply to a reply.)

Anyway, Aki Tuomi replied to my feature request saying:

...
We support in latest 2.2 release

MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT SHA512-CRYPT

There is also blowfish support as BLF-CRYPT, but that requires that your system supports it. CRYPT supports whatever your crypt() supports.

The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn???t support SHA512-CRYPT or BLF-CRYPT.

If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.

I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.

The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.

-- Edgar Pettijohn

KT Walrus

4:36 p.m.

New subject: Blowfish hashed passwords

...

Changing your php app will probably be the easiest solution.

Since I’m using Docker, the easiest solution for me is to find a linux distro that can run Dovecot well and supports BLF-CRYPT as well.

What Linux distros support BLF-CRYPT and are well tested and secure?

...

On Jun 5, 2016, at 8:54 PM, Edgar Pettijohn edgar@pettijohn-web.com wrote:

On 16-06-05 20:36:35, KT Walrus wrote:

...
...
...
Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard https://github.com/php/php-src/tree/master/ext/standard. The implementation looks like a single function to generate the hash. I???m not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.

It already does. As previously stated.

It doesn???t for me. I???m building Dovecot from source (v2.2.24) in a Docker container using Ubuntu 14.04.

Does BLF-CRYPT work for you?

Yes, but I don't use ubuntu.

...
Maybe I???m not building Dovecot correctly. I install libssl-dev and libmysqlclient-dev and do:

$ ./configure --prefix=/usr --sysconfdir=/etc --with-mysql $ make $ make install

Am I missing some library/switch to enable BLF-CRYPT?

Does your libc support it?

$ man crypt || $ man bcrypt

...
I just did a quick Google search, and it appears that Ubuntu 14.04 doesn???t have support for BLF-CRYPT according to this issue:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252 <https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252>

Actually, now that I???ve researched this a bit more, it was a mistake for my PHP app to make BLF-CRYPT password hashes since SHA512-CRYPT with a high number of rounds should be just as good. If Ubuntu 16.04 didn't add support for BLF-CRYPT, I guess I will have to implement a Checkpassword script for Dovecot that might generate SHA512-CRYPT replacement hashes after successfully checking against the BLF-CRYPT hashes. I???m no Dovecot expert, but I think I can have multiple passdbs so the first passdb mysql lookup will be set to fail if it finds a BLF-CRYPT hash so the Checkpassword script would only be run once per failed mysql lookup.

Changing your php app will probably be the easiest solution.

...
Hopefully, I just missed some ./configure switch to enable BLF-CRYPT and don???t have to deal with converting BLF-CRYPT to SHA512-CRYPT just for Dovecot.

Kevin

...
On Jun 5, 2016, at 7:43 PM, Edgar Pettijohn edgar@pettijohn-web.com wrote:

Sent from my iPhone

On Jun 5, 2016, at 6:16 PM, KT Walrus kevin@my.walr.us wrote:

...
...
I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.

I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.

Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard https://github.com/php/php-src/tree/master/ext/standard. The implementation looks like a single function to generate the hash. I???m not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.

It already does. As previously stated.

...
This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.

Kevin

...
On Jun 4, 2016, at 9:53 AM, Patrick Domack patrickdk@patrickdk.com wrote:

Quoting KT Walrus mailto:kevin@my.walr.us>:

...
(I subscribed to a daily digest for this list and can???t figure out how to reply to a reply.)

Anyway, Aki Tuomi replied to my feature request saying:

> We support in latest 2.2 release > > MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN > CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 > PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT > SHA512-CRYPT > > There is also blowfish support as BLF-CRYPT, but that requires that your > system supports it. CRYPT supports whatever your crypt() supports.

The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn???t support SHA512-CRYPT or BLF-CRYPT.

If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.

I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.

The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.

-- Edgar Pettijohn

Peter Chiochetti

7 Jun 7 Jun

2:17 a.m.

New subject: Blowfish hashed passwords

Am 2016-06-06 um 15:36 schrieb KT Walrus:

...

Since I’m using Docker, the easiest solution for me is to find a linux distro that can run Dovecot well and supports BLF-CRYPT as well.

What Linux distros support BLF-CRYPT and are well tested and secure?

As you are running Ubuntu 14.04 now - I suppose most all Linux distros are as well tested as this.

For both tested and secure, you may choose openbsd? Dont know if Docker does this though -- nevertheless, I guess docker probably rules out anything secure...

-- peter

KT Walrus

4:03 a.m.

New subject: Blowfish hashed passwords

I don’t understand your reply. I am running Ubuntu 14.04 in Docker image now, but there is no support for BLF-CRYPT in 14.04.

As for openbsd, Docker images can be based on any Linux distro that is available in the Docker Hub. OpenBSD is not a Linux distro and I would have to run it inside a VM which isn’t acceptable.

See https://hub.docker.com/explore/ https://hub.docker.com/explore/ for a list of Official Repos that are suitable to use as base images for building Dovecot such as ubuntu, debian, centos, alpine, oraclelinux, opensuse, etc.

I suspect that most glibc crypt() implementations don’t support BLF-CRYPT and that is one reason that PHP includes fallback BLF-CRYPT function so PHP users can generate Blowfish password hashes without worrying whether PHP is running on Linux or not.

Kevin

...

On Jun 6, 2016, at 7:17 PM, Peter Chiochetti pch@myzel.net wrote:

Am 2016-06-06 um 15:36 schrieb KT Walrus:

...
Since I’m using Docker, the easiest solution for me is to find a linux distro that can run Dovecot well and supports BLF-CRYPT as well.

What Linux distros support BLF-CRYPT and are well tested and secure?

As you are running Ubuntu 14.04 now - I suppose most all Linux distros are as well tested as this.

For both tested and secure, you may choose openbsd? Dont know if Docker does this though -- nevertheless, I guess docker probably rules out anything secure...

-- peter

3091

Age (days ago)

3095

Last active (days ago)

List overview

9 comments

5 participants

participants (5)

Aki Tuomi
Edgar Pettijohn
KT Walrus
Patrick Domack
Peter Chiochetti