[Dovecot] doveadm password check
Hi,
I want to write some php code so that users can change their dovecot password via a roundcube plugin. I'm using the php function crypt(...) to generate the hashes and everything works well so far.
I'm using doveadm pw to generate test hashes, e.g.:
srv:~ # doveadm pw -r 5 -s BLF-CRYPT -p abc
{BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y
I expected an "ok" when using -t with the hash and entering abc as the password, but I got:
srv:~ # doveadm pw -r 5 -s BLF-CRYPT -t \{BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y
Enter password to verify:
doveadm(root): Fatal: reverse password verification check failed: Password mismatch
What went wrong?
Kind Regards Thomas
On 3/11/2013 12:20 PM, Thomas Pries wrote:
> Hi,
> I want to write some php code so that users can change their dovecot password via a roundcube plugin. I'm using the php function crypt(...) to generate the hashes and everything works well so far.
> I'm using doveadm pw to generate test hashes, e.g.:
> srv:~ # doveadm pw -r 5 -s BLF-CRYPT -p abc
> {BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y
> I expected an "ok" when using -t with the hash and entering abc as the password, but I got:
> srv:~ # doveadm pw -r 5 -s BLF-CRYPT -t \{BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y
> Enter password to verify:
> doveadm(root): Fatal: reverse password verification check failed: Password mismatch
There are several bugs dealing with what you are doing. They are currently in the works and will be fixed in a future release of Dovecot.
Crypt hashes should not have the {...} prefix. The $2a$ is the prefix that specifies the Eksblowfish crypt hash, just like $1$ specifies the MD5 crypt hash. doveadm blindly puts the {...} in front of all hashes, which is a bug. When the program goes to verify the hash, it passes the entire string including the {...} part to crypt, which fails, since it does not know what to do with it.
The Eksblowfish hash (the $2a$) was originally written on OpenBSD by Niels Provos and David Mazières and was called Bcrypt (Bcrypt is the correct name, not BLF-CRYPT as is used in Dovecot). It was rewritten by Alexander Peslyak. This rewritten version became more popular with Linux distros. This version, however, turned out to have a bug, which Peslyak later fixed, but it means that $2a$ hashes were incompatible based on which library they used: the original OpenBSD, or the buggy Peslyak one. A new hash type, $2y was used to specify the correct hash. Even OpenBSD switched to the new system to maintain compatibility, even though their original libraries were correct.
Depending on whether your Eksblowfish (Bcrypt) libraries have been updated or not, there could be a problem with the $2a$ hash.
First try to remove the {BLF-CRYPT} from your hash. It is not needed, and may be enough for it to verify. If it still does not verify, then you may have an issue with your crypt libraries. You might then try changing the $2a$ to $2y$ and see if that makes the Eksblowfish libraries happy.
Dem
On 03/11/2013 08:20 PM Thomas Pries wrote:
> Hi,
> I want to write some php code so that users can change their dovecot password via a roundcube plugin. I'm using the php function crypt(...) to generate the hashes and everything works well so far.
> I'm using doveadm pw to generate test hashes, e.g.:
> srv:~ # doveadm pw -r 5 -s BLF-CRYPT -p abc
> {BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y
> I expected an "ok" when using -t with the hash and entering abc as the password, but I got:
> srv:~ # doveadm pw -r 5 -s BLF-CRYPT -t \{BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y
> Enter password to verify:
> doveadm(root): Fatal: reverse password verification check failed: Password mismatch
> What went wrong?
Usage would be: doveadm pw -t '{BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y'
Your shell expands $2a and $05$W8… to empty strings. Therefore you should put single quotes around strings that contain the dollar sign.
Regards, Pascal
The trapper recommends today: cafebabe.1307022@localdomain.org
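To make the expansion Pascal describes visible, here is an added example (not code from the thread, from Dovecot or from doveadm). It takes the hash from the thread, shows what an interactive shell turns it into when it is typed unquoted, shows that a double-quoted variable reference passes it through intact, and builds a single-quoted literal that can be pasted on a command line. The functions argv_echo, expand_unquoted, quote_for_shell and verify_with_doveadm are the example's own names, not doveadm options; verify_with_doveadm only calls the real doveadm if it is installed and otherwise prints the command line it would have run.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: shows what the shell
# does to an unquoted crypt hash before doveadm ever sees it, and how to pass
# the hash so that it arrives intact.

# The hash from the thread. Single quotes keep every '$' literal at assignment.
HASH='{BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y'

# Echo back the single argument exactly as received, i.e. what a program such
# as doveadm would find in its argv.
argv_echo() {
    printf '%s\n' "$1"
}

# Re-evaluate the string the way the shell would if it were typed unquoted on
# an interactive prompt: $2 is an unset positional parameter, $0 is the shell's
# own name and $W82 is an unset variable, so "$2a$05$W82/..." collapses to
# "a<shell name>5/...". The result is no longer a valid bcrypt string.
expand_unquoted() {
    _s=$1
    set --                          # an interactive prompt has no $1, $2, ...
    eval "printf '%s\n' $_s"        # eval performs the same expansions
}

# Wrap a string in single quotes so it can be pasted on a command line verbatim.
# An embedded single quote is written as '\'' (close, escaped quote, reopen).
quote_for_shell() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Verify a hash with doveadm. "$1" expands to the stored string and the shell
# performs no further expansion on the expanded value, so the hash is passed
# through untouched. Without doveadm installed, show the correctly quoted
# command line instead.
verify_with_doveadm() {
    if command -v doveadm >/dev/null 2>&1; then
        doveadm pw -t "$1"
    else
        printf 'doveadm not found; would run: doveadm pw -t %s\n' "$(quote_for_shell "$1")"
    fi
}

printf 'stored hash:        %s\n' "$HASH"
printf 'typed unquoted:     %s\n' "$(expand_unquoted "$HASH")"
printf 'passed as "$HASH":  %s\n' "$(argv_echo "$HASH")"
printf 'pasteable literal:  %s\n' "$(quote_for_shell "$HASH")"
verify_with_doveadm "$HASH"
```

The same rule applies to the PHP side of Thomas's plugin: whatever produces the hash should hand it to doveadm (or write it to the password database) as data, never by splicing it into a shell command string, because every `$` in a bcrypt hash is a parameter expansion waiting to happen.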
Hi,
On 11.03.2013 22:41, Pascal Volk wrote:
> On 03/11/2013 08:20 PM Thomas Pries wrote:
>> I expected an "ok" ...
> Usage would be: doveadm pw -t '{BLF-CRYPT}$2a$05$W82/Vw4ZEcHBC00M8cNwe.g8fOHuAeV7L5Q/q4W6VWl9V5kjoiz8y'
> Your shell expands $2a and $05$W8… to empty strings....
Thanks, sometimes it is hard to see the wood for the trees :-).
Participants (3): Pascal Volk, Professa Dementia, Thomas Pries