[Dovecot] PHP implementation of dovecotpw passwords
I am looking for PHP functions that implement passwords that match the dovecotpw implementation.
I downloaded one from PEAR, Crypt_HMAC, but the passwords it generates look nothing like the dovecotpw passwords, which could be my fault because I know nothing about the field.
Is there a guide or some library that implements them to match dovecotpw?
On Mon, 2007-03-19 at 14:54 +0000, Frank Church wrote:
> I am looking for PHP functions that implement passwords that match the dovecotpw implementation.
> I downloaded one from PEAR, Crypt_HMAC, but the passwords it generates look nothing like the dovecotpw passwords, which could be my fault because I know nothing about the field.
> Is there a guide or some library that implements them to match dovecotpw?
Are there any specific password schemes that you want to use? All the MD5 and SHA1 passwords should be easy to implement.
If you want CRAM-MD5, I'm not aware of any non-C implementation of it. It's not the same as HMAC-MD5 for which there are some libraries.
On 3/19/07, Frank Church <voipfc@googlemail.com> wrote:
> I am looking for PHP functions that implement passwords that match the dovecotpw implementation.
> I downloaded one from PEAR, Crypt_HMAC, but the passwords it generates look nothing like the dovecotpw passwords, which could be my fault because I know nothing about the field.
All libraries/utilities I know generate an HMAC-MD5 string (32 bytes). Dovecot uses HMAC-MD5-CONTEXTs (64 bytes) for CRAM-MD5 authentication.
See also: http://www.dovecot.org/list/dovecot/2006-December/018083.html
Chris
Chris Laif wrote:
> On 3/19/07, Frank Church <voipfc@googlemail.com> wrote:
>> I am looking for PHP functions that implement passwords that match the dovecotpw implementation.
>> I downloaded one from PEAR, Crypt_HMAC, but the passwords it generates look nothing like the dovecotpw passwords, which could be my fault because I know nothing about the field.
> All libraries/utilities I know generate an HMAC-MD5 string (32 bytes). Dovecot uses HMAC-MD5-CONTEXTs (64 bytes) for CRAM-MD5 authentication.
> See also: http://www.dovecot.org/list/dovecot/2006-December/018083.html
> Chris
Here's a chunk of code that might be useful.
<?php
// Password-change form handler for per-domain shadow-style files
// (/etc/vmail/shadow.<domain>, lines of user:hash:last-changed:...).
if (!empty($_POST["checkpass"])) {
    $login    = $_POST["username"] ?? "";
    $passwd   = $_POST["password"] ?? "";
    $newpass  = $_POST["newpassword"] ?? "";
    $newpass2 = $_POST["newpassword2"] ?? "";
    // array_pad() keeps list() working when the login has no '@'.
    list($user, $domain) = array_pad(explode('@', $login, 2), 2, "");
    $badInput = 0;
    $userFound = 0;
    $success = 0;
    $write = "";

    // Sanity Checks
    if ($login == "") {
        $badInput = 1;
    }
    // The domain becomes part of a file name, so allow only hostname
    // characters; this rejects '/', NUL bytes and similar path tricks.
    if (!$badInput and ($user == "" or !preg_match('/^[A-Za-z0-9.-]+$/', $domain))) {
        echo "<b><font color='red'>Error: Bad Email Address</font></b><br>";
        $badInput = 1;
    }
    if (!$badInput and ($passwd == "" or $newpass == "")) {
        echo "<b><font color='red'>Error: Password Missing</font></b><br>";
        $badInput = 1;
    }
    if (!$badInput and strlen($newpass) < 6) {
        echo "<b><font color='red'>Error: Password must be at least 6 characters</font></b><br>";
        $badInput = 1;
    }
    if ($newpass !== $newpass2) {
        echo "<b><font color='red'>Error: New Passwords Don't Match</font></b><br>";
        $badInput = 1;
    }

    if (!$badInput) {
        $pass_file = "/etc/vmail/shadow." . $domain;
        $fp = fopen($pass_file, "r");
        if ($fp == false) {
            echo "<b><font color='red'>Error: Domain " . htmlspecialchars($domain) . " Doesn't Exist</font></b><br>";
        } else {
            while (($line = fgets($fp, 1000)) !== false) {
                $line = trim($line);
                list($f_user, $f_password, $f_last_password_changed, $two, $three, $four, $five, $six) = array_pad(explode(':', $line), 8, "");
                // Strict comparison: == would treat numeric-looking names as equal.
                if ($line != "" and $f_user === $user) {
                    $userFound = 1;
                    // crypt() reads the scheme and salt from the stored hash
                    // itself, so both '$1$...' (MD5-crypt) and two-character
                    // DES salts work without slicing the seed out by hand.
                    $npassword = (string) crypt($passwd, $f_password);
                    // hash_equals() compares in constant time.
                    if ($f_password != "" and hash_equals($f_password, $npassword)) {
                        $success = 1;
                        // New 8-character salt from the crypt alphabet,
                        // drawn from a CSPRNG instead of rand().
                        $alphabet = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
                        $s = "";
                        for ($n = 0; $n < 8; $n++) {
                            $s .= $alphabet[random_int(0, 63)];
                        }
                        $seed = '$1$' . $s . '$';
                        $line = $f_user . ":" . crypt($newpass, $seed) . ":" . floor(time() / 86400) . ":" . $two . ":" . $three . ":" . $four . ":" . $five . ":" . $six . ":";
                    } else {
                        echo "<b><font color='red'>Error: Wrong Password</font></b><br>";
                    }
                }
                if ($line != "") {
                    $write .= $line . "\n";
                }
            }
            fclose($fp);
            if ($success) {
                // LOCK_EX keeps two concurrent password changes from interleaving.
                if (file_put_contents($pass_file, $write, LOCK_EX) === false) {
                    echo "<b><font color='red'>Error: Could Not Write Password File</font></b><br>";
                } else {
                    echo "<b><font color='Blue'>Password Change Succeeded</font></b><br>";
                }
            }
            if (!$userFound) {
                echo "<b><font color='red'>Error: Invalid Email Address</font></b><br>";
            }
        }
    }
}
On 19/03/07, Frank Church <voipfc@googlemail.com> wrote:
> I am looking for PHP functions that implement passwords that match the dovecotpw implementation.
> I downloaded one from PEAR, Crypt_HMAC, but the passwords it generates look nothing like the dovecotpw passwords, which could be my fault because I know nothing about the field.
> Is there a guide or some library that implements them to match dovecotpw?
After some further experimenting and checking the logs I managed to discover the problem. Setting the default_pass_scheme in /etc/dovecot/sql.conf fixed the problem.
Apparently the password scheme used by PostfixAdmin is the MD5-CRYPT type, but I suspect there could be still some issues with password comparison generation in some of its other modules.
/etc/dovecot/sql.conf
default_pass_scheme = MD5-CRYPT
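
The default_pass_scheme fix above and the "easy" MD5/SHA1 schemes mentioned earlier in the thread, as an added PHP example (not code from the thread or from Dovecot). The function names are hypothetical, and the encodings are assumptions about how Dovecot stores these schemes: a leading {SCHEME} prefix overrides the default, PLAIN-MD5 is hex, SHA is base64, and SSHA appends the salt after the digest.

```php
<?php
// Added example: check a password against a stored value by scheme name.
// The encodings per scheme are assumptions, as stated in the lead-in.

function split_scheme(string $stored, string $defaultScheme): array
{
    // "{SCHEME}data" names its own scheme; otherwise the default applies.
    if (preg_match('/^\{([A-Za-z0-9.-]+)\}(.*)$/s', $stored, $m)) {
        return [strtoupper($m[1]), $m[2]];
    }
    return [strtoupper($defaultScheme), $stored];
}

function verify_password(string $plain, string $stored, string $defaultScheme): bool
{
    [$scheme, $data] = split_scheme($stored, $defaultScheme);
    switch ($scheme) {
        case 'MD5-CRYPT':
            // Accept only real $1$ hashes, then let crypt() reuse the stored salt.
            if (strncmp($data, '$1$', 3) !== 0) {
                return false;
            }
            return hash_equals($data, (string) crypt($plain, $data));
        case 'PLAIN-MD5':                     // hex MD5, unsalted
            return hash_equals(strtolower($data), md5($plain));
        case 'SHA':                           // base64 SHA-1, unsalted
            return hash_equals($data, base64_encode(sha1($plain, true)));
        case 'SSHA':                          // base64(SHA-1(pass . salt) . salt)
            $raw = base64_decode($data, true);
            if ($raw === false || strlen($raw) <= 20) {
                return false;
            }
            return hash_equals(substr($raw, 0, 20), sha1($plain . substr($raw, 20), true));
        default:
            return false;                     // unknown scheme: fail closed
    }
}

// Constructed sample values, generated here rather than taken from the thread.
$md5crypt = crypt('secret', '$1$saltsalt$');
$ssha     = base64_encode(sha1('secret' . 'abcd', true) . 'abcd');

var_dump(verify_password('secret', $md5crypt, 'MD5-CRYPT'));        // unprefixed hash, matching default
var_dump(verify_password('secret', $md5crypt, 'PLAIN-MD5'));        // same hash, wrong default scheme
var_dump(verify_password('secret', '{SSHA}' . $ssha, 'MD5-CRYPT')); // prefix overrides the default
var_dump(verify_password('wrong', '{MD5-CRYPT}' . $md5crypt, 'SHA'));
```

The second call shows the failure mode from the thread: a correct password is rejected when an unprefixed MD5-CRYPT hash is read under a different default scheme.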
participants (4): Chris Laif, Frank Church, Marc Perkel, Timo Sirainen