Automatic DB password hash scheme selection
Hi all,
Is there a way to get dovecot to recognize arbitrary password hash schemes when looking up a password in a database? I originally set up with #default_pass_scheme = MD5, and I would like to migrate to SHA512.
Seeing as the scheme is actually stored in the password column along with the password in the format $<scheme#>$<salt>$<passwordhash>, it seems to me that dovecot should be able to look at the scheme number and simply do the right thing. If this is possible, then migrating passwords over would be much easier, since people will still be able to log in with their old MD5-hashed password and the changer can be set up to hash with the new method.
Is this possible currently? Thanks,
Kurt
On 08.09.2017 06:16, Kurt Fitzner wrote:
> Hi all,
> Is there a way to get dovecot to recognize arbitrary password hash schemes when looking up a password in a database? I originally set up with #default_pass_scheme = MD5, and I would like to migrate to SHA512.
> Seeing as the scheme is actually stored in the password column along with the password in the format $<scheme#>$<salt>$<passwordhash>, it seems to me that dovecot should be able to look at the scheme number and simply do the right thing. If this is possible, then migrating passwords over would be much easier, since people will still be able to log in with their old MD5-hashed password and the changer can be set up to hash with the new method.
> Is this possible currently? Thanks,
> Kurt
Hi!
Prefix with {SCHEME}.
Aki
>> Hi all,
>> Is there a way to get dovecot to recognize arbitrary password hash schemes when looking up a password in a database? I originally set up with #default_pass_scheme = MD5, and I would like to migrate to SHA512.
>> Is this possible currently? Thanks,
>> Kurt
> Hi!
> Prefix with {SCHEME}.
Hi Aki,
Thanks for the tip. This works, but when implementing it I discovered that just setting the password type generically to 'CRYPT' will let Dovecot use the built-in OS crypt decoding of the scheme number already encoded in the password. It now automatically detects MD5, SHA256, and SHA512. If my Linux distribution supported blowfish it would support that too.
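To track a migration like the one discussed in this thread, the following added example (not code from the thread or from Dovecot) reads the {SCHEME} prefix and the crypt(3) identifier from each stored value and lists the accounts that still need rehashing. The function names and the sample rows are hypothetical, and the salts and digests are constructed placeholders.

```python
import re

# crypt(3) hash identifiers: the "scheme number" between the first two '$'.
CRYPT_IDS = {"1": "MD5", "5": "SHA256", "6": "SHA512",
             "2a": "BLOWFISH", "2b": "BLOWFISH", "2y": "BLOWFISH"}
PREFIX_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")   # Dovecot-style {SCHEME} prefix
CRYPT_RE = re.compile(r"^\$([0-9a-z]+)\$")        # $<id>$<salt>$<hash>

def classify(stored):
    """Return (prefix, algorithm) for one stored password value.

    prefix is the {SCHEME} label or None; algorithm comes from the crypt
    identifier, or is None when the value carries no such identifier.
    """
    prefix = None
    m = PREFIX_RE.match(stored)
    if m:
        prefix, stored = m.group(1).upper(), stored[m.end():]
    c = CRYPT_RE.match(stored)
    algorithm = CRYPT_IDS.get(c.group(1), "UNKNOWN") if c else None
    return prefix, algorithm

def pending_rehash(rows, target="SHA512"):
    """Users whose stored hash is not yet the target algorithm."""
    return [user for user, stored in rows if classify(stored)[1] != target]

# Constructed sample rows (user, password column); salts and digests are fake.
SAMPLE_ROWS = [
    ("alice", "$1$abcdefgh$CONSTRUCTED.md5.digest"),
    ("bob",   "{CRYPT}$6$ijklmnop$CONSTRUCTED.sha512.digest"),
    ("carol", "{SHA512-CRYPT}$6$qrstuvwx$CONSTRUCTED.sha512.digest"),
    ("dave",  "{CRYPT}$5$yzabcdef$CONSTRUCTED.sha256.digest"),
    ("erin",  "{MD5-CRYPT}$1$ghijklmn$CONSTRUCTED.md5.digest"),
]

if __name__ == "__main__":
    for user, stored in SAMPLE_ROWS:
        print(user, *classify(stored))
    print("still to migrate:", pending_rehash(SAMPLE_ROWS))
```

Values that come back with no prefix and no crypt identifier depend entirely on the configured default scheme and are worth reviewing by hand.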
participants (2)
- Aki Tuomi
- Kurt Fitzner