[Dovecot] salted passwords

Leonardo Rodrigues leolistas at solutti.com.br
Mon Feb 15 19:42:35 EET 2010


Em 14/02/2010 04:53, tomas at tuxteam.de escreveu:
>
> No, just let Dovecot's algorithm do the generation (and later checking)
> of the password? (I might be misunderstanding your problem, though).
>    


     unfortunelly i cant do that. I have my own accounts admin system, 
written in PHP, which does mail management (creating accounts, changing 
passwords) ... so i'm afraid i'll have to know exactly how to generate 
them in a way dovecot is able to handle too.

     from sources on src/auth i can find some interesting informations:

/* format: <SHA1 hash><salt> */

and

#define SSHA256_SALT_LEN 4

so the salt really seems to be 4-byte (which in fact are 8 when watching 
in hexadecimal), the exact difference on dovecotpw non-salted and salted 
generated passwords.

So it would be enough to generate the password, SHA256 salted, and store 
the salt as the last 8 hexadecimal digits ?

SHA256 hash is 64-characteres in hexadecimal, which can be base64 
encoded for being stored shorter.
SHA256 salt is 8-characters in hexadecimal, which should be added to the 
end of the SHA256 hash

so stored password would be:

{SSHA256.hex}GENERATEDSALTEDHASH+GENERATEDSALT

or having the GENERATEDSALTEDHASH+GENERATEDSALT base64 encoded and 
stored as:

{SSHA256.b64}BASE64ENCODEDGENERATEDSALTEDHASH+GENERATEDSALT

is that OK ?

-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes at solutti.com.br
	My SPAMTRAP, do not email it






More information about the dovecot mailing list