[Dovecot] salted passwords

Patrick Domack patrickdk at patrickdk.com
Tue Feb 16 21:47:27 EET 2010


Why not make it easy on yourself? Just let Dovecot use crypt, and use
whatever format your system crypt supports.

Personally I'm using a 16-byte salt, sha512 for mine this way. Seems it
should work with everything, that lets you use the system's crypt.

Quoting Leonardo Rodrigues <leolistas at solutti.com.br>:

> On 14/02/2010 04:53, tomas at tuxteam.de wrote:
>>
>> No, just let Dovecot's algorithm do the generation (and later checking)
>> of the password? (I might be misunderstanding your problem, though).
>>
>
>
> Unfortunately I can't do that. I have my own accounts admin
> system, written in PHP, which does mail management (creating
> accounts, changing passwords) ... so I'm afraid I'll have to know
> exactly how to generate them in a way Dovecot is able to handle too.
>
> From the sources in src/auth I can find some interesting information:
>
> /* format: <SHA1 hash><salt> */
>
> and
>
> #define SSHA256_SALT_LEN 4
>
> So the salt really seems to be 4 bytes (which in fact are 8 when
> viewed in hexadecimal), the exact difference between dovecotpw
> non-salted and salted generated passwords.
>
> So would it be enough to generate the password, SHA256 salted, and
> store the salt as the last 8 hexadecimal digits?
>
> The SHA256 hash is 64 characters in hexadecimal, which can be base64
> encoded for being stored shorter.
> The SHA256 salt is 8 characters in hexadecimal, which should be added to
> the end of the SHA256 hash.
>
> so stored password would be:
>
> {SSHA256.hex}GENERATEDSALTEDHASH+GENERATEDSALT
>
> or having the GENERATEDSALTEDHASH+GENERATEDSALT base64 encoded and stored as:
>
> {SSHA256.b64}BASE64ENCODEDGENERATEDSALTEDHASH+GENERATEDSALT
>
> Is that OK?
>
> -- 
>
>
> 	Atenciosamente / Sincerely,
> 	Leonardo Rodrigues
> 	Solutti Tecnologia
> 	http://www.solutti.com.br
>
> 	Minha armadilha de SPAM, NÃO mandem email
> 	gertrudes at solutti.com.br
> 	My SPAMTRAP, do not email it
>

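The salted layout asked about in the quoted message, written out as an added Python example (not part of the original thread and not Dovecot's own code). The function names are hypothetical; it assumes the digest is taken over the password bytes followed by the raw salt, and that a bare `{SSHA256}` prefix means base64.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA256_LEN = 32        # raw digest size in bytes
SSHA256_SALT_LEN = 4   # matches the #define quoted from src/auth


def ssha256_encode(password: str, salt: Optional[bytes] = None,
                   encoding: str = "b64") -> str:
    """Return a {SSHA256.b64} or {SSHA256.hex} string for the password."""
    if salt is None:
        salt = os.urandom(SSHA256_SALT_LEN)  # fresh CSPRNG salt per password
    # Assumption: hash input is password bytes followed by the raw salt.
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    blob = digest + salt                     # raw bytes: <hash><salt>
    if encoding == "hex":
        return "{SSHA256.hex}" + blob.hex()
    if encoding == "b64":
        # base64 covers the raw 36 bytes, not their hexadecimal text
        return "{SSHA256.b64}" + base64.b64encode(blob).decode("ascii")
    raise ValueError("encoding must be 'b64' or 'hex'")


def ssha256_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA256[.b64|.hex]} value."""
    scheme, sep, payload = stored.partition("}")
    if not sep:
        return False
    try:
        if scheme == "{SSHA256.hex":
            blob = bytes.fromhex(payload)
        elif scheme in ("{SSHA256", "{SSHA256.b64"):
            blob = base64.b64decode(payload, validate=True)
        else:
            return False
    except ValueError:                       # malformed hex or base64
        return False
    if len(blob) <= SHA256_LEN:              # no salt appended: reject
        return False
    # Everything after the 32-byte digest is the salt, whatever its length.
    digest, salt = blob[:SHA256_LEN], blob[SHA256_LEN:]
    expected = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time compare
```

With the 4-byte salt the hex form carries 72 hexadecimal digits after the prefix and the base64 form 48 characters, both encoding the same 36 raw bytes.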