[Dovecot] CRYPT scheme and 8 character limit

Phil Howard ttiphil at gmail.com
Fri May 7 22:52:03 EEST 2010


On Fri, May 7, 2010 at 15:11, Pascal Volk
<user+dovecot at localhost.localdomain.org> wrote:

> On 05/07/2010 08:16 PM Phil Howard wrote:
> > I've decided that having users supply cleartext passwords for me to encrypt
> > and encode is a bad idea, anyway.  So maybe I won't need dovecotpw.  The
> > idea is that users supply an already-encrypted password.  Most of the users
> > can fetch their login password from /etc/shadow on their own computer.
> >
> > Wiki page http://wiki.dovecot.org/Authentication/PasswordSchemes indicates
> > that scheme name CRYPT is the one that uses the libc crypt() function.  But
> > it also says it uses no more than 8 characters.  Then there is MD5-CRYPT.
> > But that doesn't call crypt(), I presume.  No limit on password size is
> > indicated.  But this at least looks like SOME of the encrypted passwords I
> > have.
> >
> > Other passwords I have have ids indicating SHA-256 and SHA-512.  Here is an
> > example from /etc/shadow that encrypted the clear password
> > "dovecotandpostfix" (in case it is necessary to test it):
> >
> > $6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1
> >
> > The big question is, what scheme name should I use for these passwords?  I
> > can, of course, consider the id (6 in the above example, suggesting SHA-512)
> > if there is one (so far all are like this).  But the other consideration is
> > most of the passwords are longer than 8, some longer than 12, characters.
> > So apparently CRYPT can't be used in those cases (so I can't have the
> > automatic identification of crypt() to detect the scheme).
> >
> > What scheme would I use for the various passwords?  What scheme would be
> > used for the above example for starters?  What if the id is 5 or 1 (the ones
> > documented for the crypt() call)?
> >
>
> {CRYPT}, for SHA-256 and SHA-512. If your {,g}libc supports it, Dovecot
> can use it.
>

Is there another scheme name for it I can use that will still do those
without the 8 character limit?  I want the users to use their full passwords
even with this scheme (or at least one like it).  I know crypt() doesn't
have an 8 character limit, so a scheme that doesn't have such a limit, and
uses crypt(), I would think should work.
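
Added example, not part of the original thread or of Dovecot: a check that could be run on a hash string a user submits from /etc/shadow, reporting which crypt(3) format it is and whether that format limits the password length. The id meanings and the 8-character DES limit are glibc crypt(3) conventions; the names classify, MODULAR, MCF and DES, the strict salt alphabet and the shaped sample values are assumptions made for the example.

```python
import re

# Added example: classify a crypt(3) hash string before storing it.
# Conventions assumed from glibc crypt(3): $1$ = MD5, $5$ = SHA-256,
# $6$ = SHA-512; a bare 13-character string is traditional DES, which
# uses only the first 8 password characters.
MODULAR = {"1": ("MD5", 22), "5": ("SHA-256", 43), "6": ("SHA-512", 86)}

# Conservative assumption: salt and digest restricted to the ./0-9A-Za-z alphabet.
MCF = re.compile(
    r"\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)"
)
DES = re.compile(r"[./0-9A-Za-z]{13}")

# Hash quoted in the message above.
PAGE_HASH = ("$6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aah"
             "ICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1")


def classify(stored):
    """Describe a crypt(3) hash string; return None if it is not one."""
    if DES.fullmatch(stored):
        return {"algorithm": "DES", "max_password_chars": 8, "well_formed": True}
    m = MCF.fullmatch(stored)
    if m is None:
        return None  # cleartext, truncated line, trailing newline, unknown id
    algorithm, digest_len = MODULAR[m["id"]]
    ok = len(m["digest"]) == digest_len
    if m["id"] == "1":
        # MD5-crypt takes no rounds= field and at most 8 salt characters.
        ok = ok and m["rounds"] is None and len(m["salt"]) <= 8
    return {"algorithm": algorithm, "max_password_chars": None, "well_formed": ok}


if __name__ == "__main__":
    samples = [PAGE_HASH,
               "ab" + "c" * 11,               # constructed DES-shaped value
               "$1$saltsalt$" + "x" * 22,     # constructed MD5-crypt-shaped value
               "dovecotandpostfix"]           # cleartext, must be rejected
    for s in samples:
        print(s[:24], "->", classify(s))
```

A result of None or well_formed False is a reason to reject the submission rather than store it.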

