[Dovecot] CRYPT scheme and 8 character limit

Phil Howard ttiphil at gmail.com
Fri May 7 23:58:27 EEST 2010


On Fri, May 7, 2010 at 15:11, Pascal Volk <user+dovecot at localhost.localdomain.org> wrote:

> On 05/07/2010 08:16 PM Phil Howard wrote:
> > I've decided that having users supply cleartext passwords for me to encrypt
> > and encode is a bad idea, anyway.  So maybe I won't need dovecotpw.  The
> > idea is that users supply an already-encrypted password.  Most of the users
> > can fetch their login password from /etc/shadow on their own computer.
> >
> > Wiki page http://wiki.dovecot.org/Authentication/PasswordSchemes indicates
> > that scheme name CRYPT is the one that uses the libc crypt() function.  But
> > it also says it uses no more than 8 characters.  Then there is MD5-CRYPT.
> > But that doesn't call crypt(), I presume.  No limit on password size is
> > indicated.  But this at least looks like SOME of the encrypted passwords I
> > have.
> >
> > Other passwords I have have ids indicating SHA-256 and SHA-512.  Here is an
> > example from /etc/shadow that encrypted the clear password
> > "dovecotandpostfix" (in case it is necessary to test it):
> >
> > $6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1
> >
> > The big question is, what scheme name should I use for these passwords?  I
> > can, of course, consider the id (6 in the above example, suggesting SHA-512)
> > if there is one (so far all are like this).  But the other consideration is
> > most of the passwords are longer than 8, some longer than 12, characters.
> > So apparently CRYPT can't be used in those cases (so I can't have the
> > automatic identification of crypt() to detect the scheme).
> >
> > What scheme would I use for the various passwords?  What scheme would be
> > used for the above example for starters?  What if the id is 5 or 1 (the ones
> > documented for the crypt() call)?
> >
>
> {CRYPT}, for SHA-256 and SHA-512. If your {,g}libc supports it, Dovecot
> can use it.
>

OK, I looked in the source code and I cannot find any 8 character limit.  So
I'm now guessing that the documentation was really referring to the legacy
algorithm in crypt(), instead of the CRYPT scheme interface to it in
Dovecot.
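
An added example, not part of the original message or of Dovecot: a Python check that reads the `$id$` prefix of a user-supplied crypt() string, names the algorithm, and flags the traditional DES form, which is the one that uses only the first 8 password characters. The function name and the field-shape checks (salt and digest lengths as glibc normally emits them) are assumptions of this example; the second sample value is constructed.

```python
import re

B64 = r"[./0-9A-Za-z]"  # alphabet crypt(3) uses for salts and encoded digests

# $id$ -> (algorithm, usual max salt length, encoded digest length)
MODULAR = {
    "1": ("MD5-crypt", 8, 22),
    "5": ("SHA-256-crypt", 16, 43),
    "6": ("SHA-512-crypt", 16, 86),
}

def classify_crypt_hash(value):
    """Return (algorithm, truncates_at_8, problems) for a crypt(3) string."""
    if not value.startswith("$"):
        # No "$id$" prefix: traditional DES crypt, 2-char salt + 11-char digest.
        if not re.fullmatch(B64 + "{13}", value):
            return ("unknown", False, ["not a 13-character DES crypt string"])
        return ("DES-crypt", True, [])
    parts = value.split("$")  # ['', id, (rounds=N,) salt, digest]
    if len(parts) < 4 or parts[1] not in MODULAR:
        return ("unknown", False, ["unrecognised or incomplete $id$ prefix"])
    name, max_salt, digest_len = MODULAR[parts[1]]
    fields, problems = parts[2:], []
    if fields[0].startswith("rounds="):
        # rounds= is only defined for the SHA-256/SHA-512 variants.
        if parts[1] == "1" or not fields[0][7:].isdigit():
            problems.append("invalid rounds= parameter")
        fields = fields[1:]
    if len(fields) != 2:
        return (name, False, problems + ["expected salt and digest fields"])
    salt, digest = fields
    if not re.fullmatch(B64 + "{1,%d}" % max_salt, salt):
        problems.append("salt not in the usual glibc form")
    if not re.fullmatch(B64 + "{%d}" % digest_len, digest):
        problems.append("digest has wrong length or alphabet")
    return (name, False, problems)

# The hash quoted in the thread, then a constructed DES-shaped string.
PAGE_HASH = ("$6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aah"
             "ICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1")
DES_SHAPED = "abCDEFGHIJKLM"  # constructed, shape only

if __name__ == "__main__":
    for sample in (PAGE_HASH, DES_SHAPED):
        algo, truncates, problems = classify_crypt_hash(sample)
        print(algo, "8-char limit" if truncates else "no 8-char limit", problems)
```
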

