[Dovecot] How to manually generate a password hash
Professa Dementia
professa at dementianati.com
Sun Apr 14 13:24:38 EEST 2013
On 4/13/2013 7:10 PM, David Murphy wrote:
> Hi folks. I've recently set up a Postfix 2.9.6/Dovecot 2.0.19 IMAPS/SMTPS setup on Ubuntu 12.04.2 (Mysql backend). I'm new to all this, so I apologize if this is fairly basic. I've attempted to the best of my ability to search for an answer, but no luck so far.
>
> What I'm trying to do is generate a password hash that I can inject directly into my Mysql database (disaster recovery sort of situation). Towards that goal, I'm trying to use 'doveadm pw' to generate a hash that matches a known password in my database. Unfortunately, I'm coming up empty.
>
> My default_pass_scheme in dovecot-sql.conf is set to MD5-CRYPT, and the passwords in the database have no scheme prefixes. I'm attempting to generate a hash with:
>
> sudo doveadm pw -s 'MD5-CRYPT'
>
> but the hash generated does not match the user's password hash in the database, which is known to be a good password. I'm able to log into this account successfully in both Roundcube and a remote IMAP client. I've also tried using the -p flag and including the password in the command, and that doesn't do it either, though it oddly gives a different response than using the prompt. (What causes this? Newlines?)
>
> So... what am I missing? If the hash was salted, it would seem the hashes in the database would be longer than the ones generated at the command line, but that isn't the case. I'm out of ideas. Any guidance appreciated.
>
> -Dave
>
>
1) If your passwords are of the format $1$..., then they are in standard
crypt md5 format. They are salted. The salt is between the second and
third $ and the actual hash follows the third $.
2) The version of Dovecot you are running has several bugs in "doveadm
pw" that you might be encountering. This will prevent you from
verifying the hashes. Some of these have been fixed in the current release.
Try the following command. This should give you a "verified" response
on a patched version of doveadm. (NOTE this command is all on one line,
but may wrap in the email).
doveadm pw -s MD5-CRYPT -p abc123 -t '$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1'
It should reply:
$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1 (verified)
Or possibly (depending on the version of dovecot you run):
{MD5-CRYPT}$1$85P5.CAv$tqx.O2iZwnIZjuMQ7fo6m1 (verified)
If you do not get one of the above responses to the test, you should
upgrade, since your doveadm is broken.
To test your hashes, use the above command format substituting your
password after -p and your hash after -t. This is only if your hashes
begin with $1$..., however. If they do not, then they are not in crypt
md5 format and you will need to figure out what format they are.
Once again, however, you need to be running at least 2.1.17, I believe,
or maybe a recent release of 2.2 that has the doveadm patches.
Dem
More information about the dovecot
mailing list