Support more password schemes from passlib #1662
Labels
type/enhancement
Enhances existing functionality
Comments
mlow added a commit to mlow/Mailu that referenced this issue Dec 6, 2020

The SSHA256 and SSHA512 schemes are "pre tagged", i.e. they have `{SSHA256}` or `{SSHA512}` already prepended out of hashlib, so the check_password and set_password logic is modified to support this. passlib was updated to 1.7.4 to add support for `ldap_salted_sha256` and `ldap_salted_sha512`. This addition is particularly useful for users coming from other mail systems (for example, iRedMail). Closes Mailu#1662
I've added a comment on #1194 (comment) regarding introducing new DoS vectors. It may be worth documenting that aspect when new hash schemes are added.
This was referenced Feb 2, 2021
I'm closing this PR. It is not required anymore with the changes from nextgens PR1753.
bors bot added a commit that referenced this issue Mar 8, 2021

1753: Better password storage r=mergify[bot] a=nextgens

## What type of PR?

Enhancement: optimization of the logic to speed up authentication requests, support the import of most hashes passlib supports.

## What does this PR do?

- it changes the default password cold-storage format to sha256+bcrypt
- it enhances the logic to ensure that no CPU cycles are wasted when valid credentials are found
- it fixes token authentication on /webdav/
- it lowers the number of rounds used for token storage (on the basis that they are high-entropy: not bruteforceable and speed matters)
- it introduces a new setting to set the number of rounds used by the password hashing function (CREDENTIAL_ROUNDS). The setting can be adjusted as required and existing hashes will be migrated to the new cost-factor.
- it updates the version of passlib in use and enables all supported hash types (that will be converted to the current settings on first use)
- it removes the PASSWORD_SCHEME setting

### Related issue(s)

- close #1194
- close #1662
- close #1706

## Prerequisites

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
bors bot added a commit that referenced this issue Mar 9, 2021

1753: Better password storage r=nextgens a=nextgens

## What type of PR?

Enhancement: optimization of the logic to speed up authentication requests, support the import of most hashes passlib supports.

## What does this PR do?

- it changes the default password cold-storage format to sha256+bcrypt
- it enhances the logic to ensure that no CPU cycles are wasted when valid credentials are found
- it fixes token authentication on /webdav/
- it lowers the number of rounds used for token storage (on the basis that they are high-entropy: not bruteforceable and speed matters)
- it introduces a new setting to set the number of rounds used by the password hashing function (CREDENTIAL_ROUNDS). The setting can be adjusted as required and existing hashes will be migrated to the new cost-factor.
- it updates the version of passlib in use and enables all supported hash types (that will be converted to the current settings on first use)
- it removes the PASSWORD_SCHEME setting

### Related issue(s)

- close #1194
- close #1662
- close #1706

## Prerequisites

Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
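
The two mechanisms discussed in this thread, verifying a pre-tagged `{SSHA256}`/`{SSHA512}` hash imported from another system and converting it to the current settings on first successful use, shown as an added example that is not Mailu's or passlib's code. It uses only the Python standard library: PBKDF2 stands in for the sha256+bcrypt default, and the `{PBKDF2-SHA256}` tag, `ROUNDS` and every function name are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

LEGACY = {"{SSHA256}": hashlib.sha256, "{SSHA512}": hashlib.sha512}
CURRENT_TAG = "{PBKDF2-SHA256}"  # constructed tag; stand-in for the real default
ROUNDS = 100_000                 # assumed cost setting, in the role of CREDENTIAL_ROUNDS

def make_ssha(password, tag="{SSHA512}", salt=None):
    """Legacy layout: tag + base64(digest(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = LEGACY[tag](password.encode() + salt).digest()
    return tag + base64.b64encode(digest + salt).decode()

def verify_ssha(password, stored):
    tag, _, blob = stored.partition("}")
    algo = LEGACY.get(tag + "}")
    if algo is None:
        return False
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:           # malformed base64 is a failed login, not a crash
        return False
    size = algo().digest_size
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or not salt:
        return False
    return hmac.compare_digest(algo(password.encode() + salt).digest(), digest)

def hash_current(password, rounds=ROUNDS):
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{CURRENT_TAG}{rounds}${salt.hex()}${key.hex()}"

def verify_current(password, stored):
    rounds, salt, key = stored[len(CURRENT_TAG):].split("$")
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(rounds))
    return hmac.compare_digest(got.hex(), key), int(rounds)

def check_password(password, stored):
    """Return (ok, replacement); replacement is the hash to store instead, or None."""
    if stored.startswith(CURRENT_TAG):
        ok, rounds = verify_current(password, stored)
        stale = rounds != ROUNDS     # cost factor changed since this hash was made
    else:
        ok, stale = verify_ssha(password, stored), True   # imported legacy hash
    return ok, (hash_current(password) if ok and stale else None)
```

A failed login never produces a replacement hash, so a wrong guess cannot overwrite the stored credential.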
Before you open your issue
Mailu is made by volunteers in their free time — be concise, civil and accept that delays can occur.
Description
Mailu uses the passlib python library for handling password hashes. The password hashes that can be used must be passed to the constructor of passlib. These are currently the supported hashes.
In the mailu chat someone asked for support for SSHA512 (salted SHA512). It would be nice if we could support more hashing algorithms. This enables users to export/import users from other systems that use these hash algorithms.
What must happen for implementing this enhancement request?
The proper solution is probably to make it possible to configure the scheme_dict via the Mailu.env file. This way you can still add support for other hashes via the mailu.env file.