Fix for SSHA Dovecot Scheme Problems [Issue #20] #53
vogan wants to merge 1 commit into opensolutions:master from
Conversation
Updated Dovecot.php to provide a generate and check password function and implemented support for the SSHA* algorithms of Dovecot. For those three algorithms, no shell access is required; the others fall back. Mailbox.php provides a function to check a password. For Dovecot SHA schemes, the new check_password function in Dovecot.php is used. Others are handled as before. AuthController relies on the new check function located in Mailbox.php.
Hello, I've replaced all three files, but the user still can't update his password (using SHA512-CRYPT). Same error: "Invalid username or password...". Using other password schemes, e.g. crypt or md5.crypt, everything works OK.
As mentioned in my commit message, only the SSHA* password schemes are supported. Sorry, your scheme is not implemented, and therefore the code falls back to the original workflow. You could implement SHA512-CRYPT yourself or consider switching to SSHA512, but SSHA512 is less secure than SHA512-CRYPT when it comes to hashing. Using SSHA512, you can restrict PHP so that it is not allowed to access data other than the installation directory and is not able to issue shell commands, which gives you another layer of security for your PHP setup. It's up to you; the best thing would be an implementation of SHA512-CRYPT, having both benefits.
Thank you very much for the explanation. Yes, I can confirm that after replacing these files, users can update their passwords. I think SSHA512 is quite secure to use.
Dovecot password hashing is part of the core ViMbAdmin 3 now.
barryo, great tool, I just installed it to test it. I am having this issue running V3.0.3. Users cannot change their password from the "Mailbox Password Change" page. I am using "dovecot:SSHA512". When I compare the source against this patch, it appears to be missing, and I am not sure how to apply it, as some of the files don't even seem to exist (models directory). Please advise. Thank you.
I looked into this a bit more. Is all of this code necessary (perhaps I am missing something obvious)? It seems the code could easily be modified to support SHA512-CRYPT, etc.; basically, the -t option needs to be passed to doveadm when verifying that the old password matches. This can be tested easily by generating a password:
/usr/bin/doveadm pw -p k3nd1ll@1 -s SHA512-CRYPT
And then verifying it:
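The thread never shows how the pure-PHP SSHA* check from the pull request and the `doveadm pw -t` fallback suggested in the previous comment fit together, so here is an added example. It is my code, not ViMbAdmin's Dovecot.php or Mailbox.php and not the commit referenced below. It verifies Dovecot's SSHA, SSHA256 and SSHA512 hashes in PHP (Dovecot stores these as base64 of H(password + salt) followed by the salt, under a `{SCHEME}` prefix) and hands every other scheme, such as SHA512-CRYPT, to `doveadm pw -t`. The class name, the `/usr/bin/doveadm` path and the eight-byte salt are assumptions; the hash layout and the doveadm options are Dovecot's.

```php
<?php
// Added example, not ViMbAdmin's own Dovecot.php/Mailbox.php.
// SSHA, SSHA256 and SSHA512 are checked in PHP (no shell needed);
// any other Dovecot scheme falls back to `doveadm pw -t`.
// Assumptions: hashes carry a "{SCHEME}" prefix and doveadm is at /usr/bin/doveadm.

declare(strict_types=1);

final class DovecotPassword
{
    // Dovecot SSHA* layout: base64( H(password . salt) . salt ), H per scheme.
    private const SALTED_SCHEMES = [
        'SSHA'    => 'sha1',
        'SSHA256' => 'sha256',
        'SSHA512' => 'sha512',
    ];

    private const DOVEADM = '/usr/bin/doveadm'; // assumed location

    /** Produce a "{SCHEME}base64" string as `doveadm pw -s SSHA512` would. */
    public static function generate(string $password, string $scheme = 'SSHA512', ?string $salt = null): string
    {
        $scheme = strtoupper($scheme);
        if (!isset(self::SALTED_SCHEMES[$scheme])) {
            throw new InvalidArgumentException("Scheme {$scheme} is not generated here; use doveadm pw -s {$scheme}");
        }
        // Dovecot's verifier derives the salt length from the digest length,
        // so any salt length is accepted; 8 random bytes is an assumption.
        $salt ??= random_bytes(8);
        $digest = hash(self::SALTED_SCHEMES[$scheme], $password . $salt, true);
        return '{' . $scheme . '}' . base64_encode($digest . $salt);
    }

    /** Split "{SCHEME}data" into [scheme, data]; without a prefix the scheme is null. */
    public static function splitScheme(string $stored): array
    {
        if (preg_match('/^\{([A-Za-z0-9.\-]+)\}(.*)$/s', $stored, $m) === 1) {
            return [strtoupper($m[1]), $m[2]];
        }
        return [null, $stored];
    }

    /** True if $password matches the stored Dovecot hash, false otherwise. */
    public static function check(string $password, string $stored): bool
    {
        [$scheme, $data] = self::splitScheme($stored);

        if ($scheme !== null && isset(self::SALTED_SCHEMES[$scheme])) {
            $algo = self::SALTED_SCHEMES[$scheme];
            $raw  = base64_decode($data, true);
            $len  = strlen(hash($algo, '', true)); // digest length for this scheme
            if ($raw === false || strlen($raw) <= $len) {
                return false; // malformed: no room for digest plus salt
            }
            $expected = substr($raw, 0, $len);
            $salt     = substr($raw, $len);
            // Constant-time comparison so the check leaks nothing about the digest.
            return hash_equals($expected, hash($algo, $password . $salt, true));
        }

        // SHA512-CRYPT, MD5-CRYPT and the rest need Dovecot itself.
        return self::checkWithDoveadm($password, $stored);
    }

    /** `doveadm pw -t '{SCHEME}hash' -p password` exits 0 on a match, non-zero otherwise. */
    private static function checkWithDoveadm(string $password, string $stored): bool
    {
        // Both values are user-controlled: escape them before they reach a shell.
        $cmd = escapeshellcmd(self::DOVEADM) . ' pw -t ' . escapeshellarg($stored)
             . ' -p ' . escapeshellarg($password) . ' >/dev/null 2>&1';
        exec($cmd, $out, $rc);
        return $rc === 0;
    }
}

// Constructed sample; "k3nd1ll@1" is the test password used in the comment above.
$stored = DovecotPassword::generate('k3nd1ll@1', 'SSHA512');
var_dump(DovecotPassword::check('k3nd1ll@1', $stored));
var_dump(DovecotPassword::check('wrong-password', $stored));
```

Two caveats a practitioner would want: passing the candidate with `-p` puts it in doveadm's argument list, where other local users can read it from the process table for the lifetime of the call, and the PHP branch only handles the plain base64 form, so a stored scheme with one of Dovecot's encoding suffixes (for example `{SSHA512.HEX}`) is not recognised here and falls through to doveadm.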
The code in this pull request is out of date with V3, but I've fixed it in 1b74a2d. Make sure you also do a
Awesome! Thanks for the quick fix. To clarify for other users, the new code (in V3.0.4) should resolve all Dovecot auth issues (SHA512-CRYPT, SSHA512, etc.).
Another fix for Issue #20, which doesn't allow users to change their password when the secure password hashing scheme SSHA512 (and others) is used.
I tested this fix in my setup with SSHA512. Please review this fix and test it with other schemes. Maybe other Dovecot schemes could be implemented, as this should be very easy. As I lack the time to do and test everything, I just implemented the parts I use in my setups.