
v3.2.4: setup_password encryption - linux command #538

Closed
volker-raschek opened this issue Sep 3, 2021 · 4 comments

Comments

@volker-raschek

Hello all,
I found out that $CONF['setup_password'] contains a bcrypt hash when the user generates the setup_password via the GUI in the current version. How is the hash for the password generated in version 3.2.4?

I am looking for the appropriate linux command:

$ # for current master branch
$ htpasswd -bnBC 10 "" "mySecretPassword" | tr -d ':\n'
$2y$10$Jjou1a19C63P1uIiaYziyOJqVUz7.ziwKA6ZUkrMsgEEqgHchJEcS

$ # how should it work for version 3.2.4?
$ ...

Volker

@DavidGoodwin

DavidGoodwin commented Sep 4, 2021

Older variants of Postfixadmin (e.g. 3.2.4) use sha1 ... specifically:

<salt>:sha1(<salt>:<password>)

see also https://github.com/postfixadmin/postfixadmin/blob/postfixadmin_3.2/public/setup.php#L445

@volker-raschek

Hi @DavidGoodwin,
thanks for your help.

I used the following Linux commands in a test environment to generate the setup_password. When I use the plain-text password to create a new admin account, I receive an error that the setup_password is incorrect. Do you have an idea why I get this error?

linux commands

$ POSTFIXADMIN_SETUP_PASSWORD=mySecretPassword123!
$ SALT=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 48 ; echo '')
$ HASHED_PASSWORD=$(echo "${SALT}:${POSTFIXADMIN_SETUP_PASSWORD}" | sha1sum | cut -d " " --fields=1)
$ POSTFIXADMIN_SETUP_PASSWORD="${SALT}:${HASHED_PASSWORD}"
$ echo $POSTFIXADMIN_SETUP_PASSWORD
PUn0er242KapVSe9SXSoXmlgmCk2Ehu1nREcB09BPJBEECaq:dc3cfc0b2cee2037afda894496f99173b95b732e

error

[Screenshot, 2021-09-05 20:19: Postfix Admin error page reporting the setup password as incorrect]

config.local.php

<?php
  $CONF['configured'] = true;
  $CONF['encrypt'] = 'sha512.b64';
  $CONF['fetchmail'] = 'YES';
  $CONF['setup_password'] = 'PUn0er242KapVSe9SXSoXmlgmCk2Ehu1nREcB09BPJBEECaq:dc3cfc0b2cee2037afda894496f99173b95b732e';
 ...
?>

@DavidGoodwin

The salt is a sha1 value ... and I think that's always lower-cased and hexadecimal (presumably), so it couldn't contain letters like P.

@DavidGoodwin

Sorry, I should have been a bit more explicit about how the old setup_password was constructed .... it's the equivalent of :

php -r "echo sha1('salt') . ':' . sha1('salt' . ':' . 'secretpassword');"

e.g.

b295d117135a9763da282e7dae73a5ca7d3e5b11:a67905c589bac366772d10f4f5598d197c7d0893

And verification was a case of doing :

list($salt, $salthash) = explode(':', $hash, 2);
if(sha1($salt . ':' . 'plain text') == $salthash) {
    // looks legit.
}

see also :

function encrypt_setup_password($password, $salt) {
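The construction described in the comments above, as an added example that is neither code from this thread nor from the PostfixAdmin project: one shell function builds a `<salt>:sha1(<salt>:<password>)` string, with the salt itself a sha1 hex digest as stated above, and a second function performs the explode-and-compare verification shown in the PHP snippet. Two details matter in practice. First, the data is fed to `sha1sum` with `printf '%s'` rather than `echo`, because `echo` appends a newline and that newline becomes part of the digested bytes, so the stored hash no longer matches what the application computes. Second, the first stored field must be exactly the 40-character string that is concatenated with the password in the second sha1; if the raw salt material is hashed with the password but its digest is what gets stored, the verification cannot succeed. The function names and the use of `/dev/urandom` piped through `od` for salt material are this example's own choices.

```shell
#!/bin/sh
# Added example, not PostfixAdmin project code: build and check a
# PostfixAdmin 3.2-style setup_password of the form
#   <salt>:sha1(<salt>:<password>)
# where <salt> is itself a sha1 hex digest. Function names and the
# salt-material source (/dev/urandom via od) are this example's choices.
set -eu

# sha1 hex digest of exactly the bytes in $1. printf '%s' is used rather
# than echo so that no trailing newline is included in the digested data.
sha1_hex() {
    printf '%s' "$1" | sha1sum | cut -d ' ' -f1
}

# Print a setup_password string for plaintext $1.
# $2 is optional salt material; if omitted, 32 random bytes are used.
# The stored salt is sha1_hex($2), and that same 40-char hex string is what
# gets hashed together with the password, so verification can recover it
# with explode(':', $hash, 2) exactly as the PHP snippet above does.
pfa_setup_password_hash() {
    local password raw_salt salt
    password=$1
    raw_salt=${2:-}
    if [ -z "$raw_salt" ]; then
        raw_salt=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    fi
    salt=$(sha1_hex "$raw_salt")
    printf '%s:%s\n' "$salt" "$(sha1_hex "${salt}:${password}")"
}

# Check plaintext $2 against stored value $1. Exit status 0 on match,
# 1 otherwise. Split on the first ':' only, mirroring explode(':', $hash, 2).
# A stored value without a ':' is rejected outright rather than compared.
pfa_setup_password_verify() {
    local stored password salt expected
    stored=$1
    password=$2
    case "$stored" in
        *:*) ;;
        *) return 1 ;;
    esac
    salt=${stored%%:*}
    expected=${stored#*:}
    [ "$(sha1_hex "${salt}:${password}")" = "$expected" ]
}

# Demo: generate a value for config.local.php and check that it round-trips.
demo_hash=$(pfa_setup_password_hash 'mySecretPassword123!')
printf "\$CONF['setup_password'] = '%s';\n" "$demo_hash"
if pfa_setup_password_verify "$demo_hash" 'mySecretPassword123!'; then
    echo "verify: ok"
else
    echo "verify: FAILED"
fi
```

The string comparison in the shell verifier is an exact byte comparison, not a constant-time one, so this is a tool for producing and sanity-checking a config value offline, not a login path. Run the script once and paste the printed line into config.local.php; run `pfa_setup_password_verify '<stored value>' '<password>'` to confirm the pair before restarting the web application.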
