Hi everyone, I finally got motivated to move away from crypt passwords since on my system that limits the passwords to 8 characters. What I settled on was SHA, since it seems to be supported everywhere I need it. Unfortunately, I can't get it to work anywhere and I can't tell why.
I store my account data in MySQL. I changed the contents of my encrypted password field (that was working 100% with crypt passwords) to look like this:

{SHA}9afab6adfc0ec3d458fa314ddfd9b764e963144f

To do that, I used MySQL's SHA (or SHA1) function in an update query like this:

.... CONCAT('{SHA}', SHA('password')) ....

AFAIK, Courier authlib takes it from there, using the fact that it starts with "{SHA}" to know what to do with it. Unfortunately, it does not seem to think the passwords match up (to test, I just logged in to IMAP from the command line and issued a login request):

Oct 29 01:43:44 mail imapd: Connection, ip=[::ffff:127.0.0.1]
Oct 29 01:43:44 mail authdaemond: received auth request, service=imap, authtype=login
Oct 29 01:43:44 mail authdaemond: authmysql: trying this module
Oct 29 01:43:44 mail authdaemond: authmysqllib: connected. Versions: header 50045, client 50045, server 50045
Oct 29 01:43:44 mail authdaemond: SQL query: SELECT email, password, '', uid, gid, home, maildir, quota, realname, '' FROM accounts WHERE email = CONCAT('user', '@', 'example.org') AND enabled = 1
Oct 29 01:43:44 mail authdaemond: supplied password 'password' does not match encrypted password '{SHA}9afab6adfc0ec3d458fa314ddfd9b764e963144f'
Oct 29 01:43:44 mail authdaemond: authmysql: REJECT - try next module
Oct 29 01:43:44 mail authdaemond: authpipe: trying this module
Oct 29 01:43:44 mail authdaemond: authpipe: REJECT - try next module
Oct 29 01:43:44 mail authdaemond: FAIL, all modules rejected
Oct 29 01:43:44 mail imapd: LOGIN FAILED, [EMAIL PROTECTED], ip=[::ffff:127.0.0.1]
Oct 29 01:43:49 mail imapd: Disconnected, ip=[::ffff:127.0.0.1], time=5

For laughs, I tried it without the leading "{SHA}", but no dice. It feels almost like the MySQL SHA function didn't create the right hash, but I tested with PHP's sha1() function and it gives me the same hash code.
Again, this all works great if I remove the "{SHA}" and go back to using MySQL's ENCRYPT() function (which uses my system's crypt()). I was thinking MySQL was the problem, because I also have the exact same rejection from pam-mysql, which I use for SASL auth. I changed it to use crypt=4 in my /etc/pam.d/smtp file, and no matter what I try for the password field, it won't work. So I must be doing something wrong.

If anyone successfully uses SHA with Courier *OR* Pam-mysql, can you give me a hint for what I am doing wrong? I can't for the life of me tell....

TIA!!!
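
Added example, not part of the original post: a check of how the text after "{SHA}" is encoded, with a re-encoding of hex values like the one produced by CONCAT('{SHA}', SHA('password')). It assumes Courier authlib follows the LDAP (RFC 2307) convention, in which "{SHA}" is followed by the base64 of the raw 20-byte SHA-1 digest rather than its 40-character hex form; the function names and the sample value are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import string

PREFIX = "{SHA}"

def sha_scheme(password: str) -> str:
    """Assumed {SHA} format: prefix + base64 of the raw 20-byte SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return PREFIX + base64.b64encode(digest).decode("ascii")

def classify(stored: str) -> str:
    """Report how the text after {SHA} is encoded: 'base64', 'hex' or 'invalid'."""
    if not stored.upper().startswith(PREFIX):
        return "invalid"
    body = stored[len(PREFIX):]
    # 40 hex characters is what MySQL SHA()/SHA1() and PHP sha1() return.
    if len(body) == 40 and all(c in string.hexdigits for c in body):
        return "hex"
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "invalid"
    return "base64" if len(raw) == 20 else "invalid"

def hex_to_sha_scheme(stored: str) -> str:
    """Re-encode a hex-bodied value as base64; the password is not needed."""
    if classify(stored) != "hex":
        raise ValueError("not a hex-encoded {SHA} value")
    raw = bytes.fromhex(stored[len(PREFIX):])
    return PREFIX + base64.b64encode(raw).decode("ascii")

def verify(password: str, stored: str) -> bool:
    """String comparison against the base64 form, done in constant time."""
    return hmac.compare_digest(sha_scheme(password).encode(), stored.encode())

# Constructed sample: the same digest, stored the way the UPDATE query wrote it.
HEX_STORED = PREFIX + hashlib.sha1(b"password").hexdigest()

if __name__ == "__main__":
    print(classify(HEX_STORED), verify("password", HEX_STORED))
    fixed = hex_to_sha_scheme(HEX_STORED)
    print(fixed, classify(fixed), verify("password", fixed))
```

The same digest in its two encodings never compares equal as a string, which is consistent with the "does not match encrypted password" line in the log when the stored value is hex.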