> > > > > I finally got motivated to move away from crypt passwords since on my
> > > > > system that limits the passwords to 8 characters.  What I settled on was
> > > > > SHA, since it seems to be supported everywhere I need it.  Unfortunately,
> > > > > I can't get it to work anywhere and I can't tell why.
> > > > > 
> > > > > I store my account data in MySQL.  I changed the contents of my encrypted
> > > > > password field (that was working 100% with crypt passwords) to look like
> > > > > this:
> > > > > 
> > > > > {SHA}9afab6adfc0ec3d458fa314ddfd9b764e963144f
> > > > 
> > > > This is a MySQL-specific hex-encoded password.
> > > > 
> > > > For Courier to recognize SHA passwords, they have to be base64-encoded, not
> > > > hex-encoded, like it's done by OpenLDAP and other systems.
> > > 
> > > Ah, I see.  That kind of encoding is also what PHP does by default unless you
> > > ask for the raw hash in PHP5+.
> > > 
> > > Does anyone know if there is any way to produce a base64-encoded SHA hash using
> > > MySQL?  Does anyone here use MySQL and something other than crypt passwords?
> > > What do others do to avoid the 8 character limit (ideally, I like SSHA or
> > > something else where a salt can be used)?
> > 
> > Bump.
> > 
> > Can anyone explain what they use to host passwords with more than 8 characters
> > in a MySQL-backed virtual accounts system?  Most tutorials/howto guides mostly
> > avoid the topic completely.  I also use pam-mysql for sasl authentication, which
> > limits my choices, but it seems to support SHA passwords.  Is the only way to
> > make base64-encoded SHA passwords to write a PHP script (PHP 5+ only) to do it
> > the long way or learn to do it in another language???
> 
> So is everyone just using plain crypt?  Does anyone care about better password
> security??
> 
> I did a little bit more looking today and I see that pam-mysql supports system
> crypt WITH md5.  I think (but have not tested) that this means that it takes an
> md5 of the password first and then crypts it.  (Note that I hate to think it
> does the opposite, because if you have the 8 character limit in crypt(),
> crypting it and THEN taking the md5 won't solve that problem!)  Does anyone know
> for sure how it works?

Oops.  Be sure to disregard that last paragraph.  I was just guessing based on
the name.  I think the algorithm is just different altogether.  It's not just
"md5-then-crypt".  But the good thing is that courier automagically recognizes
this kind of password and knows what to do with it, and pam-mysql does the
right thing if you make sure to turn password encryption to 3 and enable the
md5 setting.  And most everyone else knows what to do, too, like the MySQL
encrypt() command; just make sure you have an 8-character salt preceded by $1$
and followed by an (apparently optional) $.

> Since feedback seems in short supply, I think I will try this some time soon,
> but the outstanding question is if Courier can be taught how to deal with this
> kind of "MD5CRYPT" password format???
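The base64 encoding the thread asks about, as an added example (Python; not code from the thread, from Courier or from pam-mysql): hex_to_courier_sha re-encodes the hex value MySQL's SHA1() returns (the digest shown in the quoted message) into the {SHA} string Courier reads, make_ssha builds the salted {SSHA} form the poster wanted, and verify_password checks a candidate against either. The function names and the 4-byte salt length are my choices, not anything the thread specifies.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # a SHA-1 digest is always 20 bytes; anything after it in {SSHA} is salt


def hex_to_courier_sha(hex_digest: str) -> str:
    """Re-encode MySQL's SHA1() hex output as the {SHA}base64 string Courier reads.

    Same digest, different encoding: base64 of the raw 20 bytes, not 40 hex chars.
    (MySQL 5.6+ can do it in SQL: CONCAT('{SHA}', TO_BASE64(UNHEX(SHA1(pw)))).)
    """
    return "{SHA}" + base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def make_sha(password: str) -> str:
    """Unsalted {SHA} entry; equal passwords give equal fields (no salt)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} entry: base64(sha1(password || salt) || salt).

    The salt is appended in clear so the verifier can recover it.
    """
    if salt is None:
        salt = os.urandom(4)  # 4 bytes is this example's choice; any length works
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, password: str) -> bool:
    """Check a password against a {SHA} or {SSHA} field; any other format fails.
    A {SHA} whose body is hex (the quoted message's case) decodes to the wrong
    bytes and fails too."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(password.encode("utf-8")).digest()
    elif stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
        actual = hashlib.sha1(password.encode("utf-8") + salt).digest()
    else:
        return False
    return hmac.compare_digest(expected, actual)  # constant-time comparison
```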

_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap