Hi. Am Samstag, 31. März 2007 schrieb James Homuth: > >This seems to be hexadecimal encoded (did you use PASSWORD() from a > >rather old > >mysql version?). > mysql 5.0 over here.
Uh?
Which hasing function is this?
MySQL5 normally generates somthing like this for password:
mysql> select PASSWORD('foo');
+-------------------------------------------+
| PASSWORD('foo') |
+-------------------------------------------+
| *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
+-------------------------------------------+
But this is out of scope now. ;-)
> >You should use Salted-MD5 as used by the UNIX-Shadow-Passwords (looking
> > like $1$foobar$...).
> Will that mesh with the cryptpw field in authmysqlrc or will I have
> to switch to clearpw?
No! cryptpw is just fine.
clearpw is ONLY needed when you have to provide CRAM authentication methods.
in that case, it must really hold the CLEAR password. That's why one doesn't
want his provider to offer CRAM. ;-)
> >One way to get them is to use "userdbpw -md5" on the command line.
> I'm trying to eliminate the need for system accounts just for
> checking mail, because I'm the only person who's actually going to
> *need* a system account.
Wait...
Your users should not have access to the MySQL-database directly, I think. So
there must be any frontend for them or for you to create accounts.
This frontend has to be changed to use the correkt hashing.
No need for shell accounts to users!
> If I was creating my own solution for it, that's definitely what I'd
> do, now that I'm aware mysql's encription's pretty much useless here.
I did NOT test it, but MySQL's ENCRYPT() gives me this:
mysql> select ENCRYPT('foo');
+----------------+
| ENCRYPT('foo') |
+----------------+
| wJrLk2nXxP1XE |
+----------------+
This looks like the unix-crypt() that is also understood by courier. For
testing purposes, this may be enough.
For production use, I would recommand switching to MD5.
> There's my problem. I created the user here just for testing's sake
> using phpmyadmin. Again, this was when I was thinking mysql's
> encription functions would actually accomplish something. Looking for
> alternatives I go.
For testing purposes, you can use "userdbpw -md5" to create a password hash
and put this as a regular string in your database.
cu, Bernd
--
Es vergeht kein Tag an dem ich nicht alles wieder infrage stelle.
- André Gide (frz. Schriftsteller)
pgprErBzMs8sy.pgp
Description: PGP signature
------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
