At 10:42 AM 3/31/2007, you wrote:
>Hi.
>
>On Saturday, 31 March 2007, James Homuth wrote:
> > >This seems to be hexadecimal encoded (did you use PASSWORD() from a
> > >rather old mysql version?).
> > mysql 5.0 over here.
>
>Uh?
>Which hashing function is this?
>
>MySQL5 normally generates something like this for password:
>
>mysql> select PASSWORD('foo');
>+-------------------------------------------+
>| PASSWORD('foo')                           |
>+-------------------------------------------+
>| *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
>+-------------------------------------------+

Well, on this system, mysql's password function generates 67fada7e716dd205. At least, when I do it through phpmyadmin. Like I said I hadn't gone too deep into configuring this that and the other piece of software yet, since I'm just trying to make courier work on its own before I go throwing more into it that could potentially break.

>But this is out of scope now. ;-)
>
> > >You should use Salted-MD5 as used by the UNIX-Shadow-Passwords (looking
> > > like $1$foobar$...).

Well, userdbpw and mysql's md5 function disagree, so userdbpw's interpretation of it it is.

>Wait...
>
>Your users should not have access to the MySQL-database directly, I think.

They don't. And after I make sure nothing else is going to fall over, I don't intend to either.

>So there must be any frontend for them or for you to create accounts.

Right now, I create accounts either by hand or through phpmyadmin. Because there's only one account on the server right now, and it's a test user, so if I horribly break something, I don't lose anything. And, I might actually learn something from it.

>This frontend has to be changed to use the correct hashing.

I agree, and once I get courier working, I'll go finding one.

>No need for shell accounts to users!
>
>Ah, we've both gone and misunderstood one
>another. I'd originally thought the userdbpw
>command relied on system accounts. Meaning, when
>you were talking about the unix shadow
>passwords, I thought they were updated by that
>program. Which would have defeated the purpose of going the mysql route.

> > If I was creating my own solution for it, that's definitely what I'd
> > do, now that I'm aware mysql's encryption's pretty much useless here.
>
>I did NOT test it, but MySQL's ENCRYPT() gives me this:
>
>mysql> select ENCRYPT('foo');
>+----------------+
>| ENCRYPT('foo') |
>+----------------+
>| wJrLk2nXxP1XE  |
>+----------------+
>
>This looks like the unix-crypt() that is also understood by courier. For
>testing purposes, this may be enough.

My use of the encrypt function gave me what you saw in the query snip of earlier. Granted I didn't do it by hand, but rather through phpmyadmin, but if it's using the exact same functions I don't see what'd change.

>For production use, I would recommend switching to MD5.

And I plan to, now that I know where the problem is.

> > There's my problem. I created the user here just for testing's sake
> > using phpmyadmin. Again, this was when I was thinking mysql's
> > encryption functions would actually accomplish something. Looking for
> > alternatives I go.
>
>For testing purposes, you can use "userdbpw -md5" to create a password hash
>and put this as a regular string in your database.

I think I'll do that. At least for the moment, I'll only have to create about 2 accounts to start off with when I actually take this to production, so it's a solution while I research. Thanks a lot for the pointers.

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
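
Added example, not part of the original thread or of Courier's code: a Python check that sorts stored password values by the formats quoted above, so rows written with MySQL's PASSWORD() can be found and re-hashed. The format names, the advice strings, the logins and the md5-crypt placeholder value are assumptions made for this illustration.

```python
import hashlib
import re

# Shapes of the password strings quoted in the thread. The advice column
# restates what the thread says about using each with Courier.
FORMATS = [
    ("md5-crypt", re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"), "use"),
    ("des-crypt", re.compile(r"[./0-9A-Za-z]{13}"), "testing only"),
    ("mysql41", re.compile(r"\*[0-9A-F]{40}"), "re-hash"),
    ("mysql-old", re.compile(r"[0-9a-f]{16}"), "re-hash"),
]

def classify(stored):
    """Return (format_name, advice) for one stored password value."""
    value = stored.strip()
    for name, pattern, advice in FORMATS:
        if pattern.fullmatch(value):
            return name, advice
    return "unknown", "inspect manually"

def mysql41_password(password):
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex SHA1(SHA1(password)), unsalted."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def audit(rows):
    """Return (login, format, advice) for every row not already md5-crypt."""
    findings = []
    for login, stored in rows:
        name, advice = classify(stored)
        if advice != "use":
            findings.append((login, name, advice))
    return findings

# Constructed rows: logins are made up; the first three values are the strings
# quoted in the thread, the last is a placeholder with the md5-crypt shape.
SAMPLE_ROWS = [
    ("test1", "67fada7e716dd205"),
    ("test2", "*F3A2A51A9B0F2BE2468926B4132313728C250DBF"),
    ("test3", "wJrLk2nXxP1XE"),
    ("test4", "$1$foobar$" + "x" * 22),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
    # Unsalted: the same password always yields the same stored string.
    print(mysql41_password("foo") == mysql41_password("foo"))
```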