At 12:06 PM 3/31/2007, you wrote:
>At 10:42 AM 3/31/2007, you wrote:
> >Hi.
> >
> >On Saturday, 31 March 2007, James Homuth wrote:
> > > >This seems to be hexadecimal encoded (did you use PASSWORD() from a
> > > >rather old
> > > >mysql version?).
> > > mysql 5.0 over here.
> >
> >Uh?
> >Which hashing function is this?
> >
> >MySQL5 normally generates something like this for password:
> >
> >mysql> select PASSWORD('foo');
> >+-------------------------------------------+
> >| PASSWORD('foo')                           |
> >+-------------------------------------------+
> >| *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
> >+-------------------------------------------+
>
>Well, on this system, mysql's password function
>generates 67fada7e716dd205. At least, when I do
>it through phpmyadmin. Like I said I hadn't gone
>too deep into configuring this that and the other
>piece of software yet, since I'm just trying to
>make courier work on its own before I go throwing
>more into it that could potentially break.
>
> >But this is out of scope now. ;-)
> >
> >
> > > >You should use Salted-MD5 as used by the UNIX-Shadow-Passwords (looking
> > > > like $1$foobar$...).
>Well, userdbpw and mysql's md5 function disagree,
>so userdbpw's interpretation of it it is.
>
> >Wait...
> >
> >Your users should not have access to the MySQL-database directly, I think.
>
>They don't. And after I make sure nothing else is
>going to fall over, I don't intend to either.
>
> >So there must be some frontend for them or for you to create accounts.
>Right now, I create accounts either by hand or
>through phpmyadmin. Because there's only one
>account on the server right now, and it's a test
>user, so if I horribly break something, I don't
>lose anything. And, I might actually learn something from it.
>
> >This frontend has to be changed to use the correct hashing.
>I agree, and once I get courier working, I'll go finding one.
>
> >No need for shell accounts to users!
> >
> >Ah, we've both gone and misunderstood one
> >another. I'd originally thought the userdbpw
> >command relied on system accounts. Meaning, when
> >you were talking about the unix shadow
> >passwords, I thought they were updated by that
> >program. Which would have defeated the purpose of going the mysql route.
>
> > > If I was creating my own solution for it, that's definitely what I'd
> > > do, now that I'm aware mysql's encryption's pretty much useless here.
> >
> >I did NOT test it, but MySQL's ENCRYPT() gives me this:
> >
> >mysql> select ENCRYPT('foo');
> >+----------------+
> >| ENCRYPT('foo') |
> >+----------------+
> >| wJrLk2nXxP1XE  |
> >+----------------+
> >
> >This looks like the unix-crypt() that is also understood by courier. For
> >testing purposes, this may be enough.
>My use of the encrypt function gave me what you
>saw in the query snip of earlier. Granted I
>didn't do it by hand, but rather through
>phpmyadmin, but if it's using the exact same
>functions I don't see what'd change.
>
> >For production use, I would recommend switching to MD5.
>And I plan to, now that I know where the problem is.
>
> > > There's my problem. I created the user here just for testing's sake
> > > using phpmyadmin. Again, this was when I was thinking mysql's
> > > encryption functions would actually accomplish something. Looking for
> > > alternatives I go.
> >
> >For testing purposes, you can use "userdbpw -md5" to create a password hash
> >and put this as a regular string in your database.
>
>I think I'll do that. At least for the moment,
>I'll only have to create about 2 accounts to start
>off with when I actually take this to production,
>so it's a solution while I research. Thanks a lot for the pointers.
>Correction. It was a solution. Until I pasted 
>the userdbpw output into the database as a 
>regular string and authmysql still rejected.
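
An added example, not part of the thread and not Courier or MySQL code: a Python sketch that sorts stored password values by the formats discussed above, so a mismatched hash type in the password column is visible at a glance. The names `classify`, `audit` and `SAMPLE_ROWS` are hypothetical, the `$1$` rows are constructed shapes rather than real hashes, and the whitespace and malformed checks are generic sanity checks, not a diagnosis of the rejection reported above.

```python
import hashlib
import re

# Shapes of the stored-password formats discussed in the thread.
FORMATS = [
    ("mysql41-password", re.compile(r"\*[0-9A-F]{40}")),   # PASSWORD(), MySQL 4.1+
    ("mysql323-password", re.compile(r"[0-9a-f]{16}")),    # pre-4.1 PASSWORD()
    ("md5-crypt", re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")),
    ("des-crypt", re.compile(r"[./0-9A-Za-z]{13}")),       # traditional crypt(3)
    ("raw-md5-hex", re.compile(r"[0-9a-f]{32}")),          # MD5() output
]
# The two formats the thread describes as understood by Courier.
CRYPT_STYLE = {"md5-crypt", "des-crypt"}


def mysql41_password(password: str) -> str:
    """PASSWORD() as of MySQL 4.1: '*' + upper-case hex of SHA1(SHA1(pw))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify(value: str) -> str:
    """Name the format of one stored value, or say why it matches none."""
    if value != value.strip():
        return "stray-whitespace"       # e.g. a newline pasted with the hash
    for name, pattern in FORMATS:
        if pattern.fullmatch(value):
            return name
    if value.startswith("$1$"):
        return "md5-crypt-malformed"    # e.g. cut short by a narrow column
    return "unknown"


def audit(rows):
    """Return (user, format, is_crypt_style) for each (user, value) row."""
    out = []
    for user, value in rows:
        fmt = classify(value)
        out.append((user, fmt, fmt in CRYPT_STYLE))
    return out


# Values quoted in the thread plus constructed rows (labelled above).
SAMPLE_ROWS = [
    ("old", "67fada7e716dd205"),
    ("new", "*F3A2A51A9B0F2BE2468926B4132313728C250DBF"),
    ("des", "wJrLk2nXxP1XE"),
    ("md5c", "$1$foobar$abcdefghijklmnopqrstuv"),
    ("cut", "$1$foobar$abcdefghij"),
    ("nl", "$1$foobar$abcdefghijklmnopqrstuv\n"),
]
```

Only rows whose third field is `True` are in a crypt(3)-style format; the unsalted MySQL `PASSWORD()` formats are a different kind of value altogether.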


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
