Problem description: Authentication is successful as long as the
password provided starts with and contains the entire encrypted
password, but additional characters are allowed
Example: Password is 'HornsbyIT'
HornsbyIT - success
HornsbyITtest - success
testHornsbyIT - fail
Hornsby - fail
* The operating system and version you are running
CentOS Linux version 2.6.18-028stab062.3 (r...@rhel5-64-build) (gcc
version 4.1.2 20070626 (Red Hat 4.1.2-14)) #1 SMP Thu Mar 26 14:46:38 MSK 2009
* The versions of packages you have installed
courier-authlib 0.62.2
* The ./configure command line you gave to build it
./configure \
--prefix=/usr/local/courier-authlib \
--without-ipv6 \
--disable-root-check \
--without-authpwd \
--without-authshadow \
--without-authuserdb \
--without-authpgsql \
--without-authldap \
--without-authvchkpw \
--without-authcustom \
--without-authpam \
--without-authpipe \
--with-authmysql \
--with-authdaemon \
--with-redhat
* The versions of any other relevant software which you are linking
against, e.g. openldap, mysql, pgsql
mysql 5.0.45-log
* The transcript of the 'telnet' session you used to manually test
server connections
# ./authtest -s pop3 [email protected] HornsbyITExtraTextIsIgnored
Authentication succeeded.
Authenticated: [email protected] (uid 1001, gid 1001)
Home Directory: /var/vmail
Maildir: hornsbyit.net.au/test/Maildir/
Quota: 20971520S
Encrypted Password: qGu7ggIwKRmU.
Cleartext Password: HornsbyITExtraTextIsIgnored
Options:
disableimap=0,disablepop3=0,disablewebmail=0,wbnochangepass=1,wbusexsender=1,disableshared=1,wbnodsn=1
* The corresponding debug output which was generated for that session
Jul 10 12:36:16 bear authdaemond: received auth request,
service=pop3, authtype=login
Jul 10 12:36:16 bear authdaemond: authmysql: trying this module
Jul 10 12:36:16 bear authdaemond: authmysqllib: connected. Versions:
header 50045, client 50045, server 50045
Jul 10 12:36:16 bear authdaemond: SQL query: SELECT
concat(`mailbox`,'@',`domain`), password, clear_password, '1001',
'1001', '/var/vmail', CONCAT(maildir,"Maildir/"),
CONCAT(mailquota*1024*1024,"S"), name,
CONCAT("disableimap=",disableimap,",disablepop3=",disablepop3,",disablewebmail=",disablewebmail)
FROM mailbox WHERE concat(`mailbox`,'@',`domain`) =
'[email protected]' AND (active='1')
Jul 10 12:36:16 bear authdaemond: password matches successfully
Jul 10 12:36:16 bear authdaemond: authmysql: sysusername=<null>,
sysuserid=1001, sysgroupid=1001, homedir=/var/vmail,
[email protected], fullname=<null>,
maildir=hornsbyit.net.au/test/Maildir/, quota=20971520S,
options=disableimap=0,disablepop3=0,disablewebmail=0
Jul 10 12:36:16 bear authdaemond: authmysql: clearpasswd=ClearPass,
passwd=qGu7ggIwKRmU.
Jul 10 12:36:16 bear authdaemond: Authenticated: sysusername=<null>,
sysuserid=1001, sysgroupid=1001, homedir=/var/vmail,
[email protected], fullname=<null>,
maildir=hornsbyit.net.au/test/Maildir/, quota=20971520S,
options=disableimap=0,disablepop3=0,disablewebmail=0
Jul 10 12:36:16 bear authdaemond: Authenticated:
clearpasswd=HornsbyITExtraTextIsIgnored, passwd=qGu7ggIwKRmU.
* The contents of relevant configuration files, e.g. authldaprc,
authmysqlrc, imapd, pop3d
#authmysqlrc
MYSQL_SERVER localhost
MYSQL_USERNAME removed-for-security
MYSQL_PASSWORD removed-for-security
MYSQL_SOCKET /var/lib/mysql/mysql.sock
MYSQL_PORT 0
MYSQL_OPT 0
MYSQL_DATABASE postfix
MYSQL_USER_TABLE mailbox
MYSQL_CRYPT_PWFIELD password
MYSQL_CLEAR_PWFIELD clear_password
MYSQL_UID_FIELD '1001'
MYSQL_GID_FIELD '1001'
MYSQL_LOGIN_FIELD concat(`mailbox`,'@',`domain`)
MYSQL_HOME_FIELD '/var/vmail'
MYSQL_NAME_FIELD name
MYSQL_MAILDIR_FIELD CONCAT(maildir,"Maildir/")
MYSQL_QUOTA_FIELD CONCAT(mailquota*1024*1024,"S")
MYSQL_AUXOPTIONS_FIELD
CONCAT("disableimap=",disableimap,",disablepop3=",disablepop3,",disablewebmail=",disablewebmail)
MYSQL_WHERE_CLAUSE active='1'
#authdaemonrc
authmodulelist="authmysql"
authmodulelistorig="authmysql"
daemons=5
authdaemonvar=/usr/local/courier-authlib/var/spool/authdaemon
DEBUG_LOGIN=1
DEFAULTOPTIONS="wbnochangepass=1,wbusexsender=1,disableshared=1,wbnodsn=1"
LOGGEROPTS=""
* A copy of the database entry you are trying to authenticate
against: e.g. the line from your userdb file, an LDAP entry, a row
from your mysql table, the line in /etc/password, etc.
+--------------------------------+---------------+----------------+
| concat(`mailbox`,'@',`domain`) | password      | clear_password |
+--------------------------------+---------------+----------------+
| [email protected]              | qGu7ggIwKRmU. | ClearPass      |
+--------------------------------+---------------+----------------+
Note: the password hash was derived via <?php base64_encode(mhash(MHASH_SHA256, 'HornsbyIT')); ?>
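An added audit helper (example code written for this note, not part of courier-authlib or the reporter's setup). The 13-character value in the `password` column has the shape of a traditional DES crypt(3) string, and that scheme feeds only the first 8 characters of the password into the hash, which would produce exactly the success/fail pattern in the problem description. Treating the stored value as DES crypt is an inference from its format, not something the report states; the rows below are constructed, and the second hash is a placeholder.

```python
import re

# Traditional DES crypt(3): 13 chars from [./0-9A-Za-z] (2-char salt + 11-char hash).
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: "$<id>$..." (md5-crypt, sha-crypt, bcrypt, ...).
MODULAR_RE = re.compile(r"^\$([^$]+)\$")

# Number of password characters the scheme actually hashes; None = all of them.
KEY_LIMITS = {"des-crypt": 8, "bcrypt": 72}
MODULAR_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

def hash_scheme(stored):
    """Heuristically classify a stored hash; returns (scheme, significant_chars)."""
    if DES_CRYPT_RE.match(stored):
        return "des-crypt", KEY_LIMITS["des-crypt"]
    m = MODULAR_RE.match(stored)
    if m:
        ident = m.group(1)
        if ident in ("2", "2a", "2b", "2y"):
            return "bcrypt", KEY_LIMITS["bcrypt"]
        return MODULAR_IDS.get(ident, "modular-" + ident), None
    return "unknown", None

def would_verify(candidate, real_password, stored):
    """Model whether `candidate` verifies against a hash of `real_password`
    made with the scheme of `stored`, given that scheme's key truncation."""
    _, limit = hash_scheme(stored)
    if limit is None:
        return candidate == real_password
    return candidate[:limit] == real_password[:limit]

def audit_rows(rows):
    """Return (login, scheme, limit) for rows whose scheme truncates the password."""
    return [(login, *hash_scheme(stored)) for login, stored in rows
            if hash_scheme(stored)[1] is not None]

# Constructed sample: the hash from the report plus a hypothetical sha512-crypt row.
SAMPLE_ROWS = [
    ("mailbox@example.invalid", "qGu7ggIwKRmU."),
    ("other@example.invalid", "$6$saltsalt$placeholder-not-a-real-hash"),
]

if __name__ == "__main__":
    # Reproduces the four cases from the problem description under the DES model.
    for cand in ("HornsbyIT", "HornsbyITtest", "testHornsbyIT", "Hornsby"):
        print(cand, would_verify(cand, "HornsbyIT", "qGu7ggIwKRmU."))
    print(audit_rows(SAMPLE_ROWS))
```

Rows flagged by audit_rows() are candidates for rehashing with a scheme that uses the whole password (sha512-crypt or bcrypt) at the user's next successful login.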
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users