I guess that a couple of lines could be added to the script below to test if the clear text password, hashed with the extracted salt, matches the hashed password (see below). If so, skip the user/domain entry. If not, set the clear text password to 'null'.

if [ "$hashedpasswd" != "$(openssl passwd -1 -salt "$usersalt" "$userpasswd")" ]; then
    # clear entry: the clear text no longer matches the stored $1$ hash
    echo "update $domain set pw_clear_passwd='' where pw_name='$user';" | mysql -u root -p"$pass" vpopmail
fi

-EricB
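The check sketched above, as an added example that is not part of this thread or of the qmailtoaster scripts: rather than shelling out to `openssl passwd -1`, it re-implements MD5-crypt (the `$1$` scheme the list is discussing) in pure Python, takes the salt from the stored `$1$salt$hash` value, re-hashes the clear text and compares. The function names are my own; the decision function returns the rule from the post (keep a matching entry, null a stale one).

```python
import hashlib
import hmac

# crypt(3)'s base64 alphabet, used by MD5-crypt ($1$) for the hash field
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # emit `count` 6-bit groups of `value`, least significant first
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def md5crypt(password, salt):
    """MD5-crypt as produced by `openssl passwd -1 -salt SALT PASSWORD` (pure Python)."""
    pw = password.encode()
    salt = salt.split("$")[0][:8].encode()          # at most 8 chars, stops at '$'
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    pl = len(pw)
    while pl > 0:                                   # mix in alt, 16 bytes per 16 bytes of pw
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                                        # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                           # 1000 stretching rounds
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + enc

def clear_passwd_matches(hashed, clear):
    """Re-hash `clear` with the salt field of `hashed` ('$1$salt$hash' format) and compare."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an MD5-crypt ($1$) hash: " + hashed)
    return hmac.compare_digest(md5crypt(clear, parts[2]), hashed)

def should_null_clear_passwd(hashed, clear):
    """The rule from the post: keep an entry whose clear text matches the hash, null a stale one."""
    return not clear_passwd_matches(hashed, clear)
```

`md5crypt("password", "xxxxxxxx")` reproduces the value documented for `openssl passwd -1 -salt xxxxxxxx password`, so the pure-Python check can be compared against the OpenSSL one before it is wired into the script.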


On 10/3/2018 3:48 PM, Eric Broch wrote:
In the meantime, I've written a script to null the clear text pwd field. Look at it, TEST IT, add suggestions, and use at your own risk:

<clearpasswd>

IFS=$'\n'
# MySQL root password, read from the file "pfile" in the current directory
# (note: -p$pass puts it on the mysql command line, where other local users can see it in the process list)
pass=$(cat pfile)
# every vpopmail table is a domain, except dir_control, valias, lastauth and the header line
for domain in $(echo "show tables" | mysql -u root -p"$pass" vpopmail | grep -v dir_control | grep -v Tables_in_vpopmail | grep -v valias | grep -v lastauth)
do
    for user in $(echo "select pw_name from $domain" | mysql -u root -p"$pass" vpopmail | grep -v pw_name)
    do
       # show the clear text password before ...
       clear=$(echo "select pw_clear_passwd from $domain where pw_name='$user'" | mysql -u root -p"$pass" vpopmail | grep -v pw_clear_passwd)
       echo "$user:$domain:($clear)"
       # the actual nulling step, left commented out until the output above has been checked:
       # echo "update $domain set pw_clear_passwd='' where pw_name='$user';" | mysql -u root -p"$pass" vpopmail
       # ... and after the update, so the two lines can be compared
       clear=$(echo "select pw_clear_passwd from $domain where pw_name='$user'" | mysql -u root -p"$pass" vpopmail | grep -v pw_clear_passwd)
       echo "$user:$domain:($clear)"
       echo "--------------------------------------------------------------------------"
    done
done

</clearpasswd>


Eric


On 10/3/2018 3:30 PM, Dan McAllister - QMT DNS wrote:
One more item -- I agree that the password hashing algorithm could stand to be updated -- and there is NOT a backward compatibility issue with updating our algorithms because the mechanism is CODED to show which algorithm is used (the $1$ currently there, maybe a $6$ in the future?)

However, we would need to check with the qmail code, as well as DoveCot, to determine if they can support/recognize those other algorithms.

Dan

-----Original Message-----
From: Eric Broch <ebr...@whitehorsetc.com>
Sent: Wednesday, October 3, 2018 4:34 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Passwords after backup/restore

The newer DoveCot IMAP server "appears" to be authenticating against
the cleartext password
It does. I checked the code.

I've submitted a question to the Dovecot mailing list concerning this, that is, whether there is a configuration option to authorize against the hash, or whether there is an option at compile or link time to accomplish the same. It'd be nice to have a configuration option, IMHO, that way no re-compilation would be necessary.



--
Eric Broch
White Horse Technical Consulting (WHTC)


---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
