Eric,

I am missing something:  what is the utility of keeping the plaintext
passwords for any of the accounts if QMT is 100% functional without them?

I cringe when I use WebMin to click to view the vpopmail database and
literally scroll through cleartext passwords.


-Andy



On 10/3/2018 2:36 PM, Eric Broch wrote:
> I guess that a couple of lines could be added to the script below to test
> if the clear text password with the extracted salt match the hashed
> password (see below). If so skip the user/domain entry. If not set clear
> text password to 'null'
> 
> if [ $hashedpasswd != `openssl passwd -1 -salt $usersalt $userpasswd` ];
> then
> 
> clear entry
> 
> fi
> 
> -EricB
> 
> 
> On 10/3/2018 3:48 PM, Eric Broch wrote:
>> In the meantime, I've written a script to null the clear text pwd
>> field, look at it, TEST IT, add suggestions, and use at your own risk:
>>
>> <clearpasswd>
>>
>> IFS=$'\n'
>> pass=`cat pfile`
>> for domain in `echo "show tables" | mysql -u root -p$pass vpopmail |
>> grep -v dir_control | grep -v Tables_in_vpopmail | grep -v valias |
>> grep -v lastauth`
>> do
>>     for user in `echo "select pw_name from $domain" | mysql -u root
>> -p$pass vpopmail | grep -v pw_name`
>>     do
>>        clear=`echo "select pw_clear_passwd from $domain where
>> pw_name='$user'" | mysql -u root -p$pass vpopmail | grep -v
>> pw_clear_passwd`
>>        echo "$user:$domain:($clear)"
>>        # update $domain set pw_clear_passwd='' where pw_name ='$user';
>>        clear=`echo "select pw_clear_passwd from $domain where
>> pw_name='$user'" | mysql -u root -p$pass vpopmail | grep -v
>> pw_clear_passwd`
>>        echo "$user:$domain:($clear)"
>>        echo
>> "--------------------------------------------------------------------------"
>>
>>     done
>> done
>>
>> </clearpasswd>
>>
>>
>> Eric
>>
>>
>> On 10/3/2018 3:30 PM, Dan McAllister - QMT DNS wrote:
>>> One more item -- I agree that the password hashing algorithm could
>>> stand to be updated -- and there is NOT a backward compatibility
>>> issue with updating our algorithms because the mechanism is CODED to
>>> show which algorithm is used (the $1$ currently there, maybe a $6$ in
>>> the future?)
>>>
>>> However, we would need to check with the qmail code, as well as
>>> DoveCot, to determine if they can support/recognize those other
>>> algorithms.
>>>
>>> Dan
>>>
>>> -----Original Message-----
>>> From: Eric Broch <ebr...@whitehorsetc.com>
>>> Sent: Wednesday, October 3, 2018 4:34 PM
>>> To: qmailtoaster-list@qmailtoaster.com
>>> Subject: Re: [qmailtoaster] Passwords after backup/restore
>>>
>>>> The newer DoveCot IMAP server "appears" to be authenticating against
>>>> the cleartext password
>>> It does. I checked the code.
>>>
>>> I've submitted a question to the Dovecot mailing list concerning
>>> this, that is, whether there is a configuration option to authorize
>>> against the hash, or whether there is an option at compile or link
>>> time to accomplish the same. It'd be nice to have a configuration
>>> option, IMHO, that way no re-compilation would be necessary.
>>>
>>
> 

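The salt-and-recompute check that Eric sketches in his reply (extract the salt from pw_passwd, rehash the stored clear text with `openssl passwd`, and only null pw_clear_passwd when the two disagree), written out as an added example that is not part of the thread or of QMT. It assumes an openssl whose `passwd` supports `-1` and `-6` (OpenSSL 1.1.1 or later for `-6`), and covers the `$6$` scheme Dan mentions as a possible future algorithm as well as the `$1$` one in use today.

```shell
#!/bin/sh
# Added example, not from the thread: decide per vpopmail row whether the
# pw_clear_passwd column can be emptied, by recomputing the crypt hash
# from the stored clear text with the salt taken out of pw_passwd.
# Handles $1$ (MD5, what vpopmail writes today) and $6$ (SHA-512).

# hash_matches HASH CLEAR
#   returns 0 if CLEAR hashes to HASH, 1 if it does not,
#   2 if the scheme cannot be verified with this script
hash_matches() {
    hashed=$1
    clear=$2
    # crypt format is $id$salt$digest; pull out the id and salt fields
    id=$(printf '%s' "$hashed" | cut -d'$' -f2)
    salt=$(printf '%s' "$hashed" | cut -d'$' -f3)
    case "$id" in
        1) opt=-1 ;;
        6) opt=-6 ;;
        *) return 2 ;;
    esac
    # "$6$rounds=N$salt$digest" is valid crypt but not what openssl emits
    case "$salt" in rounds=*) return 2 ;; esac
    # feed the clear text on stdin so it never shows up in a process list
    recomputed=$(printf '%s\n' "$clear" | openssl passwd "$opt" -salt "$salt" -stdin)
    [ "$recomputed" = "$hashed" ]
}

# decide HASH CLEAR
#   prints the action the cleanup loop should take for one row:
#   "keep" (clear text matches the hash; Dovecot still authenticates
#   against it), "null" (clear text is stale, safe to empty),
#   or "skip" (nothing stored, or the scheme cannot be verified)
decide() {
    [ -n "$2" ] || { echo skip; return; }
    rc=0
    hash_matches "$1" "$2" || rc=$?
    case $rc in
        0) echo keep ;;
        1) echo null ;;
        *) echo skip ;;
    esac
}
```

To use it in the dry-run loop from the thread, pass each row's pw_passwd and pw_clear_passwd to `decide` and print the verdict next to the user/domain before uncommenting any UPDATE.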