Re: [SOGo] Authentication using SQL - "SOGoUserSources" configuration / password schemes
Hello again,

while reviewing my Postfixadmin configuration, I noticed that I did not use ssha512 as the password scheme for Dovecot. Instead I used:

[/etc/postfixadmin/config.inc.php]
    $CONF['encrypt'] = 'dovecot:SHA512-CRYPT';

This (SHA512-CRYPT) is the 2nd strongest scheme supported by Dovecot. The strongest is BLF-CRYPT.

This is not the same scheme ... my fault. I suppose SOGo 2.1.1.a doesn't support them?

1.) I think I have to choose another password scheme for now. Right?

While the salt in ssha512 is good against rainbow-table based password attacks, the -CRYPT variants additionally improve the strength against brute-force and dictionary attacks by slowing the hashing down.

According to Vidar's blog post about - Implementation of SHA512-crypt vs MD5-crypt http://www.vidarholen.net/contents/blog/?p=33 - the -CRYPT variants may even need additional parameters for the number of rounds.

###
Like md5-crypt, it can be divided into three phases. Initialization, loop, and finalization.
Generate a simple sha512 hash based on the salt and password
Loop 5000 times, calculating a new sha512 hash based on the previous hash concatenated with alternatingly the hash of the password and the salt. Additionally, sha512-crypt allows you to specify a custom number of rounds, from 1000 to 9
Use a special base64 encoding on the final hash to create the password hash string
###

I suggest that SOGo implements them like Postfixadmin does: Postfixadmin invokes Dovecot's password utility "/usr/bin/doveadm pw" and calls the schemes, e.g. 'dovecot:SHA512-CRYPT';

[/etc/postfixadmin/config.inc.php]
    // If you use the dovecot encryption method: where is the dovecotpw binary located?
    $CONF['dovecotpw'] = "/usr/bin/doveadm pw";

2.) Any opinions?

Kind regards
T. B.
--
users@sogo.nu
https://inverse.ca/sogo/lists
[SOGo] Authentication using SQL - "SOGoUserSources" configuration / password schemes
Hello everyone,

I need some help from someone who is familiar with authentication using SQL - "SOGoUserSources" configuration / password schemes.

My problem: I can't log in. (SOGo Version is 2.1.1a)

Error in logfile:

    Dec 06 02:39:49 sogod [7071]: SOGoRootPage Login from '192.168.192.2' for user 'testu...@testdomain.de' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0

Passwords are created by Postfixadmin for Dovecot. Password scheme: ssha512 (salted SHA 512).

The MySQL database view for SOGo (sogo_auth) contains the following for c_password:

    $6$uMCefpUPeiz7ZVqU $wHIHPpqcsK0xOdihjXLnE8O7bgJa61Bpp9GVIEvULNPVJ7PABdjZAxY.7H0wgDF.jjDNqnN8qiPsO5qKUDdmm/

So, now I'm a bit confused by the SOGo documentation: http://www.sogo.nu/files/docs/SOGo%20Installation%20Guide.pdf

Chapter 5 - Page 29, 30 - Authentication using SQL: SOGoUserSources > viewURL > c_password

    c_password -->: password of the user, plain text, crypt, md5 or sha encoded

Is it still true that just these 4 schemes work? According to the "userPasswordAlgorithm" description plenty more seem possible - or is this something else?

    Possible values are: none, plain, crypt, md5, md5-crypt, smd5, cram-md5, ldap-md5, and sha, sha256, sha512 and its ssha (e.g. ssha or ssha256) variants. Passwords can have the scheme prepended in the form {scheme}encryptedPass.

"userPasswordAlgorithm" is ssha512 in my configuration.

According to http://www.sogo.nu/bugs/bug_relationship_graph.php?bug_id=1608&graph=relation SOGo supports the other encryption formats since Version 1.3.16.

If this is true, the description of "c_password -->: password of the user, plain text, crypt, md5 or sha encoded" should get adjusted.

Summarized, my questions are:

Is it still true that just 4 schemes work for c_password?
What could be the reason for the login error?
What is the best practice to debug the error?

Kind regards
T.B.
--
users@sogo.nu
https://inverse.ca/sogo/lists
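
The scheme mismatch discussed in this thread can be checked before touching the SOGo configuration. The following is an added example, not part of the original messages and not SOGo, Dovecot or Postfixadmin code: it identifies the scheme of a stored c_password value from its prefix, compares it with the configured algorithm name, and verifies a salted SHA-512 value. The function names and sample values are assumptions constructed for illustration, and the SSHA512 layout assumed is base64(SHA512(password + salt) + salt).

```python
import base64
import hashlib
import hmac
import os
import re

# Modular-crypt prefixes and the Dovecot scheme names they correspond to.
CRYPT_PREFIXES = {"$1$": "MD5-CRYPT", "$2a$": "BLF-CRYPT", "$2y$": "BLF-CRYPT",
                  "$5$": "SHA256-CRYPT", "$6$": "SHA512-CRYPT"}

def identify_scheme(stored):
    """Guess the scheme of a stored password value from its prefix."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", stored)
    if m:
        return m.group(1).upper()
    for prefix, name in CRYPT_PREFIXES.items():
        if stored.startswith(prefix):
            return name
    return "UNKNOWN"

def make_ssha512(password, salt=None):
    """Salted SHA-512: base64(SHA512(password + salt) + salt), one pass."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()

def verify_ssha512(password, stored):
    """Check a password against a {SSHA512} value; False for other schemes."""
    if identify_scheme(stored) != "SSHA512":
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA512}"):], validate=True)
    except ValueError:
        return False
    digest, salt = raw[:64], raw[64:]
    expected = hashlib.sha512(password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)

def matches_config(stored, configured_algorithm):
    """True if the stored value's scheme equals the configured algorithm name."""
    return identify_scheme(stored).lower() == configured_algorithm.lower()

if __name__ == "__main__":
    # Constructed sample values, not taken from a real account.
    crypt_value = "$6$CONSTRUCTEDSALT00$" + "A" * 86
    ssha_value = make_ssha512("example-password", b"constsal")
    for value in (crypt_value, ssha_value):
        print(identify_scheme(value), matches_config(value, "ssha512"))
```

A value beginning with `$6$` is reported as SHA512-CRYPT and does not match a configured algorithm of ssha512, which is the situation described in the reply above.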