Re: [SOGo] Authentication using SQL - "SOGoUserSources" configuration / password schemes

2013-12-06 Thread t.b.mailinglists
Hello again,

while reviewing my Postfixadmin configuration, I noticed that I did not use
ssha512 as the password scheme for Dovecot. Instead I used:
 [/etc/postfixadmin/config.inc.php]
 $CONF['encrypt'] = 'dovecot:SHA512-CRYPT';

This (SHA512-CRYPT) is the 2nd strongest scheme supported by Dovecot. The
strongest is BLF-CRYPT.

This is not the same scheme ... my fault.
I suppose SOGo 2.1.1.a doesn't support them?
1.) I think I have to choose another password scheme for now. Right?

While the salt in ssha512 is good against rainbow-table based password attacks,
the -CRYPT variants additionally improve the strength against brute-force and
dictionary attacks by slowing the hashing down.

According to Vidar's blog post "Implementation of SHA512-crypt vs MD5-crypt"
http://www.vidarholen.net/contents/blog/?p=33
the -CRYPT variants may even need additional parameters for the number of
rounds.

###
Like md5-crypt, it can be divided into three phases. Initialization, loop, and
finalization.

Generate a simple sha512 hash based on the salt and password
Loop 5000 times, calculating a new sha512 hash based on the previous hash
concatenated with alternatingly the hash of the password and the salt.
Additionally, sha512-crypt allows you to specify a custom number of rounds,
from 1000 to 9
Use a special base64 encoding on the final hash to create the password
hash string
###

I suggest that SOGo implement them like Postfixadmin does:
Postfixadmin invokes Dovecot's password utility "/usr/bin/doveadm pw"
and calls the schemes, e.g. 'dovecot:SHA512-CRYPT';
 [/etc/postfixadmin/config.inc.php]
 // If you use the dovecot encryption method: where is the dovecotpw binary located?
 $CONF['dovecotpw'] = "/usr/bin/doveadm pw";

2.) Any opinions?


Kind regards

T. B.

-- 
users@sogo.nu
https://inverse.ca/sogo/lists
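To make the three phases quoted above concrete, here is an added example; it is not code from this thread, nor from SOGo, Dovecot or Postfixadmin. It is a pure-Python SHA512-CRYPT ($6$) implementation built only on hashlib, covering the initialization, the 5000-round default loop, the rounds=N parameter (clamped to the scheme's 1000..999999999 range) and the custom base64 of the finalization. The function names sha512_crypt, new_hash and verify are this example's own; the "Hello world!" / "saltstring" value it is checked against is the vector from the scheme's public specification.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

# crypt(3) base64 alphabet (not the RFC 4648 one) and the limits the scheme imposes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT = 5000
ROUNDS_MIN, ROUNDS_MAX = 1000, 999_999_999
SALT_MAX = 16
HASH_RE = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{0,16})\$([./0-9A-Za-z]{86})$")


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n characters from a 24-bit group, low 6 bits first (crypt order)."""
    w = (b2 << 16) | (b1 << 8) | b0
    chars = []
    for _ in range(n):
        chars.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(chars)


def _encode(digest: bytes) -> str:
    """The 'special base64' of the final phase: a fixed byte permutation."""
    # Triples (i, i+21, i+42) are visited with stride 22 modulo 63, which
    # reproduces the permutation table of the reference implementation.
    out = [_b64_24bit(digest[(22 * k) % 63], digest[(21 + 22 * k) % 63],
                      digest[(42 + 22 * k) % 63], 4) for k in range(21)]
    out.append(_b64_24bit(0, 0, digest[63], 2))
    return "".join(out)


def _fit(block: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest and cut it to exactly `length` bytes."""
    return (block * (length // 64 + 1))[:length]


def sha512_crypt(password: str, salt: str, rounds: Optional[int] = None) -> str:
    pw = password.encode()
    salt_b = salt.encode()[:SALT_MAX]          # the scheme ignores salt beyond 16 bytes
    custom = rounds is not None
    rounds = ROUNDS_DEFAULT if rounds is None else max(ROUNDS_MIN, min(rounds, ROUNDS_MAX))

    # Phase 1, initialization: digest A mixes password, salt and a helper digest B.
    b = hashlib.sha512(pw + salt_b + pw).digest()
    a = hashlib.sha512(pw + salt_b)
    a.update(_fit(b, len(pw)))
    n = len(pw)
    while n > 0:                                # one step per bit of the password length
        a.update(b if n & 1 else pw)
        n >>= 1
    a_digest = a.digest()
    p = _fit(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s = _fit(hashlib.sha512(salt_b * (16 + a_digest[0])).digest(), len(salt_b))

    # Phase 2, loop: `rounds` dependent re-hashes; this is the cost knob.
    for i in range(rounds):
        c = hashlib.sha512()
        c.update(p if i & 1 else a_digest)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a_digest if i & 1 else p)
        a_digest = c.digest()

    # Phase 3, finalization: modular-crypt string; rounds= appears only if given.
    prefix = f"$6$rounds={rounds}$" if custom else "$6$"
    return f"{prefix}{salt_b.decode()}${_encode(a_digest)}"


def new_hash(password: str, rounds: Optional[int] = None) -> str:
    """Hash with a fresh 16-character random salt (what a generator would store)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(SALT_MAX))
    return sha512_crypt(password, salt, rounds)


def verify(password: str, stored: str) -> bool:
    """Re-derive from the stored salt and rounds, then compare in constant time."""
    m = HASH_RE.match(stored)
    if not m:
        return False
    rounds = int(m.group(1)) if m.group(1) else None
    return hmac.compare_digest(sha512_crypt(password, m.group(2), rounds), stored)


if __name__ == "__main__":
    h = new_hash("example password", rounds=10000)
    print(h, verify("example password", h))
```

The verify function only accepts well-formed $6$ strings, so a value stored under a different scheme (an ssha512 base64 blob, for instance) fails cleanly instead of being hashed the wrong way. Raising rounds is what makes offline guessing expensive; the string records the value, so an authenticating service needs no extra configuration to check old and new hashes side by side.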

[SOGo] Authentication using SQL - "SOGoUserSources" configuration / password schemes

2013-12-06 Thread t.b.mailinglists
Hello everyone,
I need some help from someone who is familiar with authentication using SQL -
"SOGoUserSources" configuration / password schemes.

My problem: I can't log in. (SOGo Version is 2.1.1a) Error in logfile:
Dec 06 02:39:49 sogod [7071]: SOGoRootPage Login from '192.168.192.2' for user
'testu...@testdomain.de' might not have worked - password policy: 65535
grace: -1  expire: -1  bound: 0

Passwords are created by Postfixadmin for Dovecot.
Password scheme: ssha512 (salted SHA 512).
The MySQL database view for SOGo (sogo_auth) contains following for
c_password:
$6$uMCefpUPeiz7ZVqU$wHIHPpqcsK0xOdihjXLnE8O7bgJa61Bpp9GVIEvULNPVJ7PABdjZAxY.7H0wgDF.jjDNqnN8qiPsO5qKUDdmm/

So, now I'm a bit confused by the SOGo documentation:
http://www.sogo.nu/files/docs/SOGo%20Installation%20Guide.pdf
Chapter 5 - Page 29, 30 - Authentication using SQL:

SOGoUserSources > viewURL > c_password
c_password -->: password of the user, plain text, crypt, md5 or sha encoded

Is it still true that just these 4 schemes work?

According to the "userPasswordAlgorithm" description plenty more seem possible
- or is this something else?
Possible values are: none, plain, crypt, md5, md5-crypt, smd5, cram-md5, ldap-md5,
and sha, sha256, sha512 and its ssha (e.g. ssha or ssha256) variants. Passwords can
have the scheme prepended in the form {scheme}encryptedPass.

"userPasswordAlgorithm" is ssha512 in my configuration.


According to:
http://www.sogo.nu/bugs/bug_relationship_graph.php?bug_id=1608&graph=relation
SOGo supports the other encryption formats since version 1.3.16.

If this is true, the description of "c_password -->: password of the user,
plain text, crypt, md5 or sha encoded" should get adjusted.

Summarized, my questions are:
Is it still true that just 4 schemes work for c_password?
What could be the reason for the login error?
What is the best practice to debug the error?

Kind regards

T.B.
-- 
users@sogo.nu
https://inverse.ca/sogo/lists
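As an added debugging aid for the question above (this is example code, not part of the post and not SOGo's or Dovecot's own code): a small checker that names the scheme a stored c_password value actually uses from its prefix, and verifies the Dovecot-style SSHA512 layout, {SSHA512}base64(sha512(password + salt) + salt), that a userPasswordAlgorithm of ssha512 would expect. The c_password value quoted in the post is used as the sample input; detect_scheme, ssha512_hash, ssha512_verify and diagnose are names chosen for this example, and a value stored with no prefix at all cannot be classified this way, in which case the configured algorithm is the only hint.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Modular-crypt identifiers and the Dovecot scheme names they correspond to.
CRYPT_IDS = {
    "$1$": "MD5-CRYPT",
    "$2a$": "BLF-CRYPT", "$2b$": "BLF-CRYPT", "$2y$": "BLF-CRYPT",
    "$5$": "SHA256-CRYPT",
    "$6$": "SHA512-CRYPT",
}

# The c_password value quoted in the post, joined onto one line.
POSTED_C_PASSWORD = ("$6$uMCefpUPeiz7ZVqU$wHIHPpqcsK0xOdihjXLnE8O7bgJa61Bpp9GVIEvULNPVJ7P"
                     "ABdjZAxY.7H0wgDF.jjDNqnN8qiPsO5qKUDdmm/")


def detect_scheme(stored: str) -> str:
    """Name the scheme a stored value really uses, from its prefix alone."""
    m = re.match(r"^\{([A-Za-z0-9.-]+)\}", stored)
    if m:
        return m.group(1).upper()            # an explicit {scheme} prefix wins
    for ident, name in CRYPT_IDS.items():
        if stored.startswith(ident):
            return name
    return "UNKNOWN"                         # bare base64/hex: prefix says nothing


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Dovecot SSHA512 layout: {SSHA512}base64(sha512(password + salt) + salt)."""
    if salt is None:
        salt = secrets.token_bytes(4)        # short random salt; the length is a choice
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def ssha512_verify(password: str, stored: str) -> bool:
    """Everything after the 64-byte digest is the salt, whatever its length."""
    if not stored.startswith("{SSHA512}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA512}"):], validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return False
    if len(raw) <= 64:
        return False
    digest, salt = raw[:64], raw[64:]
    return hmac.compare_digest(hashlib.sha512(password.encode() + salt).digest(), digest)


def diagnose(stored: str, configured: str) -> str:
    """Compare what userPasswordAlgorithm says with what c_password holds."""
    actual = detect_scheme(stored)
    if actual == configured.upper():
        return f"ok: c_password is {actual}"
    return f"mismatch: userPasswordAlgorithm={configured} but c_password is {actual}"


if __name__ == "__main__":
    print(diagnose(POSTED_C_PASSWORD, "ssha512"))
    h = ssha512_hash("example password")
    print(h, ssha512_verify("example password", h))
```

Run against the value from the post, diagnose reports a SHA512-CRYPT string under an ssha512 setting, which is the first thing to rule out before reading further into the "password policy" line of the log.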