Re: vchkpw lacking authentication security

2001-01-19 Thread Ken Jones

Damon Muller wrote:
 
 On Wed, Jan 17, 2001 at 02:31:17PM -0600, Ken Jones wrote:
 
  Could you post a url to the fetchmail docs on ssh tunnel?
 
 http://www.tuxedo.org/~esr/fetchmail/fetchmail-FAQ.html#K3
 
  Or better yet post the startup line for tcpserver/vpopmail/ssh tunnel.
 
 It's a per-user thing, not a change to the way the daemon is launched
 (unlike ssl tunnels). What you're essentially doing is opening an
 encrypted SSH shell connection to the mail server, and piggybacking a
 port-forwarding to the pop3 port, via a port on your local machine.

Thanks. I'm reading the url now.

I think I confused it with ssl tunnels.

Does anyone have information on how to run vpopmail with ssl tunnels?

 
 So you poll, say, port 1100 on your machine, which is forwarded over the
 ssh connection to 110 on the remote machine. The catch is that you need
 shell access to the remote machine, and I have no idea how you'd go
 about doing it from a windows machine. However, it certainly does work
 with vpopmail.
 
  I can add it to the vpopmail FAQ file.
 
 Better add the URL rather than my explanation... It's 32 degrees, I
 don't have air-conditioning, so I'm probably not making much sense! :)

Hehe. I hear yah. I'll add the url.

Ken
 
 cheers,
 
 damon
 
 --
 Damon Muller
 http://killfilter.com
 GPG Key: 0xA136E829



FreeBSD Cryptography 101 - WAS - RE: vchkpw lacking authentication security

2001-01-19 Thread Joe Modjeski

For the record on FreeBSD systems!

The use of DES/MD5 is controlled entirely by the crypt libraries. Vpopmail
doesn't control the use of DES/MD5 passwords.  If you dig through the source
you can see that it sends the entire crypted password as the crypt key, i.e.:

crypt( 'joeblow', 'hJPcq6ffTNHuI'); for DES
crypt( 'joeblow', '$1$qKMDvF5y$bcpzwp1mNbCQuTQYvkkeX.'); for MD5

The 'key' to understanding the whole mess is in the first 2 characters of
the 'crypted' password.  $1 is MD5, $2 is Blowfish (I think), the other
type is DES.  On FreeBSD there are two crypt libraries: libdescrypt is the
DES+MD5 library, and the other, libscrypt, is the "Export Controlled"
MD5-only library.

Currently I have vpopmail+mysql authenticating successfully for BOTH MD5 and
DES passwords concurrently with no hitches.  This is using the libdescrypt
library.

If you want to play with the functionality of the libraries I suggest using
perl in a script like this to see the effects.

#!/usr/bin/perl
use strict;
use warnings;

# Usage: script password salt
# Hashes the same password with crypt(3) twice: once with a plain 2-character
# DES salt and once with the "$1$salt$" prefix that selects MD5, so you can
# see which schemes your system's crypt library actually supports.
if (@ARGV < 2) {
    print "USAGE: script password salt\n";
    exit 1;
}
my ($password, $salt) = @ARGV;

print "DES Pass: " . crypt($password, $salt) . "\n";
print "MD5 Pass: " . crypt($password, "\$1\$$salt\$") . "\n";



Re: vchkpw lacking authentication security

2001-01-19 Thread James

Using stunnel:
stunnel -d 995 -r localhost:pop3 -p /usr/local/etc/stunnel.pem 

Change the last argument to the path to your private key/cert PEM file.
Only downside is your pop3 logs now show the logins from 127.0.0.1.


Ken Jones writes: 

 Thanks. I'm reading the url now. 
 
 I think I confused it with ssl tunnels. 
 
 Does anyone have information on how to run vpopmail with ssl tunnels?



vchkpw lacking authentication security

2001-01-18 Thread Tamer Hassan

To everyone on the vchkpw mailing list:

If anyone knows of a way to force vpopmail to use MD5, please let me know. 




Re: vchkpw lacking authentication security

2001-01-18 Thread Damon Muller

On Wed, Jan 17, 2001 at 02:31:17PM -0600, Ken Jones wrote:
 
 Could you post a url to the fetchmail docs on ssh tunnel?

http://www.tuxedo.org/~esr/fetchmail/fetchmail-FAQ.html#K3
 
 Or better yet post the startup line for tcpserver/vpopmail/ssh tunnel.

It's a per-user thing, not a change to the way the daemon is launched
(unlike ssl tunnels). What you're essentially doing is opening an
encrypted SSH shell connection to the mail server, and piggybacking a
port-forwarding to the pop3 port, via a port on your local machine.

So you poll, say, port 1100 on your machine, which is forwarded over the
ssh connection to 110 on the remote machine. The catch is that you need
shell access to the remote machine, and I have no idea how you'd go
about doing it from a windows machine. However, it certainly does work
with vpopmail. 
 
 I can add it to the vpopmail FAQ file.

Better add the URL rather than my explanation... It's 32 degrees, I
don't have air-conditioning, so I'm probably not making much sense! :)

cheers,

damon

-- 
Damon Muller 
http://killfilter.com
GPG Key: 0xA136E829



Re: vchkpw lacking authentication security

2001-01-17 Thread Jesús Arnáiz

- Original Message -
From: "Matt Simerson" [EMAIL PROTECTED]
To: "'Tim Hassan'" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, January 16, 2001 9:18 PM
Subject: RE: vchkpw lacking authentication security


 I can't see how that could possibly be construed as a security drawback. POP
 is inherently insecure in the first place (sending clear text passwords
 across the net) and password sniffing is much more of a problem (and the
 easiest way to collect passwords) than people cracking passwords.


All right.

 So, unless you're exclusively using a) POP3-SSL or POP over SSH to prevent
 password sniffing,

If I use it, should the client change something in the POP configuration? Is it
difficult to set up on a system?


b)  shadow passwords (who isn't?), c) MD5 (or blowfish)
 passwords on your current system (to utilize more than 8 char passwords),
 and d) forcing users to actually USE long passwords it's quite silly to say
 that using DES is a security drawback to using vpopmail.

 The risk of having a password cracked is minimal on a userless system.

 Matt

  -Original Message-
  From: Tim Hassan [mailto:[EMAIL PROTECTED]]
  Sent: Monday, January 15, 2001 10:09 PM
  To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Subject: vchkpw lacking authentication security
 
 
 
  Dear Inter7 Developer:
 
  I recently discovered the following security drawback in
  vpopmail with vchkpw authentication:
 
  No matter how long you set the password to when adding a new
  user, only the
  first 8 characters of the password are used. So for example, if I do:
 
  ./vadduser [EMAIL PROTECTED] this-is-hard-to-guess-234234235-23423
 
  and then I try to login to my email as user "test" and
  password "this-is-", it would let me in.
  As you may already know, any password below 8 characters is
  considered insecure, even if it was a combination of letters, numbers,
  and special characters. In other words, Standard DES crypto is used :(
 
 
  Best Regards,
  Tamer Hassan

Thanks in advance

--
Jesús Arnáiz [EMAIL PROTECTED]
Departamento de Sistemas - ARCOMEDIA.COM
http://www.arcomedia.com/




Re: vchkpw lacking authentication security

2001-01-17 Thread Ken Jones

Damon Muller wrote:
 
 On Tue, Jan 16, 2001 at 06:08:56AM +, Tim Hassan wrote:
 
  No matter how long you set the password to when adding a new user, only the
  first 8 characters of the password are used. So for example, if I do:
 
  ./vadduser [EMAIL PROTECTED] this-is-hard-to-guess-234234235-23423
 
  and then I try to login to my email as user "test" and password "this-is-",
  it would let me in.
 
 This is standard Unix crypt behaviour. Unless you are using MD5
 passwords on your system (or Blowfish, I believe, on OpenBSD), then
 your system accounts will show the same behaviour.
 
 Even an 8-character password, provided it is sufficiently complex, will
 probably prove unreasonably difficult to break.
 
 There is probably a way to force vpopmail to use MD5 if the system
 supports it. Anyone know what it is?
 
 Better still, do all your mail transfer over an encrypted SSH tunnel
 (the fetchmail docs show you how to do it with fetchmail, it's very
 simple). Unless you are using APOP (not well supported in vpopmail,
 IIRC), your password is going over the network in clear-text anyway.

Could you post a url to the fetchmail docs on ssh tunnel?

Or better yet post the startup line for tcpserver/vpopmail/ssh tunnel.

I can add it to the vpopmail FAQ file.

Ken Jones



Re: vchkpw lacking authentication security

2001-01-16 Thread Damon Muller

On Tue, Jan 16, 2001 at 06:08:56AM +, Tim Hassan wrote:
 
 No matter how long you set the password to when adding a new user, only the 
 first 8 characters of the password are used. So for example, if I do: 
 
 ./vadduser [EMAIL PROTECTED] this-is-hard-to-guess-234234235-23423 
 
 and then I try to login to my email as user "test" and password "this-is-", 
 it would let me in.

This is standard Unix crypt behaviour. Unless you are using MD5
passwords on your system (or Blowfish, I believe, on OpenBSD), then
your system accounts will show the same behaviour.

Even an 8-character password, provided it is sufficiently complex, will
probably prove unreasonably difficult to break.

There is probably a way to force vpopmail to use MD5 if the system
supports it. Anyone know what it is?

Better still, do all your mail transfer over an encrypted SSH tunnel
(the fetchmail docs show you how to do it with fetchmail, it's very
simple). Unless you are using APOP (not well supported in vpopmail,
IIRC), your password is going over the network in clear-text anyway.

cheers,

damon


-- 
Damon Muller 
http://killfilter.com
GPG Key: 0xA136E829



RE: vchkpw lacking authentication security

2001-01-16 Thread Matt Simerson

I can't see how that could possibly be construed as a security drawback. POP
is inherently insecure in the first place (sending clear text passwords
across the net) and password sniffing is much more of a problem (and the
easiest way to collect passwords) than people cracking passwords. 

So, unless you're exclusively using a) POP3-SSL or POP over SSH to prevent
password sniffing, b)  shadow passwords (who isn't?), c) MD5 (or blowfish)
passwords on your current system (to utilize more than 8 char passwords),
and d) forcing users to actually USE long passwords it's quite silly to say
that using DES is a security drawback to using vpopmail.

The risk of having a password cracked is minimal on a userless system. 

Matt

 -Original Message-
 From: Tim Hassan [mailto:[EMAIL PROTECTED]]
 Sent: Monday, January 15, 2001 10:09 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: vchkpw lacking authentication security
 
 
 
 Dear Inter7 Developer: 
 
 I recently discovered the following security drawback in 
 vpopmail with vchkpw authentication: 
 
 No matter how long you set the password to when adding a new 
 user, only the 
 first 8 characters of the password are used. So for example, if I do: 
 
 ./vadduser [EMAIL PROTECTED] this-is-hard-to-guess-234234235-23423 
 
 and then I try to login to my email as user "test" and 
 password "this-is-", it would let me in.
 As you may already know, any password below 8 characters is 
 considered insecure, even if it was a combination of letters, numbers, 
 and special characters. In other words, Standard DES crypto is used :( 
 
 
 Best Regards,
 Tamer Hassan 




Re: vchkpw lacking authentication security

2001-01-16 Thread Chris Shenton

Damon Muller [EMAIL PROTECTED] writes:

 This is standard Unix crypt behaviour. Unless you are using MD5
 passwords on your system (or Blowfish, I believe, on OpenBSD), then
 your system accounts will show the same behaviour.

 There is probably a way to force vpopmail to use MD5 if the system
 supports it. Anyone know what it is?


Is there any doc on how vchkpw uses DES versus MD5?  Didn't see
anything that details in the online stuff or man pages.

I installed it on FreeBSD with MD5 and not DES and couldn't
auth. After installing DES on BSD and rebuilding vchkpw it worked.

Also, I'd like to migrate a few thousand users out of /etc/passwd with
sendmail/popper and into vchkpw/sqwebmail/etc -- I'm very concerned
about how to keep the authentication working.

Any clues would be welcomed -- thanks!



vchkpw lacking authentication security

2001-01-15 Thread Tim Hassan


Dear Inter7 Developer: 

I recently discovered the following security drawback in vpopmail with 
vchkpw authentication: 

No matter how long you set the password to when adding a new user, only the 
first 8 characters of the password are used. So for example, if I do: 

./vadduser [EMAIL PROTECTED] this-is-hard-to-guess-234234235-23423 

and then I try to login to my email as user "test" and password "this-is-", 
it would let me in.
As you may already know, any password below 8 characters is considered 
insecure, even if it was a combination of letters, numbers, and special 
characters. In other words, Standard DES crypto is used :( 


Best Regards,
Tamer Hassan
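Joe Modjeski's note above that the first characters of the stored string select the scheme, and Tim Hassan's observation that only the first 8 password characters count under DES, combined into one added example (not code from this thread, from vpopmail, or from FreeBSD): classify a crypt(3)-style hash by its prefix, compute which part of a candidate password that scheme actually uses, and flag weak entries in a listing. The "user:hash" record format, the user names, the 12-character policy threshold and the 72-byte bcrypt limit are assumptions or general knowledge, not from the thread.

```python
import re

# Hash formats named in the thread: a 13-character traditional DES crypt(3)
# string, "$1$salt$digest" for MD5 and "$2..." for Blowfish.  Traditional DES
# crypt silently ignores everything after the 8th password character, which
# is why "this-is-" unlocked the long password in Tim's report.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
DES_MAX_LEN = 8
BCRYPT_MAX_LEN = 72     # bcrypt's own limit; general knowledge, not from the thread
POLICY_MIN_USABLE = 12  # assumed local policy: a hash must use >= 12 password chars


def classify_hash(stored):
    """Return (scheme, salt, max_len); max_len is None when the whole password is hashed."""
    if stored.startswith("$1$"):
        fields = stored.split("$")  # ["", "1", salt, digest]
        return ("md5", fields[2], None)
    if stored.startswith("$2"):
        return ("blowfish", "", BCRYPT_MAX_LEN)
    if DES_RE.match(stored):
        return ("des", stored[:2], DES_MAX_LEN)  # salt is the first two characters
    return ("unknown", "", None)


def effective_input(stored, password):
    """The part of `password` that crypt() would actually check against `stored`."""
    _, _, max_len = classify_hash(stored)
    return password if max_len is None else password[:max_len]


def audit_records(records):
    """Flag "user:hash" records (a constructed listing format, not vpopmail's own)
    whose hash scheme uses fewer password characters than policy requires."""
    findings = []
    for line in records:
        user, _, stored = line.partition(":")
        scheme, _, max_len = classify_hash(stored)
        if max_len is not None and max_len < POLICY_MIN_USABLE:
            findings.append((user, scheme, max_len))
    return findings


# Constructed sample records built from the two hash strings quoted in Joe's post.
SAMPLE_RECORDS = ["joeblow:hJPcq6ffTNHuI", "jane:$1$qKMDvF5y$bcpzwp1mNbCQuTQYvkkeX."]

if __name__ == "__main__":
    des_hash = "hJPcq6ffTNHuI"
    long_pw, short_pw = "this-is-hard-to-guess-234234235-23423", "this-is-"
    print("DES compares the same bytes for both:",
          effective_input(des_hash, long_pw) == effective_input(des_hash, short_pw))
    for user, scheme, n in audit_records(SAMPLE_RECORDS):
        print("%s: %s hash, only the first %d password characters count" % (user, scheme, n))
```

Running it reports the DES account as the one whose password is effectively capped at 8 characters; the same classifier can be pointed at an export of real hashes to size a migration to MD5 before changing the crypt library.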