Re: [vchkpw] Re: passwords

2004-05-26 Thread Tom Collins
On May 25, 2004, at 5:31 AM, Jean Wainer wrote:
>>> Is it possible to convert all "old" passwords from the old format
>>> (MD5-disabled crypt()) to the new format?
>> If you have plain passwords enabled: yes. (..)
> Unfortunately this isn't my case. :(
> I guess it's not possible then, right?

It might be possible to modify the "learn passwords" feature of 
vchkpw.c to update the password entry when a user authenticates and the 
old password record is in old-style crypt() instead of MD5 format.

A slightly more dangerous option would be to enable learn passwords and 
delete any old-style passwords from the vpasswd files.  The next time a 
user POPs in, it will set their password to whatever they used to 
connect.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/


[vchkpw] Re: passwords

2004-05-25 Thread Peter Palmreuther
Hello Jean,

On Tuesday, May 25, 2004 at 2:31:26 PM you wrote (at least in part):

>>> Is it possible to convert all "old" passwords from the old format
>>> (MD5-disabled crypt()) to the new format?
>> If you have plain passwords enabled: yes. (..)
> Unfortunately this isn't my case. :(
> I guess it's not possible then, right?

Right. The passwords are "non recoverable" and therefore you can't
convert them into a state that enables you to "reencrypt" using MD5.
Send an e-mail to all affected accounts and ask them to change the
password for their own safety using qmailadmin (or whatever front end
you have set up).
-- 
Best regards
Peter Palmreuther

There are never enough hours in a day,  but always too many days
before Saturday.
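
To work out which accounts are "affected" in the sense of the message above, the vpasswd file can be sorted by hash format. This is an added example, not part of the original thread or of vpopmail. It assumes vpasswd is colon-separated with the encrypted password in the second field (as the thread states), that old-style entries are 13-character traditional DES crypt() strings, and that MD5 entries start with `$1$`. The sample lines and hash values are constructed.

```python
import re

# Traditional DES crypt(): 2 salt chars + 11 hash chars, 13 in total.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5-crypt: "$1$" + up to 8 salt chars + "$" + 22 hash chars.
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}$")

def classify_hash(field):
    """Name the format of one encrypted-password field."""
    if field == "":
        return "empty"      # no hash stored for this account
    if MD5_RE.match(field):
        return "md5"
    if DES_RE.match(field):
        return "des"        # only the first 8 password characters count
    return "unknown"        # locked markers, other schemes, damaged lines

def audit_vpasswd(lines):
    """Group account names by the hash format found in field 2."""
    report = {"des": [], "md5": [], "empty": [], "unknown": []}
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            report["unknown"].append(line)
            continue
        report[classify_hash(fields[1])].append(fields[0])
    return report

# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE = [
    "alice:abCDEFGHIJKLM:1:0:Alice:/home/vpopmail/domains/example.com/alice:NOQUOTA",
    "bob:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:1:0:Bob:/home/vpopmail/domains/example.com/bob:NOQUOTA",
    "carol::1:0:Carol:/home/vpopmail/domains/example.com/carol:NOQUOTA",
    "dave:!locked:1:0:Dave:/home/vpopmail/domains/example.com/dave:NOQUOTA",
]

if __name__ == "__main__":
    result = audit_vpasswd(SAMPLE)
    print("Accounts still on old-style crypt():", ", ".join(result["des"]))
    print("Accounts to review by hand:", ", ".join(result["unknown"]))
```

To audit a real domain, pass the open vpasswd file object to `audit_vpasswd()` instead of `SAMPLE`.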



Re: [vchkpw] Re: passwords

2004-05-25 Thread Jean Wainer
> > Is it possible to convert all "old" passwords from the old format
> > (MD5-disabled crypt()) to the new format?
> 
> If you have plain passwords enabled: yes. (..)
Unfortunately this isn't my case. :(
I guess it's not possible then, right?

thanks,

--Jw.


> If the probability of success is not almost one, then it is damn near
> zero.


[vchkpw] Re: passwords

2004-05-24 Thread Peter Palmreuther
Hello Jean,

On Monday, May 24, 2004 at 8:25:42 PM you wrote (at least in part):

>> I assume your installation does not use MD5 routines in 'crypt()'
>> function, [...]
> Very interesting.
> It seems that the problem occurred only with the migrated domains
> from other servers (the "museum" ones). Accounts created in the new
> server, or accounts which had their password changed in the new server
> do not have this problem.

Would make sense.

> Thanks a lot, Peter!

You're welcome.

> Is it possible to convert all "old" passwords from the old format
> (MD5-disabled crypt()) to the new format?

If you have plain passwords enabled: yes. Should be sufficient to
delete the encrypted passwords from vpasswd (empty the second field
with 'awk') and let the users log in again. Authentication will/should
succeed, because the clear password is still there and encrypted
password will be set, as vchkpw recognizes it is empty.

This is from the top of my head, I haven't tested recently or with one
of the latest releases, so you're advised to test yourself with a
non-important account before applying the change globally.

Don't forget to run 'vmkpasswd $DOMAIN' after you modified the
'vpasswd' file(s) and before you try to login (e.g. via POP3).
-- 
Best regards
Peter Palmreuther

If the probability of success is not almost one, then it is damn near
zero.



Re: [vchkpw] Re: passwords

2004-05-24 Thread Jean Wainer
> Please create a test account with password 'password', test this
> account and if it is authenticated with "garbage at the end" please
> post the encrypted password from 'vpasswd' of this account.

It didn't.


> I assume your installation does not use MD5 routines in 'crypt()'
> function, and therefore your passwords are limited to a maximum of 8
> characters. All passwords with exactly 8 characters (so NOT 'secret'
> as this is only 6) will then be accepted if the first 8 characters of
> input match. This is due to the fact 'crypt()', using only DES, only
> takes the first 8 characters. A MD5-enabled 'crypt()' will not suffer
> these limitations.
Very interesting.
It seems that the problem occurred only with the migrated domains from other servers
(the "museum" ones). Accounts created in the new server, or accounts which had their
password changed in the new server do not have this problem.

> Maybe the 'museum' might be the problem: if their libcrypt is too old
> it might be it's not yet aware of MD5, who knows.

I guess that was it.

Thanks a lot, Peter!

Is it possible to convert all "old" passwords from the old format (MD5-disabled 
crypt()) to the new format?

--Jw.


[vchkpw] Re: passwords

2004-05-24 Thread Peter Palmreuther
Hello Jean,

On Monday, May 24, 2004 at 4:12:15 PM you wrote (at least in part):

> My boss recently noticed something I didn't: vpopmail (noticed on
> qmailadmin and squirrelmail using courier-imap) accepts passwords
> with garbage at the end.

> Let's say, my password is "secret".
> If I type "secretJSDSDALSDKJFLASF", qmailadmin will accept it as
> a valid password. It doesn't accept with garbage "inside" the
> password, or before.

Please create a test account with password 'password', test this
account and if it is authenticated with "garbage at the end" please
post the encrypted password from 'vpasswd' of this account.

I assume your installation does not use MD5 routines in 'crypt()'
function, and therefore your passwords are limited to a maximum of 8
characters. All passwords with exactly 8 characters (so NOT 'secret'
as this is only 6) will then be accepted if the first 8 characters of
input match. This is due to the fact 'crypt()', using only DES, only
takes the first 8 characters. A MD5-enabled 'crypt()' will not suffer
these limitations.

> How can I correct that?

vpopmail should, when available, automatically use MD5 passwords. To be
sure recompile vpopmail (don't forget a 'make clean' before) with all
your configure options PLUS '--enable-md5-passwords'. If you have any
'--disable-md5-passwords' option set, remove it.

I don't know a safe way to figure out if your libcrypt.so supports
MD5-passwords, but I've found that
'strings /lib/libcrypt.so.1 |grep -i md5'

returned 'md5-crypt.c' and '__md5_crypt_r', which I'd take as a hint
my libcrypt is MD5-enabled and the encrypted passwords in my vpasswd
confirm this assumption.

> Is this a known issue?

Not that I'm aware of.

> I've tested with vpopmail 5.4.3 + qmailadmin 1.2.0 AND also with
> vpopmail 4.9.10 + qmailadmin 0.45 (our "museum" servers), both have
> the same problem.

Maybe the 'museum' might be the problem: if their libcrypt is too old
it might be it's not yet aware of MD5, who knows.
-- 
Best regards
Peter Palmreuther

Use it up ... Wear it out.  Make it do ... Or do without.