Mike Miller writes:

> Any way to convert an entire large site of cdb files (probably 
> 150 domains) into MD5?  Actually converting is the wrong word [since you 
> can't do that unless there are clear text passwords], but rather to have it 
> choose between both MD5 and CRYPT passwords (based on length) to migrate 
> from crypt to MD5?

I don't know how vpopmail handles this.  If it was written correctly then
on most recent releases of *nix then both types of crypted password in the
same cdb ought to be possible.

DES crypt requires two characters of salt chosen from A-Za-z0-9./ while
MD5 crypt requires eight characters from the same character set prefixed
by $1$.  The wrong way to code things is to examine the crypted password
(which starts with whatever salt has been used) and figure out whether
it's DES or MD5, extract the appropriate amount of salt and pass that
with the plaintext password to crypt and see if the result matches the
crypted password.  The really wrong way to code it is to fix at compile
time what type of crypt should be used when validating passwords.

The right way to code this is to use the crypted password itself, in its
entirety, as the salt for crypting the plaintext password when you
validate the password.  Versions of crypt which support MD5 also support 
using the entirety of the crypted password as salt and then figure out how 
much of that really is salt without you having to bother.  Do it this way 
and both types of crypted password can be used in the same file even though
when passwords are set or modified they will be converted to whichever type
of crypt you said you wanted to use.

If vpopmail does it that way then you can happily turn on MD5, with
existing passwords continuing to work and new or changed passwords
being MD5 crypted.  If vpopmail doesn't do it that way then you have
problems until the next release appears.

-- 
Paul Allen
Softflare Support
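
Added example, not part of the message above and not vpopmail code: the validation described there, with the whole stored hash passed to crypt(3) as the salt, so DES and MD5 entries coexist in one table while new passwords are written as MD5. It uses Ruby's `String#crypt`, a thin wrapper over the platform crypt(3), and assumes that crypt(3) supports both DES and `$1$` hashes; the table, addresses, passwords and function names are constructed for illustration.

```ruby
require "securerandom"

# Salt alphabet named in the message: A-Za-z0-9./
SALT_CHARS = [*("A".."Z"), *("a".."z"), *("0".."9"), ".", "/"].freeze

# Constructed sample table: one legacy DES entry and one MD5 entry side by side.
def sample_table
  {
    "legacy@example.test" => "oldpass1".crypt("ab"),           # DES: 2 salt chars
    "new@example.test"    => "newpass2".crypt("$1$Xy9.kQ2w$")  # MD5: $1$ + 8 salt chars
  }
end

# Compare without stopping at the first differing byte.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Validation: hand the whole stored hash to crypt(3) as the salt and let
# crypt work out the scheme and how much of the string really is salt.
def check_password(stored, plain)
  return false if stored.nil? || stored.bytesize < 2
  secure_eq(plain.crypt(stored), stored)
rescue ArgumentError, SystemCallError
  false # malformed entry, or a scheme this platform's crypt(3) rejects
end

# Setting or changing a password always writes the configured type (MD5 here).
def set_password(table, user, plain)
  salt = Array.new(8) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  table[user] = plain.crypt("$1$#{salt}$")
end

if __FILE__ == $PROGRAM_NAME
  table = sample_table
  puts check_password(table["legacy@example.test"], "oldpass1") # DES entry validates
  puts check_password(table["new@example.test"], "newpass2")    # MD5 entry validates
  set_password(table, "legacy@example.test", "changed3")        # rewritten as MD5
  puts table["legacy@example.test"].start_with?("$1$")
end
```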