Hello Jean,

On Monday, May 24, 2004 at 4:12:15 PM you wrote (at least in part):

> My boss recently noticed something I didn't: vpopmail (noticed on
> qmailadmin and squirrelmail using courier-imap) accepts passwords
> with garbage at the end.

> Let's say my password is "secret".
> If I type "secretJSDSDALSDKJFLASF", qmailadmin will accept it as
> a valid password. It doesn't accept garbage "inside" the
> password, or before it.

Please create a test account with password 'password', test this
account and if it is authenticated with "garbage at the end" please
post the encrypted password from 'vpasswd' of this account.

I assume your installation does not use MD5 routines in the 'crypt()'
function, and therefore your passwords are limited to a maximum of 8
characters. All passwords with exactly 8 characters (so NOT 'secret',
as this is only 6) will then be accepted if the first 8 characters of
the input match. This is due to the fact that 'crypt()', using only DES,
only takes the first 8 characters. An MD5-enabled 'crypt()' will not
suffer this limitation.

> How can I correct that?

vpopmail should, when available, automatically use MD5 passwords. To be
sure, recompile vpopmail (don't forget a 'make clean' before) with all
your configure options PLUS '--enable-md5-passwords'. If you have any
'--disable-md5-passwords' option set, remove it.

I don't know a safe way to figure out whether your libcrypt.so supports
MD5 passwords, but I've found that
'strings /lib/libcrypt.so.1 |grep -i md5'

returned 'md5-crypt.c' and '__md5_crypt_r', which I'd take as a hint
my libcrypt is MD5-enabled and the encrypted passwords in my vpasswd
confirm this assumption.

> Is this a known issue?

Not that I'm aware of.

> I've tested with vpopmail 5.4.3 + qmailadmin 1.2.0 AND also with
> vpopmail 4.9.10 + qmailadmin 0.45 (our "museum" servers), both have
> the same problem.

Maybe the 'museum' might be the problem: if their libcrypt is too old,
it might be that it's not yet aware of MD5, who knows.

Best regards
Peter Palmreuther

Use it up ... Wear it out.  Make it do ... Or do without.

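The truncation Peter describes, as an added example (not code from this mail or from vpopmail): it classifies the hash scheme of each vpasswd entry, lists accounts whose DES hash only checks the first 8 password characters, and shows which typed passwords such a scheme cannot tell apart from the stored one. The vpasswd field layout (user:hash:uid:gid:gecos:dir:quota) and the sample hashes are assumed and constructed here.

```python
import re
from typing import Iterator, Optional, Tuple

# Traditional DES crypt(3) hashes are 13 chars (2 salt + 11) from the crypt
# alphabet, and DES only keys on the first 8 bytes of the password.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
DES_MAX_PASSWORD_LEN = 8
# Modular crypt schemes that hash the whole password (MD5, SHA-256, SHA-512).
UNTRUNCATED_PREFIXES = ("$1$", "$5$", "$6$")


def effective_password_length(pw_hash: str) -> Optional[int]:
    """How many leading password characters the scheme checks; None = all."""
    if pw_hash.startswith(UNTRUNCATED_PREFIXES):
        return None
    if DES_CRYPT_RE.match(pw_hash):
        return DES_MAX_PASSWORD_LEN
    raise ValueError(f"unrecognised crypt() hash format: {pw_hash!r}")


def accepted_as_same(pw_hash: str, stored_pw: str, typed_pw: str) -> bool:
    """Would this hash's scheme accept typed_pw for an account set to stored_pw?"""
    n = effective_password_length(pw_hash)
    if n is None:
        return stored_pw == typed_pw
    # DES NUL-pads shorter passwords, so trailing garbage only passes when
    # the real password is exactly 8 characters long.
    return (stored_pw.encode()[:n].ljust(n, b"\0")
            == typed_pw.encode()[:n].ljust(n, b"\0"))


def parse_vpasswd(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (user, hash) from vpasswd lines; layout assumed: user:hash:..."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and ":" in line:
            user, pw_hash = line.split(":", 2)[:2]
            yield user, pw_hash


def truncating_accounts(text: str) -> list:
    """Users whose stored hash only verifies the first 8 password characters."""
    return [u for u, h in parse_vpasswd(text)
            if effective_password_length(h) is not None]


# Constructed sample vpasswd: hashes are made-up strings of the right shape.
SAMPLE_VPASSWD = """\
alice:$1$ab12cd34$0123456789abcdefghijkl:1:0:alice:/home/vpopmail/domains/example.com/alice:NOQUOTA
bob:abJnggxhB/yWI:1:0:bob:/home/vpopmail/domains/example.com/bob:NOQUOTA
"""
```

Running `truncating_accounts(SAMPLE_VPASSWD)` returns `['bob']`, the account whose hash is the 13-character DES form and which therefore accepts an 8-character password with anything appended.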