On Monday, May 24, 2004 at 4:12:15 PM you wrote (at least in part):
> My boss recently noticed something I didnt: vpopmail (noticed on
> qmailadmin and squirrelmail using courier-imap) accepts passwords
> with garbage at the end.
> Lets say, my password is "secret".
> If I type "secretJSDSDALSDKJFLASF", qmailadmin will accept it as
> a valid password. It doesnt accept with garbage "inside" the
> password, or before.
Please create a test account with password 'password', test this
account and if it is authenticated with "garbage at the end" please
post the encrypted password from 'vpasswd' of this account.
I assume your installation does not use MD5 routines in 'crypt()'
function, and therefore your passwords are limited to a maximum of 8
characters. All passwords with exactly 8 characters (so NOT 'secret'
as this are only 6) than will be accepted if the first 8 characters of
input match. This is due to the fact 'crypt()', using only DES, only
takes the first 8 characters. A MD5-enabled 'crypt()' will not suffer
> How can I correct that?
vpopmail should, when available, use automatically MD5-password. To be
sure recompile vpopmail (don't forget a 'make clean' before) with all
your configure options PLUS '--enable-md5-passwords'. If you have any
'--disable-md5-passwords' option set, remove it.
I don't know a save way to figure if your libcrypt.so supports
MD5-passwords, but I've found that
'strings /lib/libcrypt.so.1 |grep -i md5'
returned 'md5-crypt.c' and '__md5_crypt_r', which I'd take as a hint
my libcrypt is MD5-enabled and the encrypted passwords in my vpasswd
confirm this assumption.
> Is this a known issue?
Not I'm aware of.
> I've tested with vpopmail 5.4.3 + qmailadmin 1.2.0 AND also with
> vpopmail 4.9.10 + qmailadmin 0.45 (our "museum" servers), both have
> the save problem.
Maybe the 'museum' might be the problem: if their libcrypt is too old
it might be it's not yet aware of MD5, who knows.
Use it up ... Wear it out. Make it do ... Or do without.