[sork] RE: passwd (release 2.2) - Solaris, crypt(), MD5, DES, vpopmail
Dorneles Treméa
dorneles at x3ng.com.br
Thu Oct 2 07:33:43 PDT 2003
Hi Dennis, Eric, Chuck
> My findings took me to vpopmail.c in vpopmail.
>
> 423 #ifdef MD5_PASSWORDS
>
> [...]
I have already noticed it and sent a few mails to this
list addressing this issue.
> This define behavior is controlled by a configure directive
> --enable-md5-passwords=n \
>
> Turning off this directive allowed me to create non $1$ salts with
> vpopmail
But if you want to use MD5 with vpopmail, you can use the
attached patch (against a -RELENG snapshot), which implements
the 'crypt-md5' encryption method used by vpopmail.
I have received some mails asking me for that patch. Is
there any way to include it in the CVS RELENG_2 branch
tree?
PS: Sorry for the long-delayed post... :-(
Thanks in advance,
--
Dorneles Treméa
Caxias do Sul - RS - Brasil
+55 54 9114 9312 - UIN: 2413568
X3ng Web Technology <http://www.x3ng.com.br>
-------------- next part --------------
diff -ru passwd-RELENG/config/backends.php.dist passwd/config/backends.php.dist
--- passwd-RELENG/config/backends.php.dist 2003-02-05 13:48:13.000000000 -0200
+++ passwd/config/backends.php.dist 2003-03-06 21:15:57.000000000 -0300
@@ -46,6 +46,7 @@
* 5) smd5
* 6) sha
* 7) ssha
+ * 8) crypt-md5
*
* Currently, md5-base64, smd5, sha, and ssha require the mhash php
* library in order to work properly. See the INSTALL file for
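Review bot: the new entry "8) crypt-md5" is listed without any note on its requirements, while the paragraph directly below it documents which methods need mhash. crypt-md5 does not use mhash; it depends on the platform crypt() supporting the $1$ MD5 scheme (PHP reports this through the CRYPT_MD5 constant), and where that support is missing the call would not yield a $1$ hash. Suggest adding a sentence here stating that dependency, and that the value is stored without a "{...}" prefix, unlike the other methods.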
@@ -182,9 +183,10 @@
'params' => array(
'phptype' => 'mysql',
'hostspec' => 'localhost',
+ 'protocol' => 'tcp',
'username' => '',
'password' => '',
- 'encryption' => 'crypt',
+ 'encryption' => 'crypt-md5',
'database' => 'vpopmail',
'table' => 'vpopmail',
'name' => 'pw_name',
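Review bot: the switch of the shipped default from 'encryption' => 'crypt' to 'crypt-md5' changes behaviour for every site that copies this .dist block, not only for sites that opt in to the new method. Per the Driver.php hunks, 'crypt' stores and expects a "{crypt}" prefix and 'crypt-md5' stores none, so existing "{crypt}" rows would stop verifying under the new default. Suggest keeping 'crypt' as the default and showing 'crypt-md5' in a comment as the setting for vpopmail builds with MD5 passwords. The added 'protocol' => 'tcp' line is unrelated to the new method and would be better as its own change with a reason given.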
diff -ru passwd-RELENG/lib/Driver.php passwd/lib/Driver.php
--- passwd-RELENG/lib/Driver.php 2003-02-15 18:16:26.000000000 -0200
+++ passwd/lib/Driver.php 2003-03-06 21:22:09.000000000 -0300
@@ -100,9 +100,16 @@
}
break;
case 'md5-base64':
- if ($encrypted == base64_encode(mHash(MHASH_MD5, $plaintext))) { return true;
+ if ($encrypted == base64_encode(mHash(MHASH_MD5, $plaintext))) {
+ return true;
}
break;
+ case 'crypt-md5':
+ $salt = substr($encrypted , 0, 8);
+ if ($encrypted == crypt($plaintext, $salt)) {
+ return true;
+ }
+ break;
case 'crypt':
$encrypted = substr($encrypted, 7);
$salt = substr($encrypted , 0, 2);
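Review bot: in the new 'crypt-md5' case, "$salt = substr($encrypted , 0, 8);" hard-codes the 4-character salt that this patch generates ("$1$" plus 4 characters plus "$"). MD5 crypt salts can be up to 8 characters, so a hash written by another tool with a longer salt has its salt truncated here and will never verify. Suggest passing the stored hash itself as the salt, "crypt($plaintext, $encrypted)", which lets crypt() read the full salt whatever its length. It would also be worth rejecting stored values that do not start with "$1$" before comparing, and using "===" for the comparison. The brace reflow in the 'md5-base64' case is a whitespace-only change and belongs in a separate cleanup patch.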
@@ -112,15 +119,14 @@
break;
case 'sha':
$encrypted = substr($encrypted, 5);
- if ($encrypted == base64_encode(mHash(MHASH_SHA1, $plaintext)))
-{
+ if ($encrypted == base64_encode(mHash(MHASH_SHA1, $plaintext))) {
return true;
}
break;
case 'ssha':
$encrypted = substr($encrypted, 6);
$hash = base64_decode($encrypted);
- $salt = substr($hash, 20);
+ $salt = substr($hash, 20);
if ($hash == mHash(MHASH_SHA1, $plaintext . $salt)) {
return true;
}
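Review bot: this hunk only moves the opening brace in the 'sha' case and changes spacing on the "$salt = substr($hash, 20);" line in 'ssha'; neither is needed for crypt-md5. Suggest dropping these from the patch or submitting them separately, so the functional change stays small and is easier to review and merge into RELENG_2.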
@@ -156,6 +162,20 @@
case "sha":
$newPassword = "{SHA}" . base64_encode(mHash(MHASH_SHA1, $newPassword));
break;
+ case "crypt-md5":
+ function randltr() {
+ $retval = ord('a');
+ $randnum = rand() % 64;
+ if ($randnum < 26) $retval = $randnum + ord('a');
+ if ($randnum > 25) $retval = $randnum - 26 + ord('A');
+ if ($randnum > 51) $retval = $randnum - 52 + ord('0');
+ if ($randnum == 62) $retval = ord(';');
+ if ($randnum == 63) $retval = ord('.');
+ return chr($retval);
+ }
+ $salt = '$1$' . randltr() . randltr() . randltr() . randltr();
+ $newPassword = crypt($newPassword,$salt);
+ break;
case "crypt":
// The salt is left out, generated by php
$newPassword = "{crypt}" . crypt($newPassword);
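Review bot: "function randltr() {" is declared inside the "crypt-md5" case, so PHP defines it as a global function each time this branch executes; a second password change in the same request would fail with a redeclaration error. Suggest moving it out to a private method of the driver. On the salt itself: "if ($randnum == 62) $retval = ord(';');" emits ';', which is outside the ./0-9A-Za-z alphabet that crypt salts use ('/' looks like the intended character); rand() is not a suitable source for salts and nothing visible here seeds it; and only 4 salt characters are generated where the $1$ scheme accepts 8. Suggest drawing 8 characters from the standard alphabet using the best random source available to the code.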
@@ -164,8 +184,7 @@
$newPassword = md5($newPassword);
break;
case "md5-base64":
- $newPassword = "{MD5}" . base64_encode(mHash(MHASH_MD5,
- $newPassword));
+ $newPassword = "{MD5}" . base64_encode(mHash(MHASH_MD5, $newPassword));
break;
case "ssha":
$salt = mhash_keygen_s2k(MHASH_SHA1,$newPassword,substr(pack("h*",md5(mt_rand())),0,8),4);