[sork] Passwd

Pedro Maia dtread at ptweb.org
Tue Mar 16 06:05:36 PST 2004


> Quoting Pedro Maia <dtread at ptweb.org>:
>
> > When I try to change the password it says to me "Failure in changing
> > password : Incorect Password". I've made some tests and I saw that the
> > problem is when passwd encrypts the password, it gets different from
> > the one encrypted by vpopmail.
>
> Find out what encryption vpopmail uses, and make sure you use the same
> one in your configuration:
>
> >         'encryption' => 'crypt',

The encryption that vpopmail uses by default is MD5, but in the configure I
used this "  --disable-md5-passwords    Use DES crypt() instead of MD5
encryption for passwords." so now it should use crypt().


>
> I would guess that is the one that should match.
>
> >         'clear_passwd' => 'pw_clear_passwd',
> >         'use_clear_passwd' => true
>
> Aren't you telling it there to use clear (unencrypted) passwords instead?

Those two fields are used, for example, by vqadmin to display clear passwords,
but passwd has to know if vpopmail uses them to change 'pw_clear_passwd' to
the new password given, or else the encrypted password would be X and the
clear password would be Y. But I've tried to put 'use_clear_passwd' => false
and I got the same "Incorrect Password".


>
> --
> Eric Rostetter
> The Department of Physics
> The University of Texas at Austin
>
> Why get even? Get odd!
>
> -- 
> Sork mailing list - Join the hunt: http://horde.org/bounties/#sork
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: sork-unsubscribe at lists.horde.org
>

I've made a small hack to compare the encryptions of passwd with the ones in
the vpopmail database but none of them match. This is the hack

encripted - 9Xqm$rul9IBZ9Dw4lAQ6c6isJC. ,1- 698dc19d489c4e4db73e28a713eab07b
,2- aY3BnUicTk23PiinE+qwew== ,3- 9XeV1c7D3gnpo ,4-
Lm+bDViFtgEPkWd4dEVhf1U6c18= , 5- i°g*ÏsihX{”$\«öüi ,6- ó!6ÁØ|uKkØ)"³ ,
name - NULL , domain - NULL

where

9Xqm$rul9IBZ9Dw4lAQ6c6isJC -> vpopmail password in mysql

The following are encryptions by passwd, and between () are the commands used
for encryption:

698dc19d489c4e4db73e28a713eab07b -> md5 encrypted (md5($plaintext))
aY3BnUicTk23PiinE+qwew== -> md5-base64 (base64_encode(mHash(MHASH_MD5,
$plaintext)))
9XeV1c7D3gnpo -> crypt (crypt($plaintext, $salt))
Lm+bDViFtgEPkWd4dEVhf1U6c18= -> sha (mHash(MHASH_SHA1, $plaintext . $salt))
i°g*ÏsihX{”$\«öüi ,6- ó!6ÁØ|uKkØ)"³ -> ssha (mHash(MHASH_MD5,
$plaintext . $salt))

Where $plaintext is the password that we filled in the "Old password" field and
$salt is "$salt = substr($encrypted , 0, 2);"

I think the problem is at $salt (it can only be because both use the same
function) but I don't see where.


Pedro Maia
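
Added example, not part of the original message or of the passwd module: the stored value shown above is longer than the 13 characters that DES crypt() always produces, so a two-character salt cannot reproduce it. The sketch below verifies a password by passing the whole stored hash to crypt() as the salt. The function names and sample hashes are constructed for illustration.

```php
<?php
// Added example (not from the original thread). Function names are hypothetical.

/**
 * Guess the crypt(3) scheme of a stored hash from its shape.
 * Traditional DES crypt is always 13 characters: 2 salt + 11 hash.
 * MD5-crypt starts with "$1$" and carries its salt up to the next "$".
 */
function classify_crypt_hash(string $stored): string
{
    if (preg_match('#^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$#', $stored)) {
        return 'md5-crypt';
    }
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $stored)) {
        return 'des-crypt';
    }
    return 'unknown';
}

/**
 * Verify a password against a crypt(3)-style hash.
 * Passing the whole stored hash as the salt lets crypt() pick the scheme
 * and salt itself, so no substr() guess about salt length is needed.
 */
function verify_crypt_password(string $plaintext, string $stored): bool
{
    if (classify_crypt_hash($stored) === 'unknown') {
        return false; // refuse shapes we do not recognise
    }
    // hash_equals() compares in constant time
    return hash_equals($stored, crypt($plaintext, $stored));
}

// Constructed sample data: hashes generated here, not taken from any database.
$password = 'constructed-example-password';
$desHash  = crypt($password, 'ab');            // 13-character DES crypt
$md5Hash  = crypt($password, '$1$abcdefgh$');  // "$1$abcdefgh$" + 22 characters

foreach ([$desHash, $md5Hash] as $stored) {
    $twoCharSalt = substr($stored, 0, 2);      // the salt choice quoted in the message
    printf("%-10s full-hash-as-salt: %s  two-char-salt: %s\n",
        classify_crypt_hash($stored),
        var_export(verify_crypt_password($password, $stored), true),
        var_export(hash_equals($stored, crypt($password, $twoCharSalt)), true));
}
```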



