[sork] Passwd

Pedro Maia dtread at ptweb.org
Tue Mar 16 06:22:44 PST 2004



>
> > Quoting Pedro Maia <dtread at ptweb.org>:
> >
> > > When I try to change the password it says to me "Failure in changing
> > > password : Incorect Password". I've made some tests and I saw that the
> > > problem is when passwd encrypts the password, it gets different from
> > > the one encrypted by vpopmail.
> >
> > Find out what encryption vpopmail uses, and make sure you use the same
> > one in your configuration:
> >
> > >         'encryption' => 'crypt',
>
> The encryption that vpopmail uses by default is MD5, but in the configure I
> used this "  --disable-md5-passwords    Use DES crypt() instead of MD5
> encryption for passwords." so now it should use crypt()
>
>
> >
> > I would guess that is the one that should match.
> >
> > >         'clear_passwd' => 'pw_clear_passwd',
> > >         'use_clear_passwd' => true
> >
> > Aren't you telling it there to use clear (unencrypted) passwords instead?
>
> Those two fields are used, for example, by vqadmin to display clear passwords
> but passwd has to know if vpopmail uses them to change 'pw_clear_passwd' to
> the new password given, or else the encrypted password would be X and the
> clear password would be Y. But I've tried to put 'use_clear_passwd' => false
> and I got the same "Incorrect Password".
>
>
> >
> > --
> > Eric Rostetter
> > The Department of Physics
> > The University of Texas at Austin
> >
> > Why get even? Get odd!
> >
> > -- 
> > Sork mailing list - Join the hunt: http://horde.org/bounties/#sork
> > Frequently Asked Questions: http://horde.org/faq/
> > To unsubscribe, mail: sork-unsubscribe at lists.horde.org
> >
>
> I've made a small hack to compare the encryptions of passwd with the ones in
> the vpopmail database but none of them match. This is the hack
>
> encripted - 9Xqm$rul9IBZ9Dw4lAQ6c6isJC. ,1- 698dc19d489c4e4db73e28a713eab07b
> ,2- aY3BnUicTk23PiinE+qwew== ,3- 9XeV1c7D3gnpo ,4-
> Lm+bDViFtgEPkWd4dEVhf1U6c18= , 5- i°g*ÏsihX{”$\«öüi ,6- ó!6ÁØ|uKkØ)"³ ,
> name - NULL , domain - NULL
>
> where
>
> 9Xqm$rul9IBZ9Dw4lAQ6c6isJC -> vpopmail password in mysql
>
> The following are encryptions by passwd, and between () are the commands
> used for encryption
>
> 698dc19d489c4e4db73e28a713eab07b -> md5 encrypted (md5($plaintext))
> aY3BnUicTk23PiinE+qwew== -> md5-base64 (base64_encode(mHash(MHASH_MD5,
> $plaintext)))
> 9XeV1c7D3gnpo -> crypt (crypt($plaintext, $salt))
> Lm+bDViFtgEPkWd4dEVhf1U6c18= -> sha (mHash(MHASH_SHA1, $plaintext . $salt))
> i°g*ÏsihX{”$\«öüi ,6- ó!6ÁØ|uKkØ)"³ -> ssha (mHash(MHASH_MD5,
> $plaintext . $salt))
>
> Where $plaintext is the password that we filled in "Old password" field and
> $salt is "$salt = substr($encrypted , 0, 2);"
>
> I think the problem is at $salt (it can only be because both use the same
> function) but I don't see where.
>
>
> Pedro Maia

Yes it was salt :)

Line 108 at passwd/lib/Driver.php

            case 'crypt':
                $encrypted = substr($encrypted, 7);
                $salt = substr($encrypted , 0, 2);

We have to replace it by

            case 'crypt':
                $salt = $encrypted;

because the vpopmail function to crypt is

int vauth_crypt(char *user,char *domain,char *clear_pass,struct vqpasswd *vpw)
{
  if ( vpw == NULL ) return(-1);
  return(strcmp(crypt(clear_pass,vpw->pw_passwd),vpw->pw_passwd));
}

Pedro Maia
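
The salt fix above, as an added example that is not part of the original message or of the Horde or vpopmail code: crypt() takes its scheme marker and salt from the start of the string passed as the salt argument, so passing the whole stored hash verifies both traditional DES and MD5 ($1$) hashes, while cutting characters off first does not. Function names, passwords and salts are constructed for illustration.

```php
<?php
// Added example: function names, passwords and salts are constructed.

// Check after the fix: pass the whole stored hash as the salt, as
// vpopmail's vauth_crypt() does. crypt() reads the scheme marker and salt
// from the start of that string and ignores the remainder.
function verify_full_hash(string $plaintext, string $stored): bool
{
    $computed = crypt($plaintext, $stored);
    // On failure crypt() returns a string shorter than 13 characters.
    return strlen($computed) >= 13 && hash_equals($stored, $computed);
}

// Logic of the replaced lines: drop 7 characters, then use the next 2 as salt.
function verify_legacy(string $plaintext, string $stored): bool
{
    $encrypted = substr($stored, 7);
    $salt = substr($encrypted, 0, 2);
    $computed = crypt($plaintext, $salt);
    return strlen($computed) >= 13 && hash_equals($encrypted, $computed);
}

// Constructed stored hashes with no prefix in front of them.
$samples = [
    'DES crypt' => crypt('old-secret', 'ab'),
    'MD5 crypt' => crypt('old-secret', '$1$abcdefgh$'),
];

foreach ($samples as $scheme => $stored) {
    printf("%s: full=%s wrong-password=%s legacy=%s\n",
        $scheme,
        var_export(verify_full_hash('old-secret', $stored), true),
        var_export(verify_full_hash('not-it', $stored), true),
        var_export(verify_legacy('old-secret', $stored), true));
}
```

hash_equals() compares the two strings in constant time, which the strcmp() in vauth_crypt() does not.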



