Joseph C. Lininger writes:
I am not using PAM for authentication in Courier. I'm using authmysql. Probably the reason authentication works was pure luck, the way Courier makes the crypt(3) call. The SHA512 based password hashing in my implementation is compatible to an extent with the MD5 based algorithm in wider circulation. Depending on exactly how Courier reads the password string and processes it through crypt(3) it could likely work without you ever intending for it to have done. Having it carry over to password changes, now, that requires some handling. I'd be willing to make the modifications and submit a patch if you'd be willing to point me to a starting point in the code. I could find it myself, but as the author, if you told me where to look, you'd shave a lot of time off the analysis and modification time. I'll probably go ahead and make the modifications and at least make the capability available through a private patch even if you aren't interested in having it in the mainline Courier distribution, because I and some people I work with have a use for it. If you want to use it though, I'll do the work to add it and give it to you in the form of a patch.
The problem is that Courier does not use crypt() to validate "$1$" formatted passwords. It essentially reimplements the entire algorithm that computes this hash. Except for the original crypt passwords, all hash functions are implemented natively in Courier. At the time of the original implementation, crypt() only did the crypt method; the new salted MD5 passwords were implemented separately in glibc. From what you're telling me, it looks like all the hash functions have now been folded into crypt(), and that's how you pull this off.
Implementing the new hash function within the existing framework is going to be a bear. Reimplementing the entire $6$ algorithm will be an adventure. But if you want to give it a shot:
All the password stuff is in the courier-authlib package. Verifying an existing password is done in authcheckpassword(), in checkpassword.c. Changing an existing password is implemented in authcryptpasswd(), in cryptpassword.c.
This code is fairly old, but it works. If you want to take a shot at cleaning it up, go for it.
