Hi again, this is what I've found regarding how Drupal 7 hashes.
$hash = md5($salt . $password, TRUE); do { $hash = md5($hash . $password, TRUE); } while (--$count); The whole final hash value is encoded into 16 base64 characters and prepended by an identifying string, the standard phpass MD5 mode uses $P$ (Drupal’s modified version uses $S$ to indicate SHA-512) and a single base64 character to indicate the number of MD5 iterations used. Examples of a hashed password are: # Drupal 7 hash $S$CgwilRJS4VIF1.2y0R7B4qkXJ8F8SJPcuvXRKGlMWESVXMST.5n4 WordPress 3.0.4 uses the phpass default of 8193 iterations ($count being 8192) and Drupal 7 uses 16385 — notice that the Drupal password has C after the identifier whereas WordPress has B, converted from crypt style base64 (character set [./0-9A-Za-z]) these are 14 and 13 respectively, then take 214 + 1 = 16385. A John the Ripper benchmark, after patching and enabling the usage of phpass portable passwords (WordPress style, 8193 iterations), quotes approximately 700 passwords checked per second. Can I use this inforamtion to make Dovecot understand how to interpret the hash? Thanks! Regards Tobias On Mon, 11 Mar 2013 14:00:22 -0500, "l...@airstreamcomm.net" <l...@airstreamcomm.net> wrote: > On 3/11/13 11:57 AM, i...@stos.se wrote: >> Hi >> >> I'm trying to get Dovecot to use Drupal users password for authenticating >> IMAP users. But I just cant figure out how to make Dovecot understand the >> password hash type that Drupal 7 is using. >> >> My example user with password Teacher1 looks like this in Drupal >> database: >> $S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU >> >> Dovecot retrieves this hash but complains that its not a recognized hash >> type, or that the hash is wrong, depending on if I change the default >> hash >> type in Dovecot config. >> >> Any help appreciated. >> >> >> root@SSiS:/etc/postfix# dovecot --version >> 1.2.15 >> root@SSiS:/etc/postfix# dovecot -n >> # 1.2.15: /etc/dovecot/dovecot.conf >> # OS: Linux 2.6.32-12-pve i686 Debian 6.0.7 simfs >> log_timestamp: %Y-%m-%d %H:%M:%S >> login_dir: /var/run/dovecot/login >> login_executable: /usr/lib/dovecot/imap-login >> mail_privileged_group: mail >> mail_location: maildir:/home/vmail/ >> mbox_write_locks: fcntl dotlock >> auth default: >> verbose: yes >> debug: yes >> debug_passwords: yes >> passdb: >> driver: pam >> passdb: >> driver: sql >> args: /etc/dovecot/dovecot-sql.conf >> userdb: >> driver: passwd >> root@SSiS:/etc/postfix# >> root@SSiS:/etc/postfix# grep -v '^ *\(#.*\)\?$' >> /etc/dovecot/dovecot-sql.conf >> driver = mysql >> connect = host=127.0.0.1 dbname=Drupal user=Dru_Adm password=localu >> default_pass_scheme = CRYPT >> password_query = SELECT name AS user, pass AS password FROM users WHERE >> name='%n' >> user_query = SELECT >> CONCAT(SUBSTRING_INDEX(mail,'@',-1),'/',SUBSTRING_INDEX(mail,'@',1),'/') >> AS >> mail FROM users WHERE name='%n' >> root@SSiS:/etc/postfix# tail /var/log/mail.log >> Mar 11 16:17:42 SSiS dovecot: auth(default): new auth connection: >> pid=8593 >> Mar 11 16:17:51 SSiS dovecot: auth(default): client in: >> AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=52316#011resp=AFRlYWNoZXIxAFRlYWNoZXIx >> Mar 11 16:17:51 SSiS dovecot: auth-worker(default): >> pam(Teacher1,127.0.0.1): lookup service=dovecot >> Mar 11 16:17:51 SSiS dovecot: auth-worker(default): >> pam(Teacher1,127.0.0.1): #1/1 style=1 msg=Password: >> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): >> pam(Teacher1,127.0.0.1): pam_authenticate() failed: Authentication >> failure >> (password mismatch?) (given password: Teacher1) >> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): >> sql(Teacher1,127.0.0.1): query: SELECT name AS user, pass AS password >> FROM >> users WHERE name='Teacher1' >> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): >> sql(Teacher1,127.0.0.1): Password mismatch >> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): md5_verify(Teacher1): >> Not a valid MD5-CRYPT or PLAIN-MD5 password >> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in >> passdb >> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in >> passdb >> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): >> sql(Teacher1,127.0.0.1): CRYPT(Teacher1) != >> '$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU' >> Mar 11 16:17:56 SSiS dovecot: auth(default): client out: >> FAIL#0111#011user=Teacher1 >> Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many invalid >> commands (auth failed, 1 attempts): user=<Teacher1>, method=PLAIN, >> rip=127.0.0.1, lip=127.0.0.1, secured >> Mar 11 16:32:36 SSiS dovecot: auth(default): new auth connection: >> pid=9075 >> Mar 11 16:32:41 SSiS dovecot: imap-login: Disconnected: Too many invalid >> commands (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured >> root@SSiS:/etc/postfix# >> >> > As far as I understand Drupal uses salted passwords, so you would need > to return the password + salt in the sql query. I am not sure what > position the salt is offset for a password with Drupal, but that should > be simple to determine looking at the source.