Re: [vchkpw] Crypt incompatibility

2004-08-27 Thread Tom Collins
On Aug 27, 2004, at 2:29 PM, Jeremy Kister wrote:
> > Here's a patch I'm adding to vpopmail to fall back to using a non-MD5
> > salt if the host's crypt() doesn't handle MD5.
> [..]
+ if (tmpstr[2] != '$') {
> I know less than nothing about C, but shouldn't that be: 'if (tmpstr[0] ==
> '$') {' ?

In an MD5-encrypted password, the salt will start with $1$.  If you 
push that salt into a DES-encrypted password, it will only use the 
first two characters (and the third will become something other than 
$).

So, the test tells you that what you thought would be an MD5-encrypted 
password was actually DES-encrypted.

A compile-time test is a good idea though -- I'll try to add it as a 
Feature Request on SourceForge so we don't forget about it.  If you 
have a SF account, feel free to make the request yourself.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
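
The distinction described in the message above, as an added example (not code from vpopmail or from either poster): a C function that sorts a stored hash into MD5 crypt, traditional crypt, or the case from this thread where a `$1` salt went through a crypt() without MD5 support. The function and enum names are hypothetical; the first two samples are the hashes quoted in the thread, the other two are constructed for shape only.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names; not part of vpopmail. */
enum hash_kind { HASH_MD5, HASH_DES, HASH_DES_BAD_SALT, HASH_UNKNOWN };

/* The 64 characters crypt() uses for salts and encoded output. */
static const char CRYPT64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Nonzero if the first n bytes of s all come from CRYPT64. */
static int crypt_chars(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\0' || strchr(CRYPT64, s[i]) == NULL)
            return 0;
    return 1;
}

enum hash_kind classify_hash(const char *h)
{
    if (strncmp(h, "$1$", 3) == 0) {            /* MD5: $1$<salt>$<22 chars> */
        const char *salt = h + 3, *end = strchr(salt, '$');
        if (end != NULL && (size_t)(end - salt) <= 8
            && crypt_chars(salt, (size_t)(end - salt))
            && strlen(end + 1) == 22 && crypt_chars(end + 1, 22))
            return HASH_MD5;
        return HASH_UNKNOWN;
    }
    if (strlen(h) == 13 && crypt_chars(h + 2, 11))  /* 2 salt + 11 hash */
        return crypt_chars(h, 2) ? HASH_DES : HASH_DES_BAD_SALT;
    return HASH_UNKNOWN;
}

int main(void)
{
    static const char *names[] = { "md5", "des", "des-bad-salt", "unknown" };
    const char *samples[] = {
        "$1VUyx7YfKO2w",                       /* from the thread (Solaris) */
        "$125a08DVKgFI",                       /* from the thread (FreeBSD) */
        "abCdEfGhIjKlM",                       /* constructed, shape only */
        "$1$Xy3kQz9A$abcdefghijklmnopqrstuv",  /* constructed, shape only */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s %s\n", samples[i], names[classify_hash(samples[i])]);
    return 0;
}
```

Entries reported as `des-bad-salt` are the ones the thread suggests regenerating with a valid salt.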


Re: [vchkpw] Crypt incompatibility

2004-08-27 Thread Jeremy Kister
On Friday, August 27, 2004 2:00 PM, Tom Collins wrote:
> Your server's crypt() doesn't support MD5 passwords.  You will need to
> rebuild vpopmail with the --disable-md5-passwords option.

You've solved my problem (after also recompiling/reinstalling qmail).

> If you compiled with clear password support, you might want to use your
> Perl skills to go through each vpasswd file and replace the current
> encrypted password with a new one (using a valid salt).  If you delete

not tested too much, but it seems to have worked on my installation:
http://jeremy.kister.net/code/perl/vchkpw.fixcrypt.pl

> Here's a patch I'm adding to vpopmail to fall back to using a non-MD5
> salt if the host's crypt() doesn't handle MD5.
[..]
> + if (tmpstr[2] != '$') {

I know less than nothing about C, but shouldn't that be: 'if (tmpstr[0] ==
'$') {' ?

it might be good for this to get done at compile time (i.e. testing for MD5
support... failed!  reconfigure using --disable-md5-passwords)

this whole experience also raises an interesting question -- perhaps
installations including the clear password shouldn't even use crypts.

Thanks, Tom

Jeremy Kister
http://jeremy.kister.net/



Re: [vchkpw] Crypt incompatibility

2004-08-27 Thread Tom Collins
On Aug 27, 2004, at 10:33 AM, Jeremy Kister wrote:
> > What was used to generate the $1 salt for the original crypted
> > passwords?
>
> your software.
>
> ~vpopmail/bin/vadduser [EMAIL PROTECTED] asdf, on Solaris 2.7 sparc vpopmail
> 5.4.6

Your server's crypt() doesn't support MD5 passwords.  You will need to 
rebuild vpopmail with the --disable-md5-passwords option.

If you compiled with clear password support, you might want to use your 
Perl skills to go through each vpasswd file and replace the current 
encrypted password with a new one (using a valid salt).  If you delete 
the vpasswd.cdb file afterward, it should get regenerated automatically 
(try doing a vuserinfo on the postmaster account to see if that 
triggers regeneration).

Sorry about the bug.  Thanks for pointing it out to us though.
Here's a patch I'm adding to vpopmail to fall back to using a non-MD5 
salt if the host's crypt() doesn't handle MD5.

--- vpopmail.c  19 Aug 2004 05:42:35 -  1.28.2.7
+++ vpopmail.c  27 Aug 2004 17:55:49 -
@@ -606,6 +606,19 @@
   tmpstr = crypt(clearpass,salt);
   if ( tmpstr == NULL ) return(VA_CRYPT_FAILED);
+#ifdef MD5_PASSWORDS
+  /* Make sure this host's crypt supports MD5 passwords.  If not,
+   * fall back on old-style crypt
+   */
+  if (tmpstr[2] != '$') {
+salt[0] = randltr();
+salt[1] = randltr();
+salt[2] = 0;
+tmpstr = crypt(clearpass,salt);
+if ( tmpstr == NULL ) return(VA_CRYPT_FAILED);
+  }
+#endif
+
   strncpy(crypted,tmpstr, ssize);
   return(VA_SUCCESS);
 }
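Review bot: the fallback under `if (tmpstr[2] != '$')` downgrades silently: when the host's crypt() ignores the MD5 salt, the account is written with an old-style two-character-salt hash and nothing tells the administrator that an MD5_PASSWORDS build is not producing MD5 hashes. Suggest emitting a warning on this path, or detecting the condition at configure time as proposed in the thread, so the weaker hashes do not go unnoticed. The new comment should also say why index 2 is tested, namely that an MD5 result begins with `$1$` while an old-style result does not have `$` in that position. Separately, the unchanged `strncpy(crypted,tmpstr, ssize);` after the new block leaves `crypted` unterminated when the result is `ssize` bytes or longer; worth confirming that callers size and terminate the buffer.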
--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/


Re: [vchkpw] Crypt incompatibility

2004-08-27 Thread Jeremy Kister
On Friday, August 27, 2004 1:33 PM, Tom Collins wrote:
> > What was used to generate the $1 salt for the original crypted
> > passwords?

Interestingly, *all* the crypts in every vpasswd (192 of them) start with
$1, and all have been created using some version of vadduser.

i just asked a friend, who's running vpopmail 5.4.6 on slackware 2.4.26, and
all of his crypts start with $1$


Jeremy Kister
http://jeremy.kister.net/



Fw: [vchkpw] Crypt incompatibility

2004-08-27 Thread Jeremy Kister
On Friday, August 27, 2004 1:26 PM, Tom Collins wrote:

> What was used to generate the $1 salt for the original crypted
> passwords?

your software.

~vpopmail/bin/vadduser [EMAIL PROTECTED] asdf, on Solaris 2.7 sparc vpopmail
5.4.6



Jeremy Kister
http://jeremy.kister.net/



Re: [vchkpw] Crypt incompatibility

2004-08-27 Thread Tom Collins
On Aug 27, 2004, at 10:11 AM, Jeremy Kister wrote:
> From the Solaris box:
> max> ./vchkpw.pl
> Email Address: [EMAIL PROTECTED]
> Password: asdf
> test: $1VUyx7YfKO2w - crypt: $1VUyx7YfKO2w
> Correct Password
>
> From the FreeBSD box:
> penny> ./vchkpw.pl
> Email Address: [EMAIL PROTECTED]
> Password: asdf
> test: $125a08DVKgFI - crypt: $1VUyx7YfKO2w
> Incorrect Password

According to my docs for crypt(), '$' is not a valid salt character -- 
"0-9a-zA-Z./" are the only ones allowed, so using an invalid salt will 
have unpredictable results.

What was used to generate the $1 salt for the original crypted 
passwords?

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/


Fw: [vchkpw] Crypt incompatibility

2004-08-27 Thread Jeremy Kister
On Friday, August 27, 2004 1:14 PM, Jeremy Kitchen wrote:
> why?
>
> this question isn't related to vpopmail.  You should ask your OS vendors, or
> some perl gurus.

I'm not sure that you read my email.

the vchkpw.pl was just debugging information.

qmail-popup works fine, but smtp auth using vchkpw does not.


Jeremy Kister
http://jeremy.kister.net/



Re: [vchkpw] Crypt incompatibility

2004-08-27 Thread Jeremy Kitchen
On Friday 27 August 2004 12:11 pm, Jeremy Kister wrote:
[snip: I broke it]
> I wrote my own vchkpw in perl (inspectable at:
> http://jeremy.kister.net/code/perl/vchkpw.pl):

why?

this question isn't related to vpopmail.  You should ask your OS vendors, or 
some perl gurus.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail



[vchkpw] Crypt incompatibility

2004-08-27 Thread Jeremy Kister
I have vpopmail 5.4.5 on an array of Solaris sparc machines.  One of the Solaris
machines hosts the qmail control files, the assign file, and the vpopmail
domains directory.  All the client machines deliver mail via NFS.

I recently added a FreeBSD 5.2.1-R i386 box to the mix.  This box can
deliver fine to the spool, but a problem comes when trying to authenticate
credentials (via smtp auth).

penny> telnet 0 25
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 qmail-03.example.net ESMTP
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdEBleGFtcGxlLmNvbQ==
334 UGFzc3dvcmQ6
YXNkZg==
535 authentication failed (#5.7.1)

I wrote my own vchkpw in perl (inspectable at:
http://jeremy.kister.net/code/perl/vchkpw.pl):

From the Solaris box:
max> ./vchkpw.pl
Email Address: [EMAIL PROTECTED]
Password: asdf
test: $1VUyx7YfKO2w - crypt: $1VUyx7YfKO2w
Correct Password

From the FreeBSD box:
penny> ./vchkpw.pl
Email Address: [EMAIL PROTECTED]
Password: asdf
test: $125a08DVKgFI - crypt: $1VUyx7YfKO2w
Incorrect Password


Interestingly, if i test the credentials with qmail-popup, authentication
works:
penny> /var/qmail/bin/qmail-popup /home/vpopmail/bin/vchkpw id
+OK <28456.1093625622@/home/vpopmail/bin/vchkpw>
USER [EMAIL PROTECTED]
+OK
PASS asdf
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)

It seems that the crypt functions in Solaris and FreeBSD are making different
crypts even though they're using the same salt.

If that's the case, how is qmail-popup working correctly?  Any ideas how to
fix this?

Jeremy Kister
http://jeremy.kister.net/