At Wed, 20 Apr 2011 07:57:34 -0400,
Ludovic Marcotte wrote:
> 
> On 20/04/11 07:52, Martin Rabl wrote:
> > Since when is md5 used for encrypting passwords in /etc/shadow??
> If the password string starts with $1$, it means it was MD5-encoded.
> 
> My guess is that he strapped '$1$foobar' directly in the database 
> without stripping the leading $1$.

Yes, but it's also salted, and looking at SQLsource.m, SOGo doesn't use
any salt with the md5/sha password options. That is actually very insecure,
and especially with md5 it's nowadays pretty easy to get the plaintext
password using rainbow tables, but that's not the issue now...

I also see that there is undocumented support for the "crypt"
algorithm which uses the libc crypt(), the same function as used for
/etc/shadow, which should make it possible to copy hashes unchanged
from /etc/shadow AFAICS.

Regards,

Jeroen Dekkers
-- 
users@sogo.nu
https://inverse.ca/sogo/lists
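The two storage formats the thread contrasts, as an added example that is not part of the original message and not SOGo's own code: an unsalted MD5 hex digest (what the reply describes SOGo's md5 option as computing; hex encoding is an assumption here) next to a crypt(3)-style "$1$salt$..." MD5-crypt hash as found in /etc/shadow. The md5crypt() below is a pure-Python port of the libc MD5-crypt algorithm so the example runs without the deprecated `crypt` module; it also shows why a "$1$..." string pasted into the database would never match under the unsalted comparison, and why a precomputed table recovers unsalted digests. The function names, the salt "saltsalt" and the sample passwords are constructed for this example.

```python
"""Unsalted MD5 versus /etc/shadow-style MD5-crypt ($1$). Added example."""
import hashlib
import secrets
import warnings
from typing import Optional

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> bytes:
    """crypt(3)'s little-endian base-64 encoder: n chars, 6 bits each."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt as libc crypt() produces for "$1$" entries in /etc/shadow.

    `salt` may be bare ("saltsalt") or a full stored hash ("$1$saltsalt$...");
    only the first 8 characters before the next '$' are used, as in C."""
    pw = password.encode()
    s = salt.encode()
    if s.startswith(MAGIC):
        s = s[len(MAGIC):]
    s = s.split(b"$", 1)[0][:8]

    ctx = hashlib.md5(pw + MAGIC + s)            # password, magic, salt
    alt = hashlib.md5(pw + s + pw).digest()       # md5(pw + salt + pw)
    pl = len(pw)
    while pl > 0:                                 # len(pw) bytes of alt
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                                      # one NUL or pw[0] per bit
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                         # fixed 1000-round stretch
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final                                     # crypt's byte permutation
    enc = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (MAGIC + s + b"$" + enc).decode()


def unsalted_md5(password: str) -> str:
    """No salt: equal passwords give equal strings for every user and site,
    so one precomputed table (rainbow table or plain dictionary) reverses all
    of them. Hex storage is an assumption of this example."""
    return hashlib.md5(password.encode()).hexdigest()


def compare_unsalted(password: str, stored: str) -> bool:
    """The unsalted check as the reply describes it: digest must equal the
    stored string byte for byte, so a "$1$..." value can never match."""
    return secrets.compare_digest(unsalted_md5(password), stored)


def verify(password: str, stored: str) -> bool:
    """Pick the scheme from the stored string's prefix, then compare."""
    if stored.startswith("$1$"):
        return secrets.compare_digest(md5crypt(password, stored), stored)
    return compare_unsalted(password, stored)


def lookup_unsalted(digest: str, wordlist) -> Optional[str]:
    """Stand-in for a rainbow table: compute once, look up any user's hash."""
    table = {unsalted_md5(w): w for w in wordlist}
    return table.get(digest)


def libc_cross_check(password: str = "correct horse", salt: str = "saltsalt"):
    """Compare with the platform crypt(3) where Python still ships the
    `crypt` module (deprecated in 3.11, removed in 3.13). None if unavailable
    or if the libc does not implement "$1$"."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
    except ImportError:
        return None
    ref = crypt.crypt(password, "$1$" + salt + "$")
    if not ref or not ref.startswith("$1$"):
        return None
    return ref == md5crypt(password, salt)


if __name__ == "__main__":
    shadow_hash = md5crypt("password", "saltsalt")   # constructed sample
    print(shadow_hash, verify("password", shadow_hash))
    print(unsalted_md5("password"), compare_unsalted("password", shadow_hash))
    print(lookup_unsalted(unsalted_md5("password"), ["hunter2", "password"]))
```

Because `verify()` decides by prefix, a hash copied unchanged from /etc/shadow is accepted only through the crypt branch; the unsalted branch, which is all the thread says the md5 option does, rejects it, which is consistent with the guess that a "$1$..." string ended up in the database as-is.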
