svarshavchik / courier

Courier Mail Server
http://www.courier-mta.org

Documentation: Explain how crypted passwords can be discerned #13

Closed avengerx closed 2 years ago

avengerx commented 6 years ago

Hi! I could only realize how passwords could be identified from courier-authlib once I opened the source code and read through it... Which is a pretty cool implementation, I must say!

I may just have looked at the wrong place and felt like asking it here then... If I'm right, I may try to contribute a pull request to increment on that documentation, as the feature works.

On several other tools we usually choose the hashing algorithm for the passwords instead of letting the authenticator identify it by itself. Anyway, this does not matter that much... it would just help to have it documented and mentioned in the places where it is relevant.

For instance, these are relevant candidates for mention: https://github.com/svarshavchik/courier/blob/master/courier-authlib/README.authmysql.html#L60 https://github.com/svarshavchik/courier/blob/master/courier-authlib/README.authmysql.myownquery#L500-L507

Somewhere in the Debugging document, maybe?

Or...maybe.... a new README.crypt_pw.html?

Actually I think best would be to just add it to the README.authmysql.html file (although this crypted password could come from PAM, system or other methods/modules).

It seems the essential matching is here: cryptpassword.c:74-125 Or even better: checkpassword.c:39-55.

And what happened to lead me here was: I encrypted passwords in MySQL (MariaDB) using the md5() builtin function. So all I needed to do in order for that password to work was to mangle the select to show it as concat('{MD5RAW}', table.passwordfield). Trying $1$ or {MD5} did not match.

Maybe as a new feature, it could consider a crypted string of 32 characters as a {MD5RAW} candidate? As long as crypted, I don't think other algorithms will match this length.

svarshavchik commented 6 years ago

I am not familiar with mysql's md5() function. Feel free to submit a patch.

mckaygerhard commented 5 years ago

Hi @svarshavchik -- it seems Courier added "{MD5RAW}" for the same result as any normal md5 output, such as that returned by MySQL's MD5 and Postgres's md5 functions:

# authpasswd md5raw
Password: 
Reenter password: 
{MD5RAW}c4ca4238a0b923820dcc509a6f75849b

# /usr/bin/php5 -r "echo '{MD5RAW}'.md5(1).PHP_EOL;"
{MD5RAW}c4ca4238a0b923820dcc509a6f75849

# mysql -u root -p
Enter password: 
mysql> select concat('{MD5RAW}', md5('1'));
+------------------------------------------+
| concat('{MD5RAW}', md5('1'))             |
+------------------------------------------+
| {MD5RAW}c4ca4238a0b923820dcc509a6f75849b |
+------------------------------------------+
1 row in set (0.00 sec)
mysql> Bye

svarshavchik commented 5 years ago

That's entirely possible. {MD5} was already in use as a means of representing a base64-encoded MD5 hash, which is shorter. When other libraries began supporting hexadecimal-encoded MD5 hashes, this was implemented as {MD5RAW}.
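
The two encodings described in this comment, as an added example that is not part of the thread and not Courier's own code: a Python sketch showing one MD5 digest stored as `{MD5}` (base64) and as `{MD5RAW}` (hex), and why hex output from a database `md5()` only verifies under the `{MD5RAW}` label. The function names are hypothetical, the sample password `1` is the one used earlier in the thread, and only these two schemes are handled.

```python
import base64
import hashlib
import hmac
import re

HEX32 = re.compile(r"[0-9a-fA-F]{32}")  # 16-byte digest written as hex

def encode_md5(password: str) -> dict:
    """Return the same MD5 digest in both stored forms named in the thread."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return {
        "{MD5}": "{MD5}" + base64.b64encode(digest).decode("ascii"),
        "{MD5RAW}": "{MD5RAW}" + digest.hex(),
    }

def stored_digest(stored: str):
    """Decode a stored value to 16 raw digest bytes, or None if malformed."""
    if stored.startswith("{MD5RAW}"):
        body = stored[len("{MD5RAW}"):]
        return bytes.fromhex(body) if HEX32.fullmatch(body) else None
    if stored.startswith("{MD5}"):
        try:
            raw = base64.b64decode(stored[len("{MD5}"):], validate=True)
        except ValueError:
            return None
        return raw if len(raw) == 16 else None
    return None  # every other scheme is out of scope for this sketch

def verify(password: str, stored: str) -> bool:
    """Compare the candidate's digest with the decoded stored digest."""
    expected = stored_digest(stored)
    if expected is None:
        return False
    actual = hashlib.md5(password.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)

def label_bare_hex(column_value: str) -> str:
    """Python equivalent of concat('{MD5RAW}', field) for bare md5() output."""
    if HEX32.fullmatch(column_value):
        return "{MD5RAW}" + column_value
    return column_value

if __name__ == "__main__":
    print(encode_md5("1"))
    bare = "c4ca4238a0b923820dcc509a6f75849b"  # md5('1') as shown in the thread
    print(verify("1", label_bare_hex(bare)))   # hex under {MD5RAW}
    print(verify("1", "{MD5}" + bare))         # hex under {MD5}: wrong encoding
```

Hex characters are also valid base64, so a hex digest placed under `{MD5}` decodes to 24 bytes instead of 16 and is rejected rather than matched.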

mckaygerhard commented 5 years ago

So you can add that piece of my comment to the documentation page, citing the issue comment at the bottom, please, so many users can more easily implement courier-imap with mysql/postgres/odbc etc.?

Courier is one of the most difficult mail service software combos to set up due to the lack of translated documentation, but with more examples and notes that will change!

svarshavchik commented 5 years ago

I can certainly review a pull request, but I don't see anything here that can be formatted as additional documentation.

mckaygerhard commented 5 years ago

> I can certainly review a pull request, but I don't see anything here that can be formatted as additional documentation.

OK, currently I'm very busy because I have some problems due to the language barrier on my upgrade setups. After I finish my jobs, I'll send some contributions.