Assume a Debian installation running Dovecot and Postfix. So
Dovecot authenticates users from the data in MySQL. Postfix
authenticates users using Dovecot. Credentials are stored in a
MySQL database in the crypt form (DES).
Disadvantages of crypt are:
- no salt
- password truncation after 8 characters
I want to upgrade the password storage from crypt to SSHA512,
which makes hashes harder to crack in case the hashes get stolen.
bcrypt/scrypt would be even better, although Dovecot does not seem
to support these natively (am I right here?).
Anyway:
In order to convert the hashes, I need the cleartext passwords. So one
idea would be to tell Dovecot to spit out the cleartext password when
a user authenticates via POP or IMAP. Do you know of any such
functionality?
Another approach would be to do some PAM hacking and change
Dovecot so that it authenticates over PAM. An intermediate (maybe
custom) PAM module would then grab the password and store its
SSHA512 hash in a new db field of that particular user. After a while,
I could delete the old crypt hashes and switch over to SSHA512.
So before I start hacking something together, I wanted to ask if anyone
already knows a solution for this? Given the recent large password
leaks (e.g. LinkedIn), a few others probably thought about this. See
Table I in http://www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf
Thanks,
Sebastian
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/D2A69881-AE45-47C8-A26E-4CF3B19BF12E@really-force.net
09-06-2012, 10:04 AM
Chris Davies
Changing email password storage format
Sebastian <debian@really-force.net> wrote:
> Assume a Debian installation running Dovecot and Postfix.
> I want to upgrade the password storage from crypt to SSHA512,
> which makes hashes harder to crack in case the hashes get stolen.
> bcrypt/scrypt would be even better, although Dovecot does not seem
> to support these natively (am I right here?).
That may depend on which version of Dovecot you're running:
- http://wiki2.dovecot.org/Authentication/PasswordSchemes
- http://wiki.dovecot.org/Authentication/PasswordSchemes
> In order to convert the hashes, I need the cleartext passwords. So one
> idea would be to tell Dovecot to spit out the cleartext password when
> a user authenticates via POP or IMAP. Do you know of any such
> functionality?
On my implementation, setting auth_debug_password=yes may well generate
passwords in the logfile. (It's supposed to write them only on a
password mismatch, but I get them since I've got two authentication
sources enabled and mostly only one of them has matching data.)
> So before I start hacking something together, I wanted to ask if anyone
> already knows a solution for this? Given the recent large password
> leaks (e.g. LinkedIn), a few others probably thought about this. See
> Table I in http://www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf
Given these leaks, you really need to ask whether you want to be
collecting plain text passwords. Maybe you should provide a "reset
password" function and push people to use that. (Looking at the scheme
label prefixing each password will allow you to determine who has upgraded
and who hasn't.)
Chris
--
Archive: http://lists.debian.org/f29mh9xbv5.ln2@news.roaima.co.uk
09-06-2012, 03:22 PM
Camaleón
Changing email password storage format
On Wed, 05 Sep 2012 18:02:40 +0200, Sebastian wrote:
(...)
> I want to upgrade the password storage from crypt to SSHA512, which
> makes hashes harder to crack in case the hashes get stolen.
> bcrypt/scrypt would be even better, although Dovecot does not seem to
> support these natively (am I right here?).
According to this recent post I think you're right:
> Anyway:
> In order to convert the hashes, I need the cleartext passwords. So one
> idea would be to tell Dovecot to spit out the cleartext password when a
> user authenticates via POP or IMAP. Do you know of any such
> functionality?
--
Archive: http://lists.debian.org/k2af4c$vdj$10@ger.gmane.org
09-07-2012, 07:39 AM
Sebastian Schinzel
Changing email password storage format
On 6. Sep 2012, at 17:22 PM, Camaleón wrote:
>> Anyway:
>> In order to convert the hashes, I need the cleartext passwords. So one
>> idea would be to tell Dovecot to spit out the cleartext password when a
>> user authenticates via POP or IMAP. Do you know of any such
>> functionality?
>
> (...)
>
> Maybe this is worth reading:
>
> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
This is pretty much exactly what I was looking for. Thanks!
--
Archive: http://lists.debian.org/ED091E50-7980-4068-9A8D-707E6BCEEFAD@seecurity.org
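The rehash-on-login flow Sebastian describes (verify the cleartext against the old crypt hash at authentication time, then store a salted SSHA512 hash) and the scheme-label check Chris mentions (who has upgraded and who has not) can be illustrated in a few dozen lines. The following is an added example written for this thread; it is not code from Dovecot or from any of the posters. It implements Dovecot's documented `{SSHA512}` layout, base64(SHA512(password || salt) || salt), and treats an unlabelled value as the default scheme (CRYPT in this setup). The names `split_scheme`, `make_ssha512`, `verify_ssha512`, `upgrade_on_login`, `migration_status` and `crypt_verify` are this example's own, and the legacy verifier passed to `upgrade_on_login` is a callback so the demo runs without a crypt(3) binding:

```python
import base64
import hashlib
import hmac
import os
import re

# Dovecot stores passwords as "{SCHEME}data". A value without a label is
# interpreted with default_pass_scheme, which is CRYPT in the thread's setup.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9._-]+)\}(.*)$", re.DOTALL)
SALT_LEN = 16  # bytes of random salt per new hash (a choice made for this example)


def split_scheme(stored, default_scheme="CRYPT"):
    """Return (scheme, data) for a Dovecot-style stored password string."""
    m = SCHEME_RE.match(stored)
    if m:
        return m.group(1).upper(), m.group(2)
    return default_scheme, stored


def make_ssha512(password, salt=None):
    """Build a {SSHA512} value: base64(SHA512(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password, stored):
    """Constant-time check of a cleartext password against a {SSHA512} value."""
    scheme, data = split_scheme(stored)
    if scheme != "SSHA512":
        return False
    raw = base64.b64decode(data)
    digest, salt = raw[:64], raw[64:]  # SHA-512 digest is 64 bytes; the rest is salt
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def crypt_verify(password, data):
    """Legacy check for the CRYPT scheme via the C library's crypt(3).

    Python's stdlib crypt module exists up to 3.12 only; on 3.13+ a third-party
    binding would be needed. This is the kind of callback upgrade_on_login expects.
    """
    import crypt  # stdlib up to Python 3.12
    return hmac.compare_digest(crypt.crypt(password, data), data)


def upgrade_on_login(stored, password, verify_legacy):
    """Run once per successful login while the cleartext password is in hand.

    verify_legacy(password, data) checks the old scheme. Returns
    (authenticated, new_stored); new_stored is an SSHA512 value that should
    replace the row in the database, or None if no rewrite is needed.
    """
    scheme, data = split_scheme(stored)
    if scheme == "SSHA512":
        return verify_ssha512(password, stored), None  # already upgraded
    if verify_legacy(password, data):
        return True, make_ssha512(password)  # legacy check passed: rehash now
    return False, None


def migration_status(rows):
    """Count upgraded vs. pending users by the scheme label alone (no cleartext needed)."""
    done = sum(1 for _, pw in rows if split_scheme(pw)[0] == "SSHA512")
    return {"upgraded": done, "pending": len(rows) - done}


if __name__ == "__main__":
    # Constructed demo data: a stand-in legacy verifier instead of a real crypt hash.
    legacy_ok = lambda pw, data: pw == "s3cret" and data == "legacy-crypt-value"
    ok, new_value = upgrade_on_login("legacy-crypt-value", "s3cret", legacy_ok)
    print(ok, new_value)
    print(migration_status([("alice", new_value), ("bob", "legacy-crypt-value")]))
```

After the old hashes have all been replaced, the `pending` count reaches zero and the crypt column can be dropped, which is the point at which Sebastian planned to switch over. Users who never log in during the window never get rehashed; those are the accounts a forced password reset, as Chris suggests, would cover.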