> > > > I finally got motivated to move away from crypt passwords since on my
> > > > system that limits the passwords to 8 characters. What I settled on was
> > > > SHA, since it seems to be supported everywhere I need it. Unfortunately,
> > > > I can't get it to work anywhere and I can't tell why.
> > > >
> > > > I store my account data in MySQL. I changed the contents of my encrypted
> > > > password field (that was working 100% with crypt passwords) to look like
> > > > this:
> > > >
> > > > {SHA}9afab6adfc0ec3d458fa314ddfd9b764e963144f
> > >
> > > These are MySQL-specific hex-encoded passwords.
> > >
> > > For Courier to recognize SHA passwords, they have to be base64-encoded, not
> > > hex-encoded, like it's done by OpenLDAP, and other systems.
> >
> > Ah, I see. That kind of encoding is also what PHP does by default unless you
> > ask for the raw hash in PHP5+.
> >
> > Does anyone know if there is any way to produce a base64-encoded SHA hash using
> > MySQL? Does anyone here use MySQL and something other than crypt passwords?
> > What do others do to avoid the 8 character limit (ideally, I like SSHA or
> > something else where a salt can be used)?
>
> Bump.
>
> Can anyone explain what they use to host passwords with more than 8 characters
> in a MySQL-backed virtual accounts system? Most tutorials/howto guides mostly
> avoid the topic completely. I also use pam-mysql for sasl authentication, which
> limits my choices, but it seems to support SHA passwords. Is the only way to
> make base64-encoded SHA passwords to write a PHP script (PHP 5+ only) to do it
> the long way or learn to do it in another language???

So is everyone just using plain crypt? Does anyone care about better password
security??

I did a little bit more looking today and I see that pam-mysql supports system
crypt WITH md5. I think (but have not tested) that this means that it takes an
md5 of the password first and then crypts it. (Note that I hate to think it
does the opposite, because if you have the 8 character limit in crypt(),
crypting it and THEN taking the md5 won't solve that problem!) Does anyone
know for sure how it works?

Since feedback seems in short supply, I think I will try this some time soon,
but the outstanding question is if Courier can be taught how to deal with this
kind of "MD5CRYPT" password format???
_______________________________________________
Courier-imap mailing list
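
The hex-versus-base64 point from the quoted reply, as an added example that is not part of the original thread or of Courier's or pam-mysql's code: it re-encodes an existing hex `{SHA}` value to base64 without needing the plaintext, shows why the hex form fails a base64-based check, and builds a salted `{SSHA}` value. The function names and the sample row are constructed for illustration, the `{SSHA}` layout follows the OpenLDAP convention, and whether a particular Courier or pam-mysql version accepts `{SSHA}` is an assumption to check locally.

```python
import base64
import binascii
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a raw SHA-1 digest
# Constructed sample row: hex-encoded SHA-1 of the string "password".
HEX_ROW = "{SHA}5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"


def hex_to_base64_sha(stored):
    """Re-encode '{SHA}<hex>' as '{SHA}<base64>'; the plaintext is not needed."""
    if not stored.startswith("{SHA}"):
        raise ValueError("not a {SHA} value")
    raw = binascii.unhexlify(stored[5:])  # raises on non-hex input
    if len(raw) != SHA1_LEN:
        raise ValueError("not a 20-byte SHA-1 digest")
    return "{SHA}" + base64.b64encode(raw).decode("ascii")


def make_ssha(password, salt=None):
    """OpenLDAP-style salted SHA-1: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password, stored):
    """Check a password against a base64-encoded {SHA} or {SSHA} value."""
    scheme, _, b64 = stored.partition("}")
    if scheme not in ("{SHA", "{SSHA"):
        return False
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return False
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    if (scheme == "{SHA") != (salt == b""):
        return False  # {SHA} has no salt; a 40-char hex value decodes to 30 bytes
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    print(hex_to_base64_sha(HEX_ROW))
    print(verify("password", HEX_ROW))
    print(verify("password", hex_to_base64_sha(HEX_ROW)))
    print(verify("password", make_ssha("password")))
```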