
Mailing List Archive: DBMail: users

Question about passwords



auryn at zirakzigil, Nov 12, 2008, 6:41 AM (Post #1 of 17)

Question about passwords

I'm developing a small web application to allow users to change
their passwords.
In the authentication phase I need to check that the user has entered
the right password. To do this I query the dbmail_users table like this:

select * from dbmail_users where userid='name [at] domai' and
password=md5('password');

Well, to make it short this doesn't always work.

I have imported users from an old vpopmail installation, and all the
passwords begin with "$1$...".
If I try

select md5("password")

the result doesn't begin with "$".

If I replace my password with md5('mypassword') it works correctly, however.
This leads me to think that the dbmail authentication mechanism checks the
supplied passwords more than in one way, before accepting or denying access.

So my request is: can the developers tell me what other checks I should
perform, either as MySQL functions (I don't believe there are any besides
md5()) or as operating system calls (from Perl, for example), to get all
the possible encodings of my password?

Thanks.
_______________________________________________
DBmail mailing list
DBmail [at] dbmail
https://mailman.fastxs.nl/mailman/listinfo/dbmail


mysql.jorge at decimal, Nov 12, 2008, 6:43 AM (Post #2 of 17)

RE: Question about passwords

> I have imported users from an old vpopmail installation and all the
> passwords
> begin with "$1$...".
> If I try
> select md5("password")
>

That means that the passwords are in CRYPT format.



auryn at zirakzigil, Nov 12, 2008, 6:50 AM (Post #3 of 17)

Re: Question about passwords

Jorge Bastos wrote:
>> I have imported users from an old vpopmail installation and all the
>> passwords
>> begin with "$1$...".
>> If I try
>> select md5("password")
>>
>>
>
> That means that the passwords are in CRYPT format.
>
>
OK, if so, how should I check them in MySQL?


auryn at zirakzigil, Nov 12, 2008, 6:55 AM (Post #4 of 17)

Re: Question about passwords

Jorge Bastos wrote:
>> I have imported users from an old vpopmail installation and all the
>> passwords
>> begin with "$1$...".
>> If I try
>> select md5("password")
>>
>>
>
> That means that the passwords are in CRYPT format.
>
>

No, crypt passwords don't begin with "$", just tried...


auryn at zirakzigil, Nov 12, 2008, 7:06 AM (Post #5 of 17)

Re: Question about passwords

Giulio Ferro wrote:
> No, crypt passwords don't begin with "$", just tried...

I've tried to change my password with dbmail-users with all possible
mechanisms (md5-hash, md5-digest, md5-base64, crypt), but none of
those yields the same password as the one from the old system.

md5-hash begins with "$1$", though...


mysql.jorge at decimal, Nov 12, 2008, 7:12 AM (Post #6 of 17)

RE: Question about passwords

Are you sure? I think you are wrong!

mysql> select md5('hello');
+----------------------------------+
| md5('hello')                     |
+----------------------------------+
| 5d41402abc4b2a76b9719d911017c592 |
+----------------------------------+
1 row in set (0.01 sec)





> -----Original Message-----
> From: dbmail-bounces [at] dbmail [mailto:dbmail-bounces [at] dbmail] On
> Behalf Of Giulio Ferro
> Sent: quarta-feira, 12 de Novembro de 2008 15:06
> To: DBMail mailinglist
> Subject: Re: [Dbmail] Question about passwords
>
> Giulio Ferro wrote:
> > No, crypt passwords don't begin with "$", just tried...
>
> I've tried to change my password with dbmail-users with all possible
> mechanisms (md5-hash, md5-digest, md5-bas64, crypt), but none of
> those yields the same password as the one from the old system.
>
> md5-hash begins with "$1$", though...
> _______________________________________________
> DBmail mailing list
> DBmail [at] dbmail
> https://mailman.fastxs.nl/mailman/listinfo/dbmail



auryn at zirakzigil, Nov 12, 2008, 7:26 AM (Post #7 of 17)

Re: Question about passwords

Jorge Bastos wrote:
> Are you sure? I think you are wrong!
>
> mysql> select md5('hello');
> +----------------------------------+
> | md5('hello') |
> +----------------------------------+
> | 5d41402abc4b2a76b9719d911017c592 |
> +----------------------------------+
> 1 row in set (0.01 sec)
>
>

Yes, this is correct, but it doesn't begin with "$1$" so it's different
from the vpopmail password...

This is how Vpopmail encodes "hello":
$1$MXpNvihd$cya2POi/0xyg3eMnEQvkr1


Dbmail can verify this password, but I don't know how, since changing the
password with md5-hash yields:
$1$gIj47gF0$gkXNFpjlur1xyApcwdNXu/

(begins with $1$, but it's different from the vpopmail one)

I hope the problem is clearer, now...


aleksander at krediidiinfo, Nov 12, 2008, 7:31 AM (Post #8 of 17)

Re: Question about passwords

Giulio Ferro wrote:

> This leads me to think that the dbmail authentication mechanism checks the
> supplied passwords more than in one way, before accepting or denying
> access.

I don't know, but have a look at the dbmail code responsible for
authentication. dbmail.org and the downloads section.

Regards,

--

Aleksander Kamenik
System Administrator
Krediidiinfo AS
an Experian Company
Phone: +372 665 9649
Email: aleksander [at] krediidiinfo

http://www.krediidiinfo.ee/
http://www.experiangroup.com/


mysql.jorge at decimal, Nov 12, 2008, 7:31 AM (Post #9 of 17)

RE: Question about passwords

> -----Original Message-----
> From: dbmail-bounces [at] dbmail [mailto:dbmail-bounces [at] dbmail] On
> Behalf Of Giulio Ferro
> Sent: quarta-feira, 12 de Novembro de 2008 15:27
> To: DBMail mailinglist
> Subject: Re: [Dbmail] Question about passwords
>
> Jorge Bastos wrote:
> > Are you sure? I think you are wrong!
> >
> > mysql> select md5('hello');
> > +----------------------------------+
> > | md5('hello') |
> > +----------------------------------+
> > | 5d41402abc4b2a76b9719d911017c592 |
> > +----------------------------------+
> > 1 row in set (0.01 sec)
> >
> >
>
> Yes, this is correct, but it doesn't begin with "$1$" so it's different
> from the vpopmail password...
>
> This is how Vpopmail encodes "hello":
> $1$MXpNvihd$cya2POi/0xyg3eMnEQvkr1
>
>
> Dbmail can verify this password, but I don't know how, since changing
> the
> password with md5-hash yields:
> $1$gIj47gF0$gkXNFpjlur1xyApcwdNXu/
>
> (begins with $1$, but it's different from the vpopmail one)
>
> I hope the problem is clearer, now...
> _______________________________________________


That is a crypt password.

In dbmail just put "crypt" into the auth type field in the dbmail_users
table.





auryn at zirakzigil, Nov 12, 2008, 7:39 AM (Post #10 of 17)

Re: Question about passwords

Jorge Bastos wrote:
>> This is how Vpopmail encodes "hello":
>> $1$MXpNvihd$cya2POi/0xyg3eMnEQvkr1
>>
>>
>> Dbmail can verify this password, but I don't know how, since changing
>> the
>> password with md5-hash yields:
>> $1$gIj47gF0$gkXNFpjlur1xyApcwdNXu/
>>
>> (begins with $1$, but it's different from the vpopmail one)
>>
>> I hope the problem is clearer, now...
>> _______________________________________________
>>
>
>
> That is crypt password
>
> In dbmail just put "crypt" in to the auth type field in the dbmail_users
> table
>
>

No, it's not. The password 'hello' is stored as '/V/VgOrJAelYA' as crypt in
my db...


jesse at kci, Nov 12, 2008, 7:44 AM (Post #11 of 17)

Re: Question about passwords

You're looking at a md5 digest vs. a md5 hash, and dbmail supports both
flavors. You're wanting to create a hash (which uses $1$somesalt$), and
you can do so with the crypt() function. See e.g.
http://sial.org/howto/perl/password-crypt/ for an example.


On Wed, 2008-11-12 at 16:26 +0100, Giulio Ferro wrote:
> Jorge Bastos wrote:
> > Are you sure? I think you are wrong!
> >
> > mysql> select md5('hello');
> > +----------------------------------+
> > | md5('hello') |
> > +----------------------------------+
> > | 5d41402abc4b2a76b9719d911017c592 |
> > +----------------------------------+
> > 1 row in set (0.01 sec)
> >
> >
>
> Yes, this is correct, but it doesn't begin with "$1$" so it's different
> from the vpopmail password...
>
> This is how Vpopmail encodes "hello":
> $1$MXpNvihd$cya2POi/0xyg3eMnEQvkr1
>
>
> Dbmail can verify this password, but I don't know how, since changing the
> password with md5-hash yields:
> $1$gIj47gF0$gkXNFpjlur1xyApcwdNXu/
>
> (begins with $1$, but it's different from the vpopmail one)
>
> I hope the problem is clearer, now...
--
Jesse Norell
Kentec Communications, Inc.
jesse [at] kci


paul at nfg, Nov 12, 2008, 7:52 AM (Post #12 of 17)

Re: Question about passwords

Giulio Ferro wrote:
> Jorge Bastos wrote:
>>> I have imported users from an old vpopmail installation and all the
>>> passwords
>>> begin with "$1$...".
>>> If I try
>>> select md5("password")
>>>
>>>
>>
>> That means that the passwords are in CRYPT format.
>>
>>
>
> No, crypt passwords don't begin with "$", just tried...

You are wrong, Jorge is correct. md5 passwords that begin with $1$ are
indeed crypt. The format is:

"$1$<salt>$<encoded>"

so try:


select concat('$1$', <salt> , '$', encrypt(<somepassword>,<salt>));


Please read crypt(2) for more details.

--
________________________________________________________________
Paul Stevens paul at nfg.nl
NET FACILITIES GROUP GPG/PGP: 1024D/11F8CD31
The Netherlands________________________________http://www.nfg.nl


jesse at kci, Nov 12, 2008, 7:59 AM (Post #13 of 17)

Re: Question about passwords

On Wed, 2008-11-12 at 16:52 +0100, Paul J Stevens wrote:
>
> >>> I have imported users from an old vpopmail installation and all
> the
> >>> passwords
> >>> begin with "$1$...".
> >>> If I try
> >>> select md5("password")
> >>>
> >>>
> >>
> >> That means that the passwords are in CRYPT format.
> >>
> >>
> >
> > No, crypt passwords don't begin with "$", just tried...
>
> You are wrong, Jorge is correct.

Well, they're probably both right - crypt() can handle both formats
(md5 hash and DES hash) as long as your (g)libc supports it. But
md5("something") gives you an md5 digest value, which dbmail can use,
but is not what Giulio is needing.

> md5 passwords that begin with $1$ are
> indeed crypt. The format is:
>
> "$1$<salt>$<encoded>"
>
--
Jesse Norell
Kentec Communications, Inc.
jesse [at] kci


auryn at zirakzigil, Nov 12, 2008, 8:44 AM (Post #14 of 17)

Re: Question about passwords

Paul J Stevens wrote:
>>> That means that the passwords are in CRYPT format.
>>>
>>>
>>>
>> No, crypt passwords don't begin with "$", just tried...
>>
>
> You are wrong, Jorge is correct. md5 passwords that begin with $1$ are
> indeed crypt. The format is:
>
> "$1$<salt>$<encoded>"
>
> so try:
>
>
> select concat('$1$', <salt> , '$', encrypt(<somepassword>,<salt>));
>
>

Ok, sorry if I don't get everything right but this is the first time I
try this...

I want to set the password to 'hello' for my account. I set it with
dbmail-users:
dbmail-users -u <myuserid> -p md5-digest -w hello

in dbmail_users I get this password:
5d41402abc4b2a76b9719d911017c592

I can match it with md5('hello') --> no problem


Now I set the password with md5-hash:
dbmail-users -u <myuserid> -p md5-hash -w hello

In the db I get:
$1$cHk47Kk0$TjUIVx0j9o/sZ0kn/IIzD.

which changes every time I set the password to the same value ('hello').

Now let's try to match it...
select concat('$1$', 'cHk47Kk0' , '$', encrypt('hello','cHk47Kk0'));

this results in:
$1$cHk47Kk0$cHKokhNHbWpO2

which is not the same as the password stored.

What am I doing wrong?


jesse at kci, Nov 12, 2008, 9:41 AM (Post #15 of 17)

Re: Question about passwords

On Wed, 2008-11-12 at 17:44 +0100, Giulio Ferro wrote:
>
> select concat('$1$', 'cHk47Kk0' , '$', encrypt('hello','cHk47Kk0'));
>

The salt is the full 12 chars, $1$cHk47Kk0$, and it looks like
encrypt() already prepends it for you:


mysql> select encrypt('hello','$1$cHk47Kk0$');
+------------------------------------+
| encrypt('hello','$1$cHk47Kk0$') |
+------------------------------------+
| $1$cHk47Kk0$TjUIVx0j9o/sZ0kn/IIzD. |
+------------------------------------+
1 row in set (0.02 sec)


--
Jesse Norell
Kentec Communications, Inc.
jesse [at] kci


auryn at zirakzigil, Nov 12, 2008, 9:58 AM (Post #16 of 17)

Re: Question about passwords [SOLVED]

Jesse Norell wrote:
> The salt is the full 12 chars, $1$cHk47Kk0$, and it looks like
> encrypt() already prepends it for you:
>
>
> mysql> select encrypt('hello','$1$cHk47Kk0$');
> +------------------------------------+
> | encrypt('hello','$1$cHk47Kk0$') |
> +------------------------------------+
> | $1$cHk47Kk0$TjUIVx0j9o/sZ0kn/IIzD. |
> +------------------------------------+
> 1 row in set (0.02 sec)
>
>
Thanks, you saved me!


As you showed, the MySQL crypt functions already build the complete
string, so it's not necessary to concat the parts:

select encrypt('password to verify', 'string in passwd from the first $
to the last $ included')

If the check is successful, this yields the whole passwd field in
the dbmail_users table.


jesse at kci, Nov 12, 2008, 10:10 AM (Post #17 of 17)

Re: Question about passwords [SOLVED]

On Wed, 2008-11-12 at 18:58 +0100, Giulio Ferro wrote:
> Jesse Norell wrote:
> > The salt is the full 12 chars, $1$cHk47Kk0$, and it looks like
> > encrypt() already prepends it for you:
> >
> >
> > mysql> select encrypt('hello','$1$cHk47Kk0$');
> > +------------------------------------+
> > | encrypt('hello','$1$cHk47Kk0$') |
> > +------------------------------------+
> > | $1$cHk47Kk0$TjUIVx0j9o/sZ0kn/IIzD. |
> > +------------------------------------+
> > 1 row in set (0.02 sec)
> >
> >
> Thanks, you saved me!
>
>
> As you showed, the mysql crypt functions already build the complete
> string, so
> it's not necessary to concat the parts:
>
> select encrypt('password to verify', 'string in passwd from the first $
> to the last $ included')

And for convenience you can actually use the hash right from the
dbmail_users table without parsing out the salt:


hash;
+------------------------------------+
| hash |
+------------------------------------+
| $1$cHk47Kk0$TjUIVx0j9o/sZ0kn/IIzD. |
+------------------------------------+
1 row in set (0.00 sec)


> This results, if the check is successful, with the whole passwd field in
> the dbmail_users table.

One other consideration is if you want to do the comparison in the
database at all. The way you have it, your plaintext password is passed
to the database, so if your database connection is susceptible to
sniffing, or you ever enable logging of queries and don't have the log
files secured, you can leak that info. The other route is to just
retrieve the hash from the database and compare it locally (in your
perl/php/whatever app).


--
Jesse Norell
Kentec Communications, Inc.
jesse [at] kci
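Pulling the thread together as an added worked example (editorial example code, not DBMail's, vpopmail's or any poster's code): it reimplements the crypt(3) "$1$" MD5 scheme that vpopmail, `dbmail-users -p md5-hash` and MySQL's encrypt() all produce, so that Jesse's closing advice can be followed: fetch only the stored hash by userid and compare locally, never sending the plaintext to the database. It covers the distinction Paul and Jesse drew between the 32-hex-character md5-digest (what `md5('hello')` gives) and the salted `$1$<salt>$<encoded>` hash, and it uses the stored value itself as the salt, exactly as `encrypt('hello', passwd)` did in SQL. Assumptions: the column is called `passwd` as in the thread; the in-memory table and its user names are constructed sample data built from the hashes posted above; traditional DES crypt values (like '/V/VgOrJAelYA') and md5-base64 are rejected rather than verified, since the thread shows no example of the latter.

```python
"""Verify DBMail-style stored passwords locally, without sending the
plaintext to the database.  Added example, not DBMail's code."""
import hashlib
import hmac
import string

_MAGIC = b"$1$"
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    # crypt(3)'s _crypt_to64: emit 6 bits at a time, least significant first
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str) -> str:
    """Reimplementation of the crypt(3) "$1$" (MD5) scheme.

    `salt` may be a bare salt ("cHk47Kk0"), a setting ("$1$cHk47Kk0$") or a
    complete stored hash; as in glibc, only the first 8 characters after a
    leading "$1$" and before the next "$" are used.  The result has the
    "$1$<salt>$<encoded>" shape that vpopmail, `dbmail-users -p md5-hash`
    and MySQL's encrypt() all produce.
    """
    pw = password.encode("utf-8")
    s = salt.encode("utf-8")
    if s.startswith(_MAGIC):
        s = s[len(_MAGIC):]
    s = s.split(b"$", 1)[0][:8]

    ctx = hashlib.md5(pw + _MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:                      # len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):             # the deliberate 1000-round slowdown
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(s)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    out = _MAGIC + s + b"$"
    for a, b, k in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[k], 4)
    out += _to64(final[11], 2)
    return out.decode("ascii")


def verify_password(candidate: str, stored: str) -> bool:
    """Compare `candidate` against a dbmail_users.passwd value.

    "$1$..." is md5-crypt: recompute with the stored value as the salt
    (the local equivalent of `encrypt('hello', passwd) = passwd`).
    32 hex characters is the unsalted digest `dbmail-users -p md5-digest`
    stores (`md5('hello')` in SQL).  Anything else (traditional DES crypt
    such as '/V/VgOrJAelYA', md5-base64) is not handled here and is
    rejected rather than guessed at.
    """
    if stored.startswith("$1$"):
        computed = md5_crypt(candidate, stored)
    elif len(stored) == 32 and all(c in string.hexdigits for c in stored):
        computed = hashlib.md5(candidate.encode("utf-8")).hexdigest()
        stored = stored.lower()
    else:
        return False
    return hmac.compare_digest(computed, stored)   # constant-time compare


# Constructed stand-in for `SELECT passwd FROM dbmail_users WHERE userid = %s`;
# the hashes are the ones posted in the thread, the user names are made up.
SAMPLE_USERS = {
    "alice@example.org": "$1$MXpNvihd$cya2POi/0xyg3eMnEQvkr1",  # vpopmail, 'hello'
    "bob@example.org": "5d41402abc4b2a76b9719d911017c592",      # md5-digest, 'hello'
    "carol@example.org": "/V/VgOrJAelYA",                       # DES crypt, unsupported
}


def authenticate(users: dict, userid: str, candidate: str) -> bool:
    """Only the userid travels to the (stand-in) database; the plaintext
    stays in the application, so query logs or a sniffed connection never
    see it.  Unknown users fail closed."""
    stored = users.get(userid)
    return stored is not None and verify_password(candidate, stored)


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user, authenticate(SAMPLE_USERS, user, "hello"))
```

Giulio's earlier mismatch (`encrypt('hello','cHk47Kk0')` giving a 13-character DES result) is why `md5_crypt` accepts the whole stored string: without the leading `$1$` a crypt() implementation falls back to the traditional DES scheme, and the thread's own fix was to pass the full `$1$cHk47Kk0$` setting. Both md5-crypt and a bare MD5 digest are 2008-era schemes with no work factor to speak of; an application that already verifies locally like this is also in the right place to rehash to a modern scheme on successful login.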
