Linode Forum
https://forum.linode.com/

Authentication problem with postfix/dovecot/mysql install
https://forum.linode.com/viewtopic.php?f=11&t=9649

Author:  alexbrand [ Sat Dec 22, 2012 1:55 pm ]
Post subject:  Authentication problem with postfix/dovecot/mysql install

I installed postfix and dovecot on my ubuntu 12.04 following the guide at http://library.linode.com/email/postfix/dovecot-mysql-ubuntu-10.04-lucid

I then installed roundcube, and when testing it out, I realized that I misspelled the last character of the password. To my surprise, I was logged in.

I decided to further test this problem and it seems that anything after the 8th character is being ignored.

I created an account using:

Code:
insert into users(email, password) values ('test@example.com', ENCRYPT('password123'));


and was able to log into the account using password: password

Then I created a second account (I thought that maybe the numbers were being ignored)

Code:
insert into users(email, password) values ('test@example.com', ENCRYPT('p1ssword123'));


I tried logging in with password => password and it didn't work.

But I was, again, able to log in with the password => p1ssword and password => p1sswordFOO

Any help would be appreciated to fix this security issue

Author:  pclissold [ Sun Dec 23, 2012 10:30 am ]
Post subject:  Re: Authentication problem with postfix/dovecot/mysql install

MySQL uses the underlying system crypt() function. Man page says only the first eight characters are used. No easy fix.

Author:  caker [ Sun Dec 23, 2012 10:41 am ]
Post subject:  Re: Authentication problem with postfix/dovecot/mysql install

ENCRYPT('cleartextpassword', '$5$random16charsalt'). $5$ would get you sha-256, for example.

-Chris

Author:  sweh [ Sun Dec 23, 2012 11:25 am ]
Post subject:  Re: Authentication problem with postfix/dovecot/mysql install

pclissold wrote:
MySQL uses the underlying system crypt() function. Man page says only the first eight characters are used. No easy fix.

You should read further

Code:
NOTES
   Glibc Notes
       The glibc2 version of  this  function  supports  additional  encryption
       algorithms.

       If  salt is a character string starting with the characters "$id$" fol-
       lowed by a string terminated by "$":

              $id$salt$encrypted
....
              ID  | Method
              ---------------------------------------------------------
              1   | MD5
              2a  | Blowfish (not in mainline glibc; added in some
                  | Linux distributions)
              5   | SHA-256 (since glibc 2.7)
              6   | SHA-512 (since glibc 2.7)
....
       The  characters  in  "salt"  and  "encrypted"  are  drawn  from the set
       [a-zA-Z0-9./].  In the MD5 and SHA implementations the  entire  key  is
       significant (instead of only the first 8 bytes in DES).


It's really only the default legacy crypt DES algorithm that's limited to 8 characters.
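The behaviour sweh and caker describe, as an added Python example (not code from the thread or from Linode's guide): it calls the same system crypt(3) that MySQL's ENCRYPT() wraps, shows the 8-character DES truncation from the first post, and generates a '$5$' salt so the whole password becomes significant. It assumes a glibc/libxcrypt crypt(3) that still accepts the legacy two-character DES salt, and either Python's crypt module or a libcrypt that ctypes can load.

```python
import secrets
import string

try:                         # the stdlib crypt module is gone in Python 3.13+
    import crypt as _crypt
    def crypt3(password: str, salt: str) -> str:
        return _crypt.crypt(password, salt)
except ImportError:          # fall back to crypt(3) from libcrypt through ctypes
    import ctypes
    import ctypes.util
    _lib = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
    _lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    _lib.crypt.restype = ctypes.c_char_p
    def crypt3(password: str, salt: str) -> str:
        out = _lib.crypt(password.encode(), salt.encode())
        if out is None:
            raise ValueError("crypt(3) rejected salt %r" % salt)
        return out.decode()

SALT_CHARS = string.ascii_letters + string.digits + "./"  # the [a-zA-Z0-9./] set from the man page

def sha256_salt(length: int = 16) -> str:
    """Random salt in the glibc '$5$random16charsalt' form caker suggests."""
    return "$5$" + "".join(secrets.choice(SALT_CHARS) for _ in range(length))

def same_hash(a: str, b: str, salt: str) -> bool:
    """True when crypt(3) maps two different passwords to one hash under this salt."""
    return crypt3(a, salt) == crypt3(b, salt)

def verify(password: str, stored_hash: str) -> bool:
    """Check a login the way a CRYPT-scheme verifier does: rehash using the stored
    hash as the salt (crypt(3) reads the '$5$salt$' prefix) and compare."""
    return crypt3(password, stored_hash) == stored_hash

def reproduce(des_salt: str = "ab") -> dict:
    """Replay the thread's scenario with a 2-char DES salt versus a '$5$' salt."""
    salt = sha256_salt()
    stored = crypt3("p1ssword123", salt)          # what ENCRYPT('p1ssword123', salt) stores
    return {
        "des_collision": same_hash("password123", "password", des_salt),   # the bug: True
        "sha256_collision": same_hash("password123", "password", salt),    # False
        "full_password_ok": verify("p1ssword123", stored),                 # True
        "truncated_rejected": not verify("p1ssword", stored),              # True
        "suffix_changed_rejected": not verify("p1sswordFOO", stored),      # True
    }

if __name__ == "__main__":
    for check, result in reproduce().items():
        print(f"{check:25s} {result}")
```

Rows already stored in the 13-character DES form cannot be converted in place, since the hash does not contain the password; each user has to set a new password so that ENCRYPT() with the '$5$' salt stores the longer form.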
