Hello Boyan,

  Right off, let me assure you I'm not terribly familiar with
cryptography, especially from programming APIs, etc., so after
looking over your patch, I need an explanation.  :)  I agree
with you about choosing sensible and IC&S-approved values for
encryption_type, and will be happy to re-write our stuff if it
needs done.  Now for my explanation:  it looks like your patch
still uses crypt(passwd,salt) for the authentication, in:

        strcpy(cryptres, (char *) crypt(password, cryptpass));

So - by linking libcrypto instead of libcrypt, that function
automagically handles md5 hashes?  If that is the case, does
that make using mixed 'md5' and 'crypt' encryption_type's
impossible on the same system, or does the new crypt() know
how to handle both (e.g. because the former's salts always start
with $1$)?  And if the latter is true, is there any real difference
using your patch vs. the distributed code with 'crypt' as the
encryption_type and just save an md5 hash in the passwd, other than
the trace messages (i.e. link libcrypto instead of libcrypt)?

  Would you want to make your changes to dbauthpgsql.c and add
support for dbmail-adduser to use/create those encryption hashes?

  Also, out of curiosity, do you know why an md5 checksum would
not be recommended for a password?  Aside from dictionary lookup
attacks if you get the hash, is it any less secure than an md5
"hash"?  (RFC 1321 says "It is conjectured that it is computationally
infeasible to produce two messages having the same message digest, or
to produce any message having a given prespecified target message
digest.")  I was just wondering, because I (erroneously?) thought
we were doing the Right Thing(tm) by using md5 digests to save
password hashes (not to mention that's what you get by calling md5()
in php, perl, mysql and postgres).

Thanks,
Jesse



---- Original Message ----
From: Boyan Alexiev <dbmail@dbmail.org>
To: Blake <dbmail@dbmail.org>
Subject: [Dbmail] [Dbmail 1.0] MD5 salted hashes patch
Sent: Sat, 22 Feb 2003 02:03:29 +0200

> Hi Blake,
> 
> here is the md5 hash patch (hope the diff works :)
> Let me know if any of you have suggestions/remarks.
> 
> Best regards,
> Bobby
> [EMAIL PROTECTED]
> 
> on Saturday, February 22, 2003, 1:47:01 AM, Blake wrote:
> B> Please do post diffs/patches!
> 
> B> Boyan Alexiev wrote:
> >> ...
> >> Just let me know and I will post the code right away.
> >>
> >> Best regards,
> >> Bobby
> >> [EMAIL PROTECTED]
> >> 
> 
-- End Original Message --


--
Jesse Norell
[EMAIL PROTECTED]
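
Added example (not part of the original message or of the DBMail code): a Python sketch of the two stored formats discussed above, a bare MD5 hex digest and the salted "$1$" MD5-based crypt format, with a verifier that picks the scheme from the stored value. The helper names, sample accounts and passwords are constructed for illustration.

```python
import hashlib, hmac, re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(pw: bytes, salt: bytes) -> str:
    """MD5-based crypt (the "$1$" format); the salt is at most 8 bytes."""
    salt = salt[:8]
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    for n in range(len(pw), 0, -16):        # mix in alt, one byte per password byte
        ctx.update(alt[:min(16, n)])
    i = len(pw)
    while i:                                # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed 1000 rounds of re-hashing
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in
              ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    out = ""
    for v, n in groups + [(final[11], 2)]:  # crypt's own base-64 alphabet
        for _ in range(n):
            out += ITOA64[v & 0x3F]
            v >>= 6
    return "$1$" + salt.decode() + "$" + out

def verify(password: str, stored: str) -> bool:
    """Choose the scheme from the stored value itself (hypothetical helper)."""
    pw = password.encode()
    if stored.startswith("$1$"):            # salted MD5 crypt: salt is in the hash
        candidate = md5_crypt(pw, stored[3:].split("$", 1)[0].encode())
    elif re.fullmatch(r"[0-9a-f]{32}", stored):   # bare md5() hex digest
        candidate = hashlib.md5(pw).hexdigest()
    else:
        return False                        # DES crypt etc. not handled here
    return hmac.compare_digest(candidate.encode(), stored.encode())

def same_password_two_users(password: bytes = b"password"):
    """Constructed sample: two accounts that share one password."""
    bare = [hashlib.md5(password).hexdigest() for _ in ("alice", "bob")]
    salted = [md5_crypt(password, s) for s in (b"xxxxxxxx", b"yyyyyyyy")]
    return bare, salted
```

The two bare digests returned by same_password_two_users() are identical, so one precomputed dictionary entry matches every account with that password, while the two salted values differ and each carries its own salt after the "$1$" prefix.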
