On Fri, May 7, 2010 at 15:11, Pascal Volk <user+dove...@localhost.localdomain.org> wrote:
> On 05/07/2010 08:16 PM Phil Howard wrote:
> > I've decided that having users supply cleartext passwords for me to encrypt
> > and encode is a bad idea, anyway. So maybe I won't need dovecotpw. The
> > idea is that users supply an already-encrypted password. Most of the users
> > can fetch their login password from /etc/shadow on their own computer.
> >
> > Wiki page http://wiki.dovecot.org/Authentication/PasswordSchemes indicates
> > that scheme name CRYPT is the one that uses the libc crypt() function. But
> > it also says it uses no more than 8 characters. Then there is MD5-CRYPT.
> > But that doesn't call crypt(), I presume. No limit on password size is
> > indicated. But this at least looks like SOME of the encrypted passwords I
> > have.
> >
> > Other passwords I have have ids indicating SHA-256 and SHA-512. Here is an
> > example from /etc/shadow that encrypted the clear password
> > "dovecotandpostfix" (in case it is necessary to test it):
> >
> > $6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1
> >
> > The big question is, what scheme name should I use for these passwords? I
> > can, of course, consider the id (6 in the above example, suggesting SHA-512)
> > if there is one (so far all are like this). But the other consideration is
> > most of the passwords are longer than 8, some longer than 12, characters.
> > So apparently CRYPT can't be used in those cases (so I can't have the
> > automatic identification of crypt() to detect the scheme).
> >
> > What scheme would I use for the various passwords? What scheme would be
> > used for the above example for starters? What if the id is 5 or 1 (the ones
> > documented for the crypt() call)?
>
> {CRYPT}, for SHA-256 and SHA-512. If your {,g}libc supports it, Dovecot
> can use it.

OK, I looked in the source code and I cannot find any 8 character limit.
So I'm now guessing that the documentation was really referring to the legacy algorithm in crypt(), instead of the CRYPT scheme interface to it in Dovecot.
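
The thread's conclusion, as an added example that is not part of the original messages or of Dovecot's code: a check that reads the crypt() id from a user-supplied /etc/shadow field, labels modular hashes with `{CRYPT}`, and rejects legacy DES hashes, the only form where just 8 characters are used. The function names, the user name `phil`, the `user:{SCHEME}hash` output layout and the DES sample are assumptions made for illustration.

```python
import re

# crypt() ids mentioned in the thread and the algorithm each one selects.
CRYPT_IDS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}
B64 = r"[./0-9A-Za-z]"  # alphabet used for crypt() salts and digests
MODULAR = re.compile(rf"^\$(\w+)\$(?:rounds=(\d+)\$)?({B64}{{1,16}})\$({B64}+)$")
LEGACY_DES = re.compile(rf"^{B64}{{13}}$")  # 2 salt chars + 11 digest chars

# Hash quoted in the thread (cleartext given there as "dovecotandpostfix").
THREAD_HASH = ("$6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aah"
               "ICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1")
DES_SAMPLE = "abJnggxhB/yWI"  # constructed value, legacy DES shape only


def classify(hash_field):
    """Return (algorithm, truncates_at_8) for one shadow password field."""
    if not hash_field or hash_field[0] in "!*":
        raise ValueError("locked or empty account, no usable hash")
    m = MODULAR.match(hash_field)
    if m:
        algo = CRYPT_IDS.get(m.group(1))
        if algo is None:
            raise ValueError(f"unrecognised crypt id {m.group(1)!r}")
        return algo, False
    if LEGACY_DES.match(hash_field):
        # Traditional DES crypt() ignores everything past the 8th character.
        return "DES", True
    raise ValueError("not a crypt() hash")


def to_dovecot(user, hash_field):
    """Build a 'user:{CRYPT}hash' entry (assumed layout), refusing DES."""
    algo, truncates = classify(hash_field)
    if truncates:
        raise ValueError(f"{user}: legacy DES hash, only 8 characters checked")
    return f"{user}:{{CRYPT}}{hash_field}"


if __name__ == "__main__":
    print(classify(THREAD_HASH))
    print(to_dovecot("phil", THREAD_HASH))
```

Whether `{CRYPT}` then verifies a `$5$` or `$6$` hash still depends on the server's libc supporting it, as the quoted reply says.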