[tpop3d-discuss] auth-flatfile md5 hash incorrect length

Mike Pinkerton pse at mindspring.com
Wed, 11 Aug 2004 14:11:52 -0400


I am having problems getting auth-flatfile authentication working.

I am running Fedora Core 2 on a remote dedicated server -- 
configuration details are at the end of this message.  I am trying to 
set up auth-flatfile for about 8 virtual mail domains, each with only 
a handful of users.

My goal is to write a simple bash script to facilitate password 
maintenance.  Yes, I know there are some Perl scripts about, but I 
would like to be able to do this in bash.  :-)

I set up a test account in one domain -- mike@advomation.com -- and 
used the following command to create an MD5 hashed password:

openssl passwd -1 -salt pigflies password

Yes, I know that my salt is not particularly random, but I'm just 
trying to debug my set-up.  No, that's not the real password.  I 
chose md5 rather than crypt because crypt (at least in the openssl 
implementation) insisted on truncating passwords longer than 8 
characters, which sort of defeats the purpose of longer passwords.

Having seen a message in this list's archives from Paul Makepeace 
regarding the format tpop3d expects of the authentication flatfile 
(notwithstanding the inconsistent description in the tpop3d.conf man 
page), I wrote the following entry into my auth-flatfile password 
file:

mike@advomation.com:{md5}$1$pigflies$I3P9Sz4rq9LFw3zE/M1nr1:5000:5000:Mike Pinkerton:/var/spool/mail/vhosts/advomation.com/mike:/sbin/nologin

I figured that if I need to have all those colons to keep tpop3d 
happy, I might as well keep track of mail spools with them.  The uid 
and gid are Postfix's recommended values for the mailboxes it writes.

I started tpop3d with the following command:

tpop3d -f /etc/tpop3d.d/tpop3d.conf -p /var/run/tpop3d.pid -dv > /tmp/tpop3d.debug 2>&1

The full standard error output is at the end of this message (except 
that I munged the password in the "log bad passwords" line -- the 
password that it reported as being used was the correct password for 
this test account).

The line in the standard error output that strikes me is:

password: [mike@advomation.com; mike@advomation.com] has password type md5, but hash is of incorrect length

What length does tpop expect the hash to be?  If openssl doesn't 
create acceptable md5 password hashes, what command line tool does?

Any help figuring out what I'm doing wrong would be appreciated.


*****  Configuration details  *****

Linux 2.6.6-1.435.2.3 i686 i386

openssl 0.9.7a (from Fedora Core RPMs)

Postfix 2.0.18-4 (from Fedora Core RPMs)

tpop3d 1.5.3 (from tarball)

Available authentication drivers:

   auth-flatfile    Uses /etc/passwd-style flat files

Available mailbox drivers:

   bsd              BSD (`Unix') mailspool, with index saving support
   empty            Empty mailbox

Enabled features:

   Mass virtual hosting
   Suppress C-client metadata
   TLS


*****  Standard error output  *****

experimental BSD mailbox metadata cache enabled
parse_listeners: listening on address 66.132.146.110:110; TLS mode STLS
parse_listeners: listening on address 66.132.146.110:995; TLS mode immediate
/etc/tpop3d.d/tpop3d.conf: I hope you realise that use of the log-bad-passwords option is an invasion of privacy
1 authentication drivers successfully loaded
net_loop: tpop3d version 1.5.3 successfully started
connection_sendresponse: client [6]66.245.111.103/postal.advomation.com: sent `+OK <acf80d227c74d6a26b8ced73709cfba5@postal.advomation.com>'
listeners_post_select: client [6]66.245.111.103/postal.advomation.com: connected to local address 66.132.146.110:995
ioabs_tls_post_select: client [6]66.245.111.103/postal.advomation.com: SSL_accept: tlsv1 alert unknown ca; closing connection
connections_post_select: client [6]66.245.111.103/postal.advomation.com: disconnected; 0/0 bytes read/written
connection_sendresponse: client [6]66.245.111.103/postal.advomation.com: sent `+OK <5cab011e6709b40f8f075cc6029fb129@postal.advomation.com>'
listeners_post_select: client [6]66.245.111.103/postal.advomation.com: connected to local address 66.132.146.110:995
connection_parsecommand: client [6]66.245.111.103/postal.advomation.com: received `APOP mike@advomation.com 0d8be184620fe8be6ff987234495f35f'
password: attempted APOP login by [mike@advomation.com; mike@advomation.com], who does not have a plaintext password
auth_flatfile_new_apop: failed login for [mike@advomation.com; mike@advomation.com]
connection_sendresponse: client [6]66.245.111.103/postal.advomation.com: sent `-ERR Lies! Try again!'
connection_do: client `[6]66.245.111.103/postal.advomation.com': username `mike@advomation.com': 1 authentication failures
connection_parsecommand: client [6]66.245.111.103/postal.advomation.com: received `USER mike@advomation.com'
connection_sendresponse: client [6]66.245.111.103/postal.advomation.com: sent `+OK Tell me your password.'
connection_parsecommand: client [6]66.245.111.103/postal.advomation.com: received `PASS [...]'
authcache_new_user_pass: no entry for [mike@advomation.com; mike@advomation.com]
password: [mike@advomation.com; mike@advomation.com] has password type md5, but hash is of incorrect length
auth_flatfile_new_user_pass: failed login for [mike@advomation.com; mike@advomation.com]
connection_do: client `[6]66.245.111.103/postal.advomation.com': username `mike@advomation.com': failing password is `XXXXXXXXX'
connection_sendresponse: client [6]66.245.111.103/postal.advomation.com: sent `-ERR Lies! Try again!'
connection_do: client `[6]66.245.111.103/postal.advomation.com': username `mike@advomation.com': 2 authentication failures
connection_parsecommand: client [6]66.245.111.103/postal.advomation.com: received `QUIT'
connection_sendresponse: client [6]66.245.111.103/postal.advomation.com: sent `+OK Fine. Be that way.'
ioabs_tls_shutdown: client [6]66.245.111.103/postal.advomation.com: underlying connection closed by peer during shutdown
connections_post_select: client [6]66.245.111.103/postal.advomation.com: disconnected; 107/160 bytes read/written

-- 
Mike Pinkerton
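
An added example, not part of the original message and not tpop3d code: a POSIX shell check that reports the shape and length of the hash field in each flatfile entry, showing that the string produced by `openssl passwd -1` is a 34-character `$1$salt$digest` crypt string rather than a bare MD5 digest. The function names and the two extra sample entries are constructed for illustration; which shapes tpop3d accepts under each `{scheme}` prefix is not stated in the message and has to be checked against its documentation.

```sh
#!/bin/sh
# Added example (not from the post): report the shape of each password hash
# in an auth-flatfile style file so a scheme/format mismatch is visible.
LC_ALL=C; export LC_ALL

# hash_shape HASH -> md5-crypt | md5-hex | md5-base64 | unknown
hash_shape() {
    h=$1
    case $h in
    \$1\$*\$*)                     # $1$<salt>$<digest>, the MD5-crypt layout
        rest=${h#\$1\$}; salt=${rest%%\$*}; digest=${rest#*\$}
        case $digest in *[!./0-9A-Za-z]*) echo unknown; return 0 ;; esac
        if [ "${#salt}" -ge 1 ] && [ "${#salt}" -le 8 ] && [ "${#digest}" -eq 22 ]
        then echo md5-crypt; else echo unknown; fi ;;
    *[!0-9A-Za-z+/=]*)
        echo unknown ;;
    *)
        body=${h%==}               # strip base64 padding if present
        if [ "${#h}" -eq 32 ]; then
            case $h in *[!0-9A-Fa-f]*) echo unknown ;; *) echo md5-hex ;; esac
        elif [ "${#h}" -eq 24 ] && [ "${#body}" -eq 22 ]; then
            case $body in *=*) echo unknown ;; *) echo md5-base64 ;; esac
        else
            echo unknown
        fi ;;
    esac
}

# lint_entry LINE -> "<user> <scheme> <shape> <hash length>"
lint_entry() {
    line=$1
    user=${line%%:*}
    field=${line#*:}; field=${field%%:*}        # second colon-separated field
    case $field in
    \{*\}*) scheme=${field#\{}; scheme=${scheme%%\}*}; hash=${field#*\}} ;;
    *)      scheme=none; hash=$field ;;
    esac
    echo "$user $scheme $(hash_shape "$hash") ${#hash}"
}

# Constructed sample file: the first entry is the one quoted in the post; the
# other two are made-up users carrying bare MD5 digests (hex and base64).
sample() {
cat <<'EOF'
mike@advomation.com:{md5}$1$pigflies$I3P9Sz4rq9LFw3zE/M1nr1:5000:5000:Mike Pinkerton:/var/spool/mail/vhosts/advomation.com/mike:/sbin/nologin
alice@example.test:{md5}5f4dcc3b5aa765d61d8327deb882cf99:5000:5000:::
bob@example.test:{md5}X03MO1qnZdYdgyfeuILPmQ==:5000:5000:::
EOF
}
sample | while IFS= read -r entry; do lint_entry "$entry"; done
```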