[Vmail-discuss] migrating MD5 hash used in /etc/shadow to vmail-sql

Paul Warren pdw@xxxxxxxxxxxxx
Fri, 18 May 2001 11:48:15 +0100

On Fri, May 18, 2001 at 11:37:08AM +0100, Chris Lightfoot wrote:
> > Possibly.  I think that implementing a straight "use the system crypt()"
> > is a useful thing to do.  It just means that people who don't have smart
> > crypt()s won't be able to cut and paste directly from /etc/shadow
> > (assuming that shadow is using something other than system crypt())
> On the argument that crypt_md5 passwords are superior to
> ours, we should make them available everywhere :)

What do you mean by "ours" ?  Our straight MD5 passwords?  If so, why
are they better?

> > OK.  The libc info page is the only page I have found that documents
> > what a valid salt is if you want MD5 passwords.
> I expect the code does too, though I haven't checked in
> detail :)

Seems likely.

> > > > and anything produced by crypt() is stored as:
> > > > 
> > > >     {crypt}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > > 
> > > ... with the proviso that on non-Linux systems we'll need
> > > to look for {crypt}$1$...$.
> > 
> > Why?  IMHO, if it starts {crypt} we just chuck it at crypt().
> No, the way magic smart crypt works is to use the $1$ as a
> magic number, so on non-Linux systems we need to check for
> this explicitly.

Yeah.  My point was that if a password is prefixed with {crypt} it
should mean "this password was created by and can be checked with the
system crypt()".  So we really don't care what comes after the {crypt},
we just chuck it at crypt().  If it happens that the password is MD5
crypt'ed rather than UNIX-crappy-crypted then all the better.  Doing
this means that people on crummy UNIX systems that still haven't
developed shadow passwords and better crypt() functions can cut and
paste passwords from /etc/passwd.

We may also want to implement a {crypt-md5}...

> > Excellent.  I believe this needs to go in:
> > 
> > tpop3d
> > VE-passwd
> > cgi-bin/setpasswd (or whatever it's called)
> > 
> > I'll do the Perl if you don't beat me to it (I'm pretty busy this w/e)
> OK. Dunno when I'll get round to that, but I'll probably
> do the tpop3d stuff this pm.