Roundcube Community Forum

Third Party Contributions => API Based Plugins => Topic started by: AndyBCN on April 04, 2018, 01:08:31 PM

Title: Password plugin MD5 format
Post by: AndyBCN on April 04, 2018, 01:08:31 PM
Hi all!

I have a small issue using the password plugin in my environment with the SQL backend and MySQL. Password plugin version is 4.2. Basically, the issue is that I'm trying to store the passwords as MD5; normally the password is stored as a 32-character string, but the password plugin is setting the value as a 24-character string. This works OK for Dovecot auth, but I also require Exim auth, which breaks. Can I get the password plugin to use 32-character strings? My current password plugin config is:

Code:
$config['password_algorithm'] = 'md5';
$config['password_query'] = 'UPDATE popbox SET password_hash=%P where local_part=%l and domain_name =%d';
$config['password_crypt_hash'] = 'md5';
$config['password_idn_ascii'] = false;
$config['password_hash_algorithm'] = 'sha1';
$config['password_hash_base64'] = false;

I've also tried setting the password_hash value as "%n", but that creates a 40-character string with no {md5} prefix, and also with base64 set to true for both %n and %P, but no joy.

thanks! Andy.

PS also tried %c
Title: Re: Password plugin MD5 format
Post by: SKaero on April 04, 2018, 03:09:02 PM
Well, first I have to point out that what you're doing is very insecure; MD5 is long past being secure and is easily broken. I think what you want is 'UPDATE popbox SET password_hash=md5(%p) where local_part=%l and domain_name =%d'. If you need the {md5} prefix, then you can add it before the md5 function.
Title: Re: Password plugin MD5 format
Post by: AndyBCN on April 05, 2018, 02:45:41 AM
Thanks very much, I did need the prefix so this is working for me:

password_hash=CONCAT("{md5}",md5(%p))

I appreciate MD5 is insecure, but it's in the same boat as the shadow passwords on many UNIX and Linux systems; it's only a problem if someone hacks the server. Communications are all TLS.

thanks, Andy.

PS: although, yes, thanks for the nudge, I should look to update the hash format.
Title: Re: Password plugin MD5 format
Post by: SKaero on April 05, 2018, 03:49:10 AM
You can change what the shadow file is using as well; to my knowledge, no Unix system has shipped with MD5 out of the box for a very long time.
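
The 24-, 32- and 40-character values discussed in this thread, as an added example that is not part of the original posts or of the password plugin: a 16-byte MD5 digest is 32 characters in hex and 24 in base64, and a SHA-1 digest is 40 characters in hex. The sketch assumes the 24-character value is base64 of the raw MD5 digest; the function names and the sample password are constructed for illustration.

```python
import base64
import binascii
import hashlib

PREFIX = "{md5}"  # prefix used in the thread's final query
HEX_DIGITS = set("0123456789abcdefABCDEF")

def encodings(password: str) -> dict:
    """Encodings of one password whose lengths match those seen in the thread."""
    raw = password.encode("utf-8")
    md5 = hashlib.md5(raw).digest()  # 16 raw bytes
    return {
        "md5_hex": md5.hex(),                          # 32 characters
        "md5_base64": base64.b64encode(md5).decode(),  # 24 characters
        "sha1_hex": hashlib.sha1(raw).hexdigest(),     # 40 characters
    }

def _body(stored: str) -> str:
    """Strip a leading {md5}/{MD5} prefix if present."""
    return stored[len(PREFIX):] if stored.lower().startswith(PREFIX) else stored

def classify(stored: str) -> str:
    """Guess the encoding of a stored value from its length and alphabet."""
    body = _body(stored)
    is_hex = bool(body) and set(body) <= HEX_DIGITS
    if is_hex and len(body) == 32:
        return "md5_hex"
    if is_hex and len(body) == 40:
        return "sha1_hex"
    if len(body) == 24 and body.endswith("=="):
        try:
            if len(base64.b64decode(body, validate=True)) == 16:
                return "md5_base64"
        except binascii.Error:
            pass
    return "unknown"

def to_prefixed_hex(stored: str) -> str:
    """Re-encode a stored MD5 value as {md5}+hex; the password is not needed."""
    kind, body = classify(stored), _body(stored)
    if kind == "md5_hex":
        return PREFIX + body.lower()
    if kind == "md5_base64":
        return PREFIX + base64.b64decode(body, validate=True).hex()
    raise ValueError(f"cannot convert a value classified as {kind}")

if __name__ == "__main__":
    sample = encodings("password")  # constructed sample input
    for name, value in sample.items():
        print(f"{name:11} {len(value):2} {value}")
    print(to_prefixed_hex(PREFIX + sample["md5_base64"]))
```

Because base64 and hex are two encodings of the same digest, existing 24-character rows can be re-encoded in place without asking users to reset their passwords.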