Re: [Postfixadmin-devel] Dovecot + Postfixadmin + doveadm pw
From: Rudi F. <rud...@go...> - 2012-04-06 15:27:04
As I mentioned some time ago, we shouldn't use a pipe. A better way is to adapt the dovecot pw crypt methods to PHP and write a small PHP library.

On 06.04.2012 17:29, Patrick Herrmann wrote:
> Hi,
>
> I have hacked the pacrypt function in functions.inc.php to support
> "dovecot pw" password verification (quick'n dirty).
>
> I decided to use "dovecot pw -t" to simplify the process of verifying a
> given password. My changes also don't break generating of new passwords.
>
> For this, I adapted a forum's post (don't know where I found it, but it's
> somewhere in the postfix forum). In this post it was also mentioned that
> it may not work with dovecot versions between 2.0.6 and 2.0.8, I think.
>
> The ugly code is listed below (I have stripped unchanged stuff though).
>
> Do you think there are any security-relevant issues which may arise
> because of this hack?
>
> Thanks,
> Patrick
>
> (Dovecot version 2.1, Postfixadmin version 2.3.5)
>
> ----------
> function pacrypt ($pw, $pw_db="")
> {
> [...]
>     // dovecot uses salts and has its own method to validate passwords, so use
>     // it
>     if(empty($pw_db)) {
>         $pipe = proc_open("$dovecotpw '-s' $method", $spec, $pipes);
>
>         if (!$pipe) {
>             die("can't proc_open $dovecotpw");
>         } else {
>             [...]
>             // get rid of "\n"
>             $password = substr($password, 0, strlen($password));
>             [...]
>
>     // if $pw_db is given assume that a password has to be verified, do
>     // that here
>     } else {
>         // use "doveadm pw" to verify a given password (don't have to deal
>         // with salt and stuff)
>         $pipe = proc_open("$dovecotpw '-s' $method '-t' $pw_db", $spec,
>             $pipes);
>
>         if(!$pipe) {
>             die("can't proc_open $dovecotpw");
>         } else {
>             // only one write is needed here
>             fwrite($pipes[0], $pw . "\n", 1+strlen($pw)); usleep(1000);
>             fclose($pipes[0]);
>         }
>
>         $password = fread($pipes[1], "200");
>
>         // strip the verified suffix (if any, else it's garbage)
>         $password = substr($password, 0,
>             strlen($password) - strlen(" (verified)") - 1);
>     }
>
>     fclose($pipes[1]);
>     fclose($pipes[2]);
>     proc_close($pipe);
>
>     // Do not strip the method prefix
>     $password = trim(str_replace('{' . $method . '}', '', $password));
>     $password = trim($password);
> }
> [...]