Thread: [Postfixadmin-devel] Dovecot + Postfixadmin + doveadm pw
From: Patrick H. <Pat...@gm...> - 2012-04-06 15:24:57
Hi,

I have hacked the pacrypt function in functions.inc.php to support "dovecot pw" password verification (quick'n dirty).

I decided to use "dovecot pw -t" to simplify the process of verifying a given password. My changes also don't break generating of new passwords.

For this, I adapted a forum's post (don't know where I found it, but it's somewhere in the postfix forum). In this post it was also mentioned that it may not work with dovecot versions between 2.0.6 and 2.0.8, I think.

The ugly code is listed below (I have stripped unchanged stuff though).

Do you think there are any security relevant issues which may arise because of this hack?

Thanks,
Patrick

(Dovecot version 2.1, Postfixadmin version 2.3.5)

----------
function pacrypt ($pw, $pw_db="")
{
[...]
        // dovecot uses salts and has its own method to validate password, so use
        // it
        if(empty($pw_db)) {
            $pipe = proc_open("$dovecotpw '-s' $method", $spec, $pipes);

            if (!$pipe) {
                die("can't proc_open $dovecotpw");
            } else {
[...]
            // get rid of "\n"
            $password = substr($password, 0, strlen($password));
[...]

        // if $pw_db is given assume that a password has to be verified, do
        // that here
        } else {
            // use "doveadm pw" to verify a given password (don't have to deal
            // with salt and stuff
            $pipe = proc_open("$dovecotpw '-s' $method '-t' $pw_db", $spec, $pipes);

            if(!$pipe) {
                die("can't proc_open $dovecotpw");
            } else {
                // only one write is needed here
                fwrite($pipes[0], $pw . "\n", 1+strlen($pw)); usleep(1000);
                fclose($pipes[0]);
            }

            $password = fread($pipes[1], "200");

            // strip the verified suffix (if any, else it's garbage)
            $password = substr($password, 0, strlen($password) - strlen(" (verified)") - 1);
        }

        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($pipe);

        // Do not strip the method prefix
        $password = trim(str_replace('{' . $method . '}', '', $password));
        $password = trim($password);
    }
[...]
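Added example, not part of Patrick's post and not Postfixadmin code: the verification branch above interpolates $method and $pw_db into a shell command line, so the function below runs the same "doveadm pw -t" check without a shell and fails closed. The function name, the binary path, the scheme allow-list and the exit status 0 on a match are assumptions; the array form of proc_open needs PHP 7.4 or later.

```php
<?php
// Added example, not Postfixadmin code. dovecot_verify() and the default
// binary path are hypothetical; $pw, $pw_db and $method mirror the post.
function dovecot_verify(string $pw, string $pw_db, string $method,
                        string $doveadm = '/usr/bin/doveadm'): bool
{
    // Allow-list chosen for this example: scheme names such as SHA512-CRYPT.
    if (preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]*$/', $method) !== 1) {
        return false;
    }
    // A newline in $pw would end the stdin line early; NUL cannot go in argv.
    if ($pw_db === '' || preg_match('/[\r\n\x00]/', $pw . $pw_db) === 1) {
        return false;
    }

    // Array form (PHP >= 7.4): argv is handed to the program directly, no
    // /bin/sh in between, so "$", ";" or backticks in the stored hash are
    // plain bytes. A crypt-style hash such as $6$salt$... survives intact.
    $cmd  = [$doveadm, 'pw', '-s', $method, '-t', $pw_db];
    $spec = [
        0 => ['pipe', 'r'],               // plaintext password goes in here
        1 => ['pipe', 'w'],               // "{SCHEME}hash (verified)" comes out
        2 => ['file', '/dev/null', 'w'],  // stderr is discarded
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("can't proc_open $doveadm");
    }

    fwrite($pipes[0], $pw . "\n");         // one write, as in the post
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]); // read to EOF, no fixed 200 bytes
    fclose($pipes[1]);
    $exit = proc_close($proc);

    // Fail closed: require a clean exit (assumed to be 0 on a match) and the
    // " (verified)" marker at the end of the output.
    $marker = ' (verified)';
    return $exit === 0
        && is_string($out)
        && substr(rtrim($out), -strlen($marker)) === $marker;
}
```

The stored hash is still passed in argv, so it is visible in the host's process list while the call runs; the plaintext password is not.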
From: Rudi F. <rud...@go...> - 2012-04-06 15:27:04
Attachments:
rudi_floren.vcf
As I mentioned times ago, we shouldn't use a pipe.
A better way is to adapt the dovecot pw crypt methods to php and write a small php library.

On 06.04.2012 17:29, Patrick Herrmann wrote:
> Hi,
>
> I have hacked the pacrypt function in functions.inc.php to support
> "dovecot pw" password verification (quick'n dirty).
>
> I decided to use "dovecot pw -t" to simplify the process of verifying a
> given password. My changes also don't break generating of new passwords.
>
> For this, I adapted a forum's post (don't know where I found it, but it's
> somewhere in the postfix forum). In this post it was also mentioned that
> it may not work with dovecot versions between 2.0.6 and 2.0.8, I think.
>
> The ugly code is listed below (I have stripped unchanged stuff though).
>
> Do you think there are any security relevant issues which may arise
> because of this hack?
>
> Thanks,
> Patrick
>
> (Dovecot version 2.1, Postfixadmin version 2.3.5)
>
> ----------
> function pacrypt ($pw, $pw_db="")
> {
> [...]
>         // dovecot uses salts and has its own method to validate password, so use
>         // it
>         if(empty($pw_db)) {
>             $pipe = proc_open("$dovecotpw '-s' $method", $spec, $pipes);
>
>             if (!$pipe) {
>                 die("can't proc_open $dovecotpw");
>             } else {
> [...]
>             // get rid of "\n"
>             $password = substr($password, 0, strlen($password));
> [...]
>
>         // if $pw_db is given assume that a password has to be verified, do
>         // that here
>         } else {
>             // use "doveadm pw" to verify a given password (don't have to deal
>             // with salt and stuff
>             $pipe = proc_open("$dovecotpw '-s' $method '-t' $pw_db", $spec,
>                 $pipes);
>
>             if(!$pipe) {
>                 die("can't proc_open $dovecotpw");
>             } else {
>                 // only one write is needed here
>                 fwrite($pipes[0], $pw . "\n", 1+strlen($pw)); usleep(1000);
>                 fclose($pipes[0]);
>             }
>
>             $password = fread($pipes[1], "200");
>
>             // strip the verified suffix (if any, else it's garbage)
>             $password = substr($password, 0,
>                 strlen($password) - strlen(" (verified)") - 1);
>         }
>
>         fclose($pipes[1]);
>         fclose($pipes[2]);
>         proc_close($pipe);
>
>         // Do not strip the method prefix
>         $password = trim(str_replace('{' . $method . '}', '', $password));
>         $password = trim($password);
>     }
> [...]