1

Topic: Default Password Scheme - Can It Be Set to MD5

I noticed the "default_pw_scheme" option in /usr/share/apache2/iredadmin/settings.ini:

# Default password scheme: SSHA, PLAIN.
# SSHA is recommended.
default_pw_scheme = SSHA

Can MD5 be used also or just SSHA and PLAIN?

2

Re: Default Password Scheme - Can It Be Set to MD5

Just SSHA, SHA (SSHA is better), PLAIN.

3

Re: Default Password Scheme - Can It Be Set to MD5

ZhangHuangbin wrote:

Just SSHA, SHA (SSHA is better), PLAIN.

Thanks.  If I were to change it to SHA, I'd just need to restart Apache to make the change take place?

4

Re: Default Password Scheme - Can It Be Set to MD5

Don't use SHA. SSHA is better than SHA (SSHA = SHA + salt)

5

Re: Default Password Scheme - Can It Be Set to MD5

ZhangHuangbin wrote:

Don't use SHA. SSHA is better than SHA (SSHA = SHA + salt)

Thanks.  I know it's better.  I'm just testing something with one user account, temporarily.

So, restarting Apache should implement the change?  If so, I tried that and it didn't work.

6

Re: Default Password Scheme - Can It Be Set to MD5

iredmailnerd wrote:

So, restarting Apache should implement the change?  If so, I tried that and it didn't work.

Which version of iRedAdmin-Pro are you using? I need this version number to confirm & fix it.

Thanks very much for your feedback. smile

7

Re: Default Password Scheme - Can It Be Set to MD5

ZhangHuangbin wrote:
iredmailnerd wrote:

So, restarting Apache should implement the change?  If so, I tried that and it didn't work.

Which version of iRedAdmin-Pro are you using? I need this version number to confirm & fix it.

Thanks very much for your feedback. smile


You're welcome.  smile  I'm using version 1.2.0.

8

Re: Default Password Scheme - Can It Be Set to MD5

I tested SSHA, SHA, PLAIN with setting in settings.ini like below, all are ok for me.

[general]
...
default_pw_scheme = SHA

After changed password, you can verify it by accessing this URL:
http://your_server.com/iredadmin/export … domain.ltd

It will show raw LDIF data of user "username@domain.ltd", you can verify the value of attribute "userPassword". If it's SHA, it will be something like this:

userPassword: {SHA}P0XUy2zIiczjpwUU8c/CWFrEWj8=

9 (edited by iredmailnerd 2010-10-11 10:06:06)

Re: Default Password Scheme - Can It Be Set to MD5

I have the following setting:

# Default password scheme: SSHA, PLAIN.
# SSHA is recommended.
default_pw_scheme = SHA

When I save the test user's password, I see the following output in the LDIF info displayed the URL:

....
uid: test3
userPassword: {SSHA}7/nxSBIiyutGm76YCvaaa2td4Y04ix+EBYFS+A==

Is there anything I need to do other than restart Apache?

10

Re: Default Password Scheme - Can It Be Set to MD5

That's strange. Restarting apache is enough.
I tested it with v1.2.0 too, but works for me here.

Can you please try below commands and paste output here:

# cd /path/to/iRedAdmin-Pro-1.2.0/
# grep -ir 'generatepasswd' *

11

Re: Default Password Scheme - Can It Be Set to MD5

ZhangHuangbin wrote:

grep -ir 'generatepasswd' *


Aha!!

libs/ldaplib/ldaputils.py:def generatePasswd(password, pwscheme='SSHA'):
libs/ldaplib/user.py:     self.passwd = ldaputils.generatePasswd(result[1], pwscheme=cfg.general.get('default_pw_scheme', 'SSHA'))
libs/ldaplib/user.py:     self.passwd = ldaputils.generatePasswd(result[1], pwscheme=cfg.general.get('default_pw_scheme', 'SSHA'))
libs/ldaplib/admin.py:  self.passwd = ldaputils.generatePasswd(result[1], pwscheme=cfg.general.get('default_pw_scheme', 'SSHA'))

12

Re: Default Password Scheme - Can It Be Set to MD5

Function "generatePasswd" is defined in libs/ldaplib/ldaputils.py, invoked in libs/ldaplib/user.py and admin.py.

iRedAdmin will read "default_pw_scheme" from settings.ini, if not defined, it will use 'SSHA'. So the source code is ok. Not sure why it doesn't work for you. sad

13

Re: Default Password Scheme - Can It Be Set to MD5

Hi

Did you ever find a solution to this? I have the same problem but using iRedAdmin-Pro-LDAP-1.6.1.
I added default_pw_scheme = PLAIN to settings.ini and restarted apache2 but passwords for new users are still SSHA.
Suggestions?

Cheers!
// Tomas

14 (edited by mike.f 2011-07-12 15:17:50)

Re: Default Password Scheme - Can It Be Set to MD5

you have to change your password after that change as the old hash is stored

to be shure restart openldap

15

Re: Default Password Scheme - Can It Be Set to MD5

Spångberg wrote:

I added default_pw_scheme = PLAIN to settings.ini and restarted apache2 but passwords for new users are still SSHA.

'default_pw_scheme' in settings.ini is deprecated, update libs/settings.py instead:

# Default password scheme: SSHA, SHA, PLAIN.
# Must be a string. SSHA is recommended.
# To store passwords in plain text, please change below setting to 'PLAIN',
# no addition changes are required in iredmail, dovecot will detect password
# scheme automatically.
LDAP_DEFAULT_PASSWD_SCHEME = 'SSHA'

If you're using iRedAdmin-Pro-MySQL, update below setting in libs/settings.py instead:

# Default password scheme: MD5, PLAIN.
#
# Passwords of new accounts (admin, user) will be crypted by specified scheme.
# - MD5: MD5 based salted password hash. e.g. '$1$ozdpg0V0$0fb643pVsPtHVPX8mCZYW/'.
# - PLAIN: Plain text.
#
# Reference:
#   - For dovecot-1.1.x, 1.2.x: http://wiki.dovecot.org/Authentication/PasswordSchemes
#   - For dovecot-2.x: http://wiki2.dovecot.org/Authentication/PasswordSchemes
SQL_DEFAULT_PASSWD_SCHEME = 'MD5

# Prefix '{PLAIN}' in plain passwords: True, False.
#
# Required by dovecot if you want to store passwords as plain text.
# Password scheme can be overridden for each password by prefixing it with
# {SCHEME}, for example: {PLAIN}my_password.
# It's recommended to prefix it if you have some passwords stored in MD5 or
# other scheme, so that dovecot can detect scheme for each passwords.
SQL_PASSWD_PREFIX_SCHEME = True

16 (edited by Spångberg 2011-07-12 21:45:05)

Re: Default Password Scheme - Can It Be Set to MD5

Thanks!
Now I just need a way to fetch the plain text password from the console (with ldapsearch?) but maybe that's another topic..

// Tomas

17 (edited by Spångberg 2011-07-12 21:45:24)

Re: Default Password Scheme - Can It Be Set to MD5

Hm.. next problem..
Now I can't change passwords from Round Cube, is there a way to make Round Cube to use plain text as well?

Edit: I can change it but it changes back to SSHA

// Tomas

18

Re: Default Password Scheme - Can It Be Set to MD5

Got it to work..

I changed:
$rcmail_config['password_ldap_encodage'] = "ssha";
to
$rcmail_config['password_ldap_encodage'] = "clear";

in /usr/share/apache2/roundcubemail-0.3.1/plugins/password/config.inc.php

Is that the best way to do it?

Regards // Tomas