1

Topic: iredmail SHA512 password hashing

==== Required information ====
- iRedMail version: v0.1.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu 10.04
- Related log if you're reporting an issue:
====

According to this announcement:
http://www.iredmail.org/forum/topic4220 … ha512.html

iredmail now supports SHA512 password scheme. According to the example password for SHA512:

SSHA512: {SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=

Am I to assume that the FxgXDhBVYmTqoboW part is the salt and everything after the + is the actual hash of the password?

If that's the case, I'm assuming that the password is generated using the PHP crypt function using 5000 rounds (default)? I am wondering because it looks a bit different than the PHP documentation which shows a SHA512 hash as follows:

$6$rounds=5000$usesomesillystri$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6EY47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21

I would appreciate some clarification on this.

Thanks

Also, what version of iredmail do I need to be to get the SHA512 password support?

2

Re: iredmail SHA512 password hashing

Hi deeztek,

I'm not familiar with PHP, but you can check how we generate SSHA512 hash with Python code here:
https://bitbucket.org/zhb/iredadmin-ose … ult#cl-425

And here are the password schemes supported in Dovecot-2:
http://wiki2.dovecot.org/Authentication/PasswordSchemes

deeztek wrote:

Also, what version of iredmail do I need to be to get the SHA512 password support?

The upcoming release, iRedAdmin-0.2.1 (open source edition). Of course upcoming iRedAdmin-Pro supports it too.

3

Re: iredmail SHA512 password hashing

I have solved it by changing the password in the conf file.

There are several conf files like

/etc/apache2/conf-available/cluebringer.conf
/etc/apache2/conf-available/awstats.conf


<Directory /usr/share/postfix-cluebringer-webui/webui>
    DirectoryIndex index.php

    AuthType Basic
    AuthName "Authentication required"
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "SELECT '{SHA}yOzjrZUESCG6VIOyDSSGGFLI2xY=' as password FROM mailbox WHERE username = %s AND isglobaladmin=1 LIMIT 1"

    Require valid-user
</Directory>

In the query I have changed

 password 

to

 '{SHA}yOzjrZUESCG6VIOyDSSGGFLI2xY=' as password 

To generate this password, run this line in a terminal, changing YOURPASS to your password:

php -r " print_r( array('{SHA}' . base64_encode(sha1('YOURPASS', TRUE))) ); "

output:

Array
(
    [0] => {SHA}TD7tceHW69zwevKYcy3bPZBE7GA=
)

4

Re: iredmail SHA512 password hashing

The latest iRedAdmin (both open source edition and iRedAdmin-Pro) supports SSHA, SSHA512.

5

Re: iredmail SHA512 password hashing

The SSHA format doesn't use a delimiter; it knows how long the hash is, 512 bits, so the first 512 bits after {SSHA512} are the hash, the rest is the salt. Obviously this is all bitwise operations so have fun.

Salting

For most of the salted password schemes (SMD5, SSHA*) the salt is stored after the password hash and its length can vary. When hashing the password, append the salt after the plaintext password, e.g.: SSHA256(pass, salt) = SHA256(pass + salt) + salt.

For example with SSHA256 you know that the hash itself is 32 bytes (256 bits/8 bits per byte). Everything after that 32 bytes is the salt. For example if you have a password:

{SSHA256}SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv

After base64 decoding it you'll see that its length is 36 bytes, so the first 32 bytes are the hash and the following 4 bytes are the salt:

length: echo SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv|base64 -d|wc -c -> 36
hash: echo SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv|base64 -d|dd bs=1 count=32|hexdump -C -> 4a 84 7f ef c4 f9 ab 45 0f 16 78 3c 50 25 d6 43 13 94 2a 1c eb 25 99 70 7c db 65 94 0b a9 01 e5
salt: echo SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv|base64 -d|dd bs=1 skip=32|hexdump -C -> 13 fa 44 2f

source: http://wiki.dovecot.org/Authentication/ … es#Salting
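The following is an added example, not code from this thread, from iRedAdmin or from Dovecot. It implements the layout the Dovecot wiki quote above describes (digest first, salt appended, the whole thing base64-encoded behind a {SCHEME} prefix) for SHA, SSHA, SSHA256 and SSHA512, and it answers the first post's question by splitting the thread's own example strings: the SSHA256 example decodes to 32 digest bytes plus the 4 salt bytes 13 fa 44 2f, and the SSHA512 example from the first post decodes to 68 bytes, i.e. a 64-byte SHA-512 digest followed by a 4-byte salt. Note that this is a single SHA-512 over password+salt, not the iterated `$6$rounds=...$` SHA512-CRYPT scheme from the PHP documentation, which is a different format with a different name in Dovecot. The 8-byte default salt length and the password strings in the demo are my own choices, not a value from the page; the verifier accepts any salt length, as Dovecot does.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme name -> (hashlib algorithm, raw digest length in bytes, salted?).
# For the salted schemes the salt is everything after the digest bytes,
# as the Dovecot wiki text quoted above states.
SCHEMES = {
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
    "SSHA256": ("sha256", 32, True),
    "SSHA512": ("sha512", 64, True),
}

# Example strings taken from this thread (not constructed).
PAGE_SSHA256 = "{SSHA256}SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv"
PAGE_SSHA512 = ("{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA"
                "0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=")


def make_hash(password: str, scheme: str = "SSHA512",
              salt: Optional[bytes] = None) -> str:
    """Produce {SCHEME}base64(digest(password + salt) + salt)."""
    algo, _, salted = SCHEMES[scheme]
    if salted:
        # Assumption: 8 random salt bytes; the thread's examples use 4.
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b""  # plain SHA has no salt at all
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_hash(stored: str) -> Tuple[str, bytes, bytes]:
    """Return (scheme, digest, salt) from a stored {SCHEME}base64 string.

    There is no separator: the digest length is fixed by the scheme and the
    salt is whatever is left after it.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme, b64 = stored[1:].split("}", 1)
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    _, digest_len, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < digest_len or (not salted and len(raw) != digest_len):
        raise ValueError("decoded length %d does not fit %s" % (len(raw), scheme))
    return scheme, raw[:digest_len], raw[digest_len:]


def verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, digest, salt = split_hash(stored)
    algo = SCHEMES[scheme][0]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def describe(stored: str) -> dict:
    """Summarise how a stored value splits into digest and salt."""
    scheme, digest, salt = split_hash(stored)
    return {"scheme": scheme, "digest_len": len(digest),
            "salt_len": len(salt), "salt_hex": salt.hex()}


if __name__ == "__main__":
    for example in (PAGE_SSHA256, PAGE_SSHA512):
        print(describe(example))
    stored = make_hash("constructed-password", "SSHA512")
    print(stored)
    print(verify("constructed-password", stored), verify("wrong", stored))
```

`describe(PAGE_SSHA512)` reports digest_len 64 and salt_len 4, which is the answer to the first post: the salt is the last 4 decoded bytes, not the part before the `+`, and the `+` is just a base64 character.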