[exim] Re: Blowfish auth

Author: Andreas Metzler
Date:
To: exim-users
Subject: [exim] Re: Blowfish auth
On 2024-05-16 Jeremy Harris via Exim-users <exim-users@???> wrote:
> On 16/05/2024 18:03, Andreas Metzler via Exim-users wrote:
>> On 2024-05-16 Slavko via Exim-users <exim-users@???> wrote:
>> [...]
>>> Anyway, would be great, if exim can use system's crypto library,
>>> to support all system's password hash formats.


>> crypteq should already do that.


> Unfortunately it does not. There is specific code handling
> {md5} / {sha1} / {crypt} / {crypt16} spotted in the already-crypted
> (second) argument, deciding what sort of encryption to apply to
> the cleartext (first) argument before comparison.


> Calling a ${perl } expansion in an authenticator's server_condition option
> (thanks, Kai!) sounds like the best bet. Looks like you need
> both Crypt::Blowfish and Crypt::CBC though.


Hello,
I think you are mistaken or misunderstood me. Yes, if the hashed string
has a specific prefix like {md5} then there is handling for a limited
set of prefixes, however for the normal format as used in /etc/passwd or
/etc/shadow that does not happen and the string is simply passed on to
crypt().

Basic test:
mkpasswd --method=descrypt blah
/t3tzhUtpOFYY
ametzler@argenau:~$ /usr/sbin/exim -be "\${if crypteq {blah}{\N$(mkpasswd --method=descrypt blah)\N}{yes}{no}}"
yes
ametzler@argenau:~$ /usr/sbin/exim -be "\${if crypteq {blah}{\N$(mkpasswd --method=descrypt wrongpasswd)\N}{yes}{no}}"
no

But this also works for newer methods:
ametzler@argenau:~$ mkpasswd --method=sha512crypt blah
$6$p0SCmfDuLuHN3LQh$tr5MOXU48Ye4c7LjLgXHO2Yi.NlhlRbOebfMj0dk/sUQmkyl6EcrF2i/wRbnGQ7jhZ/ihy7BqNqzQj.lqHOVt/
ametzler@argenau:~$ /usr/sbin/exim -be "\${if crypteq {blah}{\N$(mkpasswd --method=sha512crypt blah)\N}{yes}{no}}"
yes
ametzler@argenau:~$ /usr/sbin/exim -be "\${if crypteq {blah}{\N$(mkpasswd --method=bcrypt blah)\N}{yes}{no}}"
yes
ametzler@argenau:~$ /usr/sbin/exim -be "\${if crypteq {blah}{\N$(mkpasswd --method=gost-yescrypt blah)\N}{yes}{no}}"
yes

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
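
Added example, not part of the original message and not Exim code: a shell helper that reports which of the two paths described in this thread a stored hash would take in crypteq, either a brace prefix Exim handles itself or a plain string handed to crypt(). It goes beyond the methods tested above by recognising further crypt(5) prefixes; the function names and the case-insensitive brace-prefix match are assumptions.

```shell
#!/bin/sh
# Added example (not Exim code): report which code path a stored hash takes
# when used as the second argument of crypteq. Matching is by prefix only;
# the hash body is not validated.

classify_hash() {
    h=$1
    # Brace prefixes Exim handles itself. Lower-casing before the match is an
    # assumption about how Exim compares these prefixes.
    lc=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
    case $lc in
        '{md5}'*)     echo 'exim:md5';     return 0 ;;
        '{sha1}'*)    echo 'exim:sha1';    return 0 ;;
        '{crypt16}'*) echo 'exim:crypt16'; return 0 ;;
        '{crypt}'*)   echo 'exim:crypt';   return 0 ;;
    esac
    # No brace prefix: the string is handed to crypt(), which selects the
    # method from the hash's own prefix (see crypt(5)).
    case $h in
        '$1$'*)                  echo 'crypt:md5crypt' ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo 'crypt:bcrypt' ;;
        '$5$'*)                  echo 'crypt:sha256crypt' ;;
        '$6$'*)                  echo 'crypt:sha512crypt' ;;
        '$7$'*)                  echo 'crypt:scrypt' ;;
        '$y$'*)                  echo 'crypt:yescrypt' ;;
        '$gy$'*)                 echo 'crypt:gost-yescrypt' ;;
        *)
            # Traditional DES crypt: exactly 13 chars from [./0-9A-Za-z].
            if [ "${#h}" -eq 13 ]; then
                case $h in
                    *[!./0-9A-Za-z]*) echo 'crypt:unknown' ;;
                    *)                echo 'crypt:descrypt' ;;
                esac
            else
                echo 'crypt:unknown'
            fi ;;
    esac
}

# Read "user:hash" lines on stdin and print "user<TAB>path:scheme".
classify_file() {
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        printf '%s\t%s\n' "$user" "$(classify_hash "$hash")"
    done
}

# Constructed sample entries. The first two hash bodies are placeholders;
# the third is the descrypt output shown in the message above.
classify_file <<'EOF'
alice:$6$constructedsalt$constructedbody
bob:{SHA1}constructedbody
carol:/t3tzhUtpOFYY
EOF
```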
