From: Wojciech Puchar
To: Stefan Eßer
Cc: freebsd-hackers@freebsd.org
Date: Tue, 29 Oct 2019 15:48:20 +0100 (CET)
Subject: Re: converting password hashes

>>> that doesn't
>>>
>>> is there a way to make it work without contacting over hundred people and telling them what new password they have?
>>
>> If it is just MD5 with no salt, I suspect substituting “$1$$” for the “{PLAIN_MD5}” would be sufficient.
>
> I have not checked the code, this might even work (if there is no check
> for a non-empty hash).
>
> But the plain MD5 hashes have to be converted from hex to base64, too,
> since that is the expected encoding for $1$ password entries ...

tried:

$ echo -n blah|md5|xxd -r -p|base64
bx7QAqtVlYWQFOvwlRUi2Q==

then I put $1$$bx7QAqtVlYWQFOvwlRUi2Q in the password field with vipw

tried to log in with the blah password. doesn't work

any more ideas?
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Wojciech Puchar, Stefan Eßer
Cc: freebsd-hackers@freebsd.org
Date: Tue, 29 Oct 2019 17:55:35 +0100
Subject: Re: converting password hashes

Wojciech Puchar wrote on 2019/10/29 15:48:
>>>> that doesn't
>>>>
>>>> is there a way to make it work without contacting over hundred
>>>> people and telling them what new password they have?
>>>
>>> If it is just MD5 with no salt, I suspect substituting “$1$$” for the
>>> “{PLAIN_MD5}” would be sufficient.
>>
>> I have not checked the code, this might even work (if there is no check
>> for a non-empty hash).
>>
>> But the plain MD5 hashes have to be converted from hex to base64, too,
>> since that is the expected encoding for $1$ password entries ...
>
> tried:
>
> $ echo -n blah|md5|xxd -r -p|base64
> bx7QAqtVlYWQFOvwlRUi2Q==
>
> then I put $1$$bx7QAqtVlYWQFOvwlRUi2Q in the password field with vipw
>
> tried to log in with the blah password. doesn't work
>
> any more ideas?
MD5 passwords are very weak and should not be used these days. Blf-Crypt (bcrypt) or Argon2 are recommended:
https://doc.dovecot.org/configuration_manual/authentication/password_schemes/

There is a way to change the password hashes after a successful logon with the old password hash. This HowTo is for passwords in MySQL, but you can adapt it to your environment with UNIX passwords too:
https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

Only the hashes will be changed and nothing will be visible from the user's point of view; they will use their passwords. I think it is much better than using MD5 hashes forever.

Miroslav Lachman
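Why the `$1$$<base64>` attempt earlier in the thread cannot work, and why the re-hash-on-login approach Miroslav points to is the realistic fix: `$1$` selects md5crypt, which salts the password and runs 1000 MD5 rounds with its own 64-character alphabet, so a stored unsalted hex digest can never be rewritten into a valid `$1$` entry without the plaintext. The code below is an added example, not from the thread; `md5crypt` is a transcription of the crypt(3) algorithm (checked against the test vector in glibc's crypt test suite) and `naive_conversion` reproduces exactly what was tried with `xxd` and `base64`.

```python
import base64
import hashlib

# crypt(3) uses its own 64-character alphabet, not the RFC 4648 one
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    # emit `count` crypt-alphabet characters, least significant 6 bits first
    return bytes(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5crypt(password: bytes, salt: bytes) -> str:
    """The $1$ scheme (Poul-Henning Kamp's md5crypt) as computed by crypt(3)."""
    magic = b"$1$"
    salt = salt.split(b"$", 1)[0][:8]          # salt ends at '$' or 8 chars
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                                # len(password) bytes of alt
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(password)
    while n:                                    # one byte per bit of the length
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                       # the deliberately slow part
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return (magic + salt + b"$" + enc).decode()


def naive_conversion(plain_md5_hex: str) -> str:
    """What the thread tried: re-encode the unsalted digest and prefix $1$$."""
    digest = bytes.fromhex(plain_md5_hex)
    return "$1$$" + base64.b64encode(digest).decode().rstrip("=")


if __name__ == "__main__":
    stored = hashlib.md5(b"blah").hexdigest()  # a {PLAIN_MD5} entry for "blah"
    print(naive_conversion(stored), "!=", md5crypt(b"blah", b""))
```

Even with an empty salt the two strings differ in every position after `$1$$`, and standard base64 can also emit `+` and `=`, which crypt's alphabet never contains.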