Navigation

gring · #1 9th April 2009, 01:05

Hi,

Where can I set the hash algorithm used to store the mailusers passwords (and ftp users too)?

I'd like to store them in clear instead of crypt, for future migrations.

And by the way, where can I find a list of the "special words" ( [domain], [client_id] etc...) that are usable in the server config menu?

Thanks

till · #2 9th April 2009, 09:14

Quote:

Where can I set the hash algorithm used to store the mailusers passwords (and ftp users too)?

The algorithm can be set in the form definition file of the iterface form, e.g. mail user form.

Quote:

I'd like to store them in clear instead of crypt, for future migrations.

It is a very big security risk and you should not do this.

Quote:

And by the way, where can I find a list of the "special words" ( [domain], [client_id] etc...) that are usable in the server config menu?

there is no such list.

gring · #3 10th April 2009, 00:57

Hi Till, Thanks for your answer.

For those who want to do the same thing, look for the file

mail_user.tform.php

and then, inside the file, look for "CRYPT" and replace it by "CLEARTEXT"

Now, I will try to make the list of the special words and post it in the forum.

Thanks!

gring · #4 18th April 2009, 18:55

note that, when, using courier, you have to:

edit courier's mysql auth config file (/etc/courier/authmysqlrc in Debian / Ubuntu)

comment the line "MYSQL_CRYPT_PWFIELD password"
and uncomment the line "MYSQL_CLEAR_PWFIELD password"

gring · #5 22nd July 2009, 01:55

Hum...This creates a problem with Postfix sasl auth.

the file /etc/postfix/sasl/smtpd.conf contains the configuration for smtp authentification, but I can't find where the mail_user 's password hash algorithm is defined.

gring · #6 22nd July 2009, 03:14

one dirty way would be to modify the sql command in /etc/postfix/sasl/smtpd.conf to make mysql crypt the password when asked for it, but how do I do that? encrypt(password) doesn't seem to work...

help!

gring · #7 22nd July 2009, 03:21

setting "crypt=0" in the two lines of /etc/pam.d/smtp seems to do the trick...

till · #8 22nd July 2009, 08:32

Please be aware that this is very insecure! ISPConfig encrypts the passwords with crypt and salt to ensure that nobody can decrypt them, if you store them unenecrypted and someone hacks your server he weill get all passwords in a format that he might use to attack other services as many poeple tend to use the same password for different websites.

gring · #9 15th January 2010, 03:46

Hum, I tried to install the roundcube password plugin, but the passwords are stored encrypted through it.

What should I change so the mail_user passwords are stored in CLEARTEXT? Is it in ./interface/lib/classes/remoting_lib.inc.php ?

Thanks!

till · #10 15th January 2010, 10:58

You should never store user passwords in cleartext. Storing passwords in cleartext is a security nightmare, so never do this. Users tend to use the same password for a lot of things, so if someone might hack your server or get access to your database, then he might get passwords for e.g. paypal or other payment realted things too in cleartext.

Navigation

Facebook

News

Recent comments

Newsletter