  #1  
Old 9th April 2009, 02:05
gring gring is offline
Member
 
Join Date: Mar 2009
Posts: 53
Thanks: 2
Thanked 3 Times in 3 Posts
change mailuser password hash algorithm

Hi,

Where can I set the hash algorithm used to store the mailusers passwords (and ftp users too)?

I'd like to store them in clear instead of crypt, for future migrations.

And by the way, where can I find a list of the "special words" ( [domain], [client_id] etc...) that are usable in the server config menu?

Thanks
  #2  
Old 9th April 2009, 10:14
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 37,036
Thanks: 841
Thanked 5,656 Times in 4,464 Posts

Quote:
Where can I set the hash algorithm used to store the mailusers passwords (and ftp users too)?
The algorithm can be set in the form definition file of the interface form, e.g. mail user form.

Quote:
I'd like to store them in clear instead of crypt, for future migrations.
It is a very big security risk and you should not do this.

Quote:
And by the way, where can I find a list of the "special words" ( [domain], [client_id] etc...) that are usable in the server config menu?
There is no such list.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 10th April 2009, 01:57
gring gring is offline

Hi Till, Thanks for your answer.

For those who want to do the same thing, look for the file

mail_user.tform.php

and then, inside the file, look for "CRYPT" and replace it by "CLEARTEXT"

Now, I will try to make the list of the special words and post it in the forum.

Thanks!
  #4  
Old 18th April 2009, 19:55
gring gring is offline

Note that, when using courier, you have to:

edit courier's mysql auth config file (/etc/courier/authmysqlrc in Debian / Ubuntu)

comment the line "MYSQL_CRYPT_PWFIELD password"
and uncomment the line "MYSQL_CLEAR_PWFIELD password"
  #5  
Old 22nd July 2009, 02:55
gring gring is offline

Hum... This creates a problem with Postfix sasl auth.

The file /etc/postfix/sasl/smtpd.conf contains the configuration for SMTP authentication, but I can't find where the mail_user's password hash algorithm is defined.
  #6  
Old 22nd July 2009, 04:14
gring gring is offline

One dirty way would be to modify the SQL command in /etc/postfix/sasl/smtpd.conf to make MySQL crypt the password when asked for it, but how do I do that? encrypt(password) doesn't seem to work...

Help!
  #7  
Old 22nd July 2009, 04:21
gring gring is offline

Setting "crypt=0" in the two lines of /etc/pam.d/smtp seems to do the trick...
  #8  
Old 22nd July 2009, 09:32
till till is offline

Please be aware that this is very insecure! ISPConfig encrypts the passwords with crypt and salt to ensure that nobody can decrypt them. If you store them unencrypted and someone hacks your server, he will get all passwords in a format that he might use to attack other services, as many people tend to use the same password for different websites.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #9  
Old 15th January 2010, 04:46
gring gring is offline

Hum, I tried to install the roundcube password plugin, but the passwords are stored encrypted through it.

What should I change so the mail_user passwords are stored in CLEARTEXT? Is it in ./interface/lib/classes/remoting_lib.inc.php ?

Thanks!
  #10  
Old 15th January 2010, 11:58
till till is offline

You should never store user passwords in cleartext. Storing passwords in cleartext is a security nightmare, so never do this. Users tend to use the same password for a lot of things, so if someone might hack your server or get access to your database, then he might get passwords for e.g. PayPal or other payment related things too in cleartext.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
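
An added example, not written by any poster in this thread and not part of ISPConfig: a shell check that reports whether the cleartext settings discussed above (an active MYSQL_CLEAR_PWFIELD in courier's authmysqlrc, crypt=0 in the PAM smtp file) are enabled in the files it is given. The sample files are constructed, and every pam_mysql option value in them other than crypt is a placeholder.

```shell
#!/bin/sh
# Added example: report the cleartext-password settings named in this thread.

# audit_mail_auth AUTHMYSQLRC PAM_SMTP
# Prints one finding per line; returns non-zero if any finding is reported.
audit_mail_auth() {
    rc=$1; pam=$2; findings=0
    # An uncommented MYSQL_CLEAR_PWFIELD makes courier read a cleartext column.
    if grep -Eq '^[[:space:]]*MYSQL_CLEAR_PWFIELD[[:space:]]' "$rc"; then
        echo "CLEARTEXT: $rc enables MYSQL_CLEAR_PWFIELD"; findings=$((findings + 1))
    fi
    # The crypt field should be the active one.
    if ! grep -Eq '^[[:space:]]*MYSQL_CRYPT_PWFIELD[[:space:]]' "$rc"; then
        echo "WARN: $rc has no active MYSQL_CRYPT_PWFIELD"; findings=$((findings + 1))
    fi
    # Count uncommented PAM lines carrying crypt=0.
    n=$(grep -Ev '^[[:space:]]*#' "$pam" | grep -Ec '(^|[[:space:]])crypt=0([[:space:]]|$)' || true)
    if [ "${n:-0}" -gt 0 ]; then
        echo "CLEARTEXT: $pam has $n active line(s) with crypt=0"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# write_samples DIR: constructed sample files (not taken from a real server).
write_samples() {
    d=$1
    printf '%s\n' 'MYSQL_CRYPT_PWFIELD password' '#MYSQL_CLEAR_PWFIELD password' > "$d/authmysqlrc.ok"
    printf '%s\n' '#MYSQL_CRYPT_PWFIELD password' 'MYSQL_CLEAR_PWFIELD password' > "$d/authmysqlrc.weak"
    printf '%s\n' 'auth required pam_mysql.so user=u table=mail_user crypt=1' \
                  'account sufficient pam_mysql.so user=u table=mail_user crypt=1' > "$d/smtp.ok"
    printf '%s\n' 'auth required pam_mysql.so user=u table=mail_user crypt=0' \
                  'account sufficient pam_mysql.so user=u table=mail_user crypt=0' > "$d/smtp.weak"
}

# Demo run against the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_mail_auth "$tmp/authmysqlrc.ok" "$tmp/smtp.ok" && echo "hashed-password copy: clean"
audit_mail_auth "$tmp/authmysqlrc.weak" "$tmp/smtp.weak" || echo "cleartext copy: findings above"
rm -rf "$tmp"
```

On a Debian or Ubuntu host the two arguments would be /etc/courier/authmysqlrc and /etc/pam.d/smtp, the paths named in the posts above.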