1

Topic: iredadmin: trouble with password hash prefix

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: FreeBSD 9.3-RELEASE-p25 (FreeNAS Jail)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB 5.5.44
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? nope
- Related log if you're reporting an issue: -
====

I just installed iredmail and I am pretty happy with it, but one thing drives me nuts. Iredadmin seems to be unable to interpret Roundcube's password hash prefix for Blowfish (BLF-CRYPT) properly. By default both tools are supposed to use Blowfish. When the password is set via the iredadmin webui, the prefix {CRYPT} is used and I am able to authenticate with the same user @ Roundcube. When the password is set via Roundcube, the prefix is set to {BLF-CRYPT} and iredadmin seems to have no clue how to deal with it (webui returns with "Error: Username or password is incorrect."). Changing the password hash manually to "{CRYPT}..." in the database recovers access to iredadmin.
I tried to teach iredadmin the new prefix via adding the line
' or challenge_password.startswith('{BLF-CRYPT}$2a$') \'

to the block
if challenge_password.startswith('{CRYPT}$2a$') \
       or challenge_password.startswith('{CRYPT}$2b$') \
                                         # added new line here
       or challenge_password.startswith('{crypt}$2a$') \
       or challenge_password.startswith('{crypt}$2b$'):
        challenge_password = challenge_password[7:]

in file /usr/local/www/iredadmin/libs/iredutils.py
but this did not help. I also tried to disable the password prefix for both tools, but only Roundcube cares about the setting change. Iredadmin keeps writing {CRYPT} prefixes to password entries of the mailbox table (I added 'SQL_PASSWD_PREFIX_SCHEME = false' to the end of iredadmin's settings.py, restarted nginx and iredapd, and reloaded the iredadmin webui afterwards).

Maybe it's just a layer eight/configuration issue, but I am running out of ideas and would be really thankful for any useful hint.

P.S.: If I set 'SSHA512' encryption for both tools, the user authentication works like a charm.


2

Re: iredadmin: trouble with password hash prefix

der.sascha wrote:

I tried to teach iredadmin the new prefix via adding the line
' or challenge_password.startswith('{BLF-CRYPT}$2a$') \'
to the block
if challenge_password.startswith('{CRYPT}$2a$') \
       or challenge_password.startswith('{CRYPT}$2b$') \
                                         # added new line here

This modification will work, but you inserted it in the wrong place. Try this patch for iRedAdmin open source edition v0.4.2:

diff -r 12ff1d3b0419 libs/iredutils.py
--- a/libs/iredutils.py    Mon Sep 21 18:33:57 2015 +0800
+++ b/libs/iredutils.py    Thu Oct 08 14:49:39 2015 +0800
@@ -322,6 +322,9 @@
        or challenge_password.startswith('{crypt}$2a$') \
        or challenge_password.startswith('{crypt}$2b$'):
         challenge_password = challenge_password[7:]
+    elif challenge_password.startswith('{BLF-CRYPT}') \
+       or challenge_password.startswith('{blf-crypt}'):
+        challenge_password = challenge_password[11:]
 
     return bcrypt.checkpw(plain_password, challenge_password)
 
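Review bot: The new `elif` matches only the two spellings `{BLF-CRYPT}` and `{blf-crypt}` and strips them with the hard-coded offset `[11:]`, so a mixed-case label falls through with its prefix intact and reaches `bcrypt.checkpw` unchanged. Consider comparing against an upper-cased copy of the value and slicing by `len('{BLF-CRYPT}')`, which keeps the offset tied to the label it belongs to (the 7 versus 11 mismatch is what this thread is about).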
@@ -335,6 +338,8 @@
     """Verify salted MD5 password"""
     if challenge_password.startswith('{MD5}') or challenge_password.startswith('{md5}'):
         challenge_password = challenge_password[5:]
+    elif challenge_password.startswith('{CRYPT}') or challenge_password.startswith('{crypt}'):
+        challenge_password = challenge_password[7:]
 
     if not (
         challenge_password.startswith('$') \
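Review bot: The `{CRYPT}` branch added to the salted MD5 verifier accepts any `{CRYPT}`-labelled value, while the docstring still reads only "Verify salted MD5 password". It relies on the `if not ( challenge_password.startswith('$') ...` check below to reject hashes that are not salted MD5, so a short comment saying so would help. It is also worth confirming that the dispatcher routes `{CRYPT}` values to this function, since no such branch is visible in the last hunk.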
@@ -535,7 +540,9 @@
         return verify_plain_md5_password(challenge_password, plain_password)
     elif upwd.startswith('{CRAM-MD5}'):
         return verify_cram_md5_password(challenge_password, plain_password)
-    elif upwd.startswith('{CRYPT}$2A$') or upwd.startswith('{CRYPT}$2B$'):
+    elif upwd.startswith('{CRYPT}$2A$') \
+       or upwd.startswith('{CRYPT}$2B$') \
+       or upwd.startswith('{BLF-CRYPT}'):
         return verify_bcrypt_password(challenge_password, plain_password)
 
     return False
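Review bot: The added `upwd.startswith('{BLF-CRYPT}')` condition does not require a `$2A$` or `$2B$` marker the way the two `{CRYPT}` conditions beside it do, so any value carrying that label is sent to `verify_bcrypt_password`. If that is intended, a comment would make it explicit; otherwise test for `{BLF-CRYPT}$2A$` and `{BLF-CRYPT}$2B$`. The three backslash-continued tests could also be a single call, `upwd.startswith(('{CRYPT}$2A$', '{CRYPT}$2B$', '{BLF-CRYPT}'))`.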

'{crypt}' is 7 characters long, but '{blf-crypt}' is 11 characters long.
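The length mismatch described in this reply, as an added example that is not part of the original post and not iRedAdmin's code: it reads the scheme label up to the closing brace instead of slicing at a fixed offset. The names `split_scheme`, `bcrypt_hash_of`, `naive_strip` and the `SAMPLE` value are hypothetical and constructed for illustration.

```python
import re

# Stored value shape used in this thread: optional "{SCHEME}" label + hash.
_PREFIX_RE = re.compile(r'^\{([A-Za-z0-9.-]+)\}')

# Labels that carry a bcrypt hash according to this thread.
BCRYPT_SCHEMES = {'CRYPT', 'BLF-CRYPT'}
# bcrypt version markers checked by the code quoted in the thread.
BCRYPT_MARKERS = ('$2a$', '$2b$')


def split_scheme(stored):
    """Return (SCHEME or None, hash) without relying on a fixed offset."""
    m = _PREFIX_RE.match(stored)
    if not m:
        return None, stored
    # Upper-case the label so {crypt}, {Crypt} and {CRYPT} compare equal.
    return m.group(1).upper(), stored[m.end():]


def bcrypt_hash_of(stored):
    """Return the bare bcrypt hash, or None if the entry is not bcrypt."""
    scheme, digest = split_scheme(stored)
    if scheme is not None and scheme not in BCRYPT_SCHEMES:
        return None
    # {CRYPT} can also label non-bcrypt crypt(3) hashes, so check the marker.
    return digest if digest.startswith(BCRYPT_MARKERS) else None


def naive_strip(stored, offset=7):
    """Fixed-offset slicing sized for '{CRYPT}', shown for comparison."""
    return stored[offset:]


# Constructed sample: has the shape of a bcrypt hash but is not a real one.
SAMPLE = '$2a$05$' + 'A' * 53

if __name__ == '__main__':
    entry = '{BLF-CRYPT}' + SAMPLE
    print('fixed offset 7 :', naive_strip(entry)[:12])
    print('parsed label   :', split_scheme(entry)[0])
    print('bcrypt hash ok :', bcrypt_hash_of(entry) == SAMPLE)
```
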

3

Re: iredadmin: trouble with password hash prefix

UPDATE: This patch works for me and has been committed:
https://bitbucket.org/zhb/iredadmin-ose … 066f02a1db

4

Re: iredadmin: trouble with password hash prefix

Zhang, you are the man!
Issue is fixed, thread can be closed.

Thx & cheers!