
I have a Rails app with the Devise authentication gem running user registration and login. I want to use the db table that Devise populates when a user registers as the table that Postfix uses to authenticate users.

The table has all the fields that Postfix may want for SASL authentication except that Devise encrypts the password using Blowfish before placing it in the database.

How could I go about getting Postfix/SASL to decrypt those passwords so that the user can be authenticated properly? Devise salts the password so I'm not sure if that helps.

Any suggestions? I'd likely want to do something similar with Dovecot or Courier, I'm not attached to one quite yet.

webo

2 Answers


postfix can be configured to use dovecot for SASL authentication, so you might be better off starting the other way around and figuring out if you can get Dovecot to process these hashes.

Keep in mind that hashes are designed not to be "decrypted". When someone wants to log in, the application takes the original salt, the password the user provides and recalculates the hash, if the hashes match, the password was "right".

Are these just raw hashes Devise stores in the database, or are they stored in Modular Crypt Format (starts with $x$...)? If they're in crypt format, Dovecot should be able to support them as long as you specify scheme=CRYPT. The only thing is that I don't see an MCF ID for SHA-1, only $5$ which is SHA-256 and $6$ which is -512 (both are SHA-2 family hashes).

Alternatively, if Devise uses a database-accessible function to create the password (like MySQL's PASSWORD() function) then you should be able to craft a custom database query for authentication using whichever mail server's database connector, which gives you the ability to do something like

SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = '%u' AND mysql_pass = password('%w')
DerfK
  • The hashes in the db start with $2a$10$ so I'm not sure what that is. Maybe I'm not entirely well read on encryption, but wouldn't I need the key or salt that the hash was encrypted with? (or is that included in the beginning of the hash?) And Devise doesn't use a database-accessible function to create the password, it uses its own encryptor. – webo Feb 24 '11 at 00:27
  • $2a$ is bcrypt, which is actually Blowfish-based rather than SHA-1, and dovecot should still be able to use them as long as it's aware the passwords are in crypt format. The "10" part is its "slowness": it repeats the cycle 2^10 times. Following that is the salt, following that is the result of the hash (the "string" version is base-64 encoded from the actual binary hash). – DerfK Feb 24 '11 at 01:39
  • I'm reading up on the scheme=CRYPT line you suggested. It says on the Dovecot site that only the first 8 characters of the password are used with the CRYPT scheme. Does that mean passwords longer than 8 characters shouldn't be used? – webo Feb 24 '11 at 04:35
  • 1
    No, it means that dovecot hasn't updated their documentation in the last decade or so :-P The original (non Modular) crypt only used the first 8 characters. – DerfK Feb 24 '11 at 15:37
  • @webo I've created a test account on my dovecot here using $1$ MD5 hashes and confirmed here that scheme=CRYPT will use more than 8 characters for the password when it's used with MD5 at least (used a fairly long password and confirmed if I take a character off the end it won't accept it. There may be an internal buffer size limit somewhere, but it's more than 20 characters), so it should work with $2a$ as long as your glibc version supports it (it was officially added to glibc in 2.10 but some distributions have patched it into earlier versions). – DerfK Feb 24 '11 at 18:32
  • Hmm, I'm getting password mismatch errors and I see this line in the log: `Feb 25 04:39:33 alpha dovecot: auth-worker(default): sql(sampleuser,123.456.789.123): CRYPT(samplepass) != '$2a$10$xxxxxxxxxxx` – webo Feb 25 '11 at 04:41
  • I then ran dovecotpw -l to list available password schemes and BLF-CRYPT didn't show up in the list: http://wiki2.dovecot.org/Tools/Doveadm/Pw – webo Feb 25 '11 at 04:50
  • I've done some more research and learned that Blowfish support isn't included in mainline glibc so I'll need to find a way to get devise to use SHA1 instead and have dovecot and postfix authenticate on it. – webo Feb 25 '11 at 14:08
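The answer above and its comments hinge on what a `$2a$10$...` value actually contains. As an added example (not code from the question, Devise or Dovecot), this Ruby snippet splits a Modular Crypt Format string into its fields so an administrator can see which scheme the mail server must support; the sample hash is constructed and the `rounds` arithmetic follows the `2^cost` description given in the comments.

```ruby
# Added example: parse a Modular Crypt Format (MCF) hash such as the
# "$2a$10$..." values Devise writes. Nothing is decrypted: a verifier
# recomputes the hash with the stored salt and compares the result.

BCRYPT_CHARS = %r{\A[./A-Za-z0-9]+\z}   # bcrypt's own base64 alphabet

# MCF id => [algorithm, Dovecot scheme name]; only the ids discussed above.
MCF_SCHEMES = {
  '1'  => ['MD5-crypt',         'CRYPT'],
  '2a' => ['bcrypt (Blowfish)', 'BLF-CRYPT'],
  '5'  => ['SHA-256-crypt',     'CRYPT'],
  '6'  => ['SHA-512-crypt',     'CRYPT'],
}.freeze

# Returns a Hash describing the stored value, or nil if it is not MCF
# in one of the schemes above (e.g. a raw hex digest or plaintext).
def parse_mcf(stored)
  fields = stored.split('$')            # "$2a$10$x" => ["", "2a", "10", "x"]
  return nil unless fields.size >= 3 && fields[0].empty?
  id = fields[1]
  algo, scheme = MCF_SCHEMES[id]
  return nil unless algo

  info = { id: id, algorithm: algo, dovecot_scheme: scheme }
  if id == '2a'
    # bcrypt: $2a$<cost>$<22-char salt><31-char digest>, no separator between them
    return nil unless fields.size == 4 && fields[2] =~ /\A\d{2}\z/
    body = fields[3]
    return nil unless body.size == 53 && body =~ BCRYPT_CHARS
    cost = fields[2].to_i
    info.merge!(cost: cost, rounds: 2**cost, salt: body[0, 22], digest: body[22, 31])
  else
    # MD5/SHA-crypt: $id$[rounds=N$]<salt>$<digest>
    fields.shift(2)                       # drop the leading "" and the id
    rounds = nil
    rounds = fields.shift.split('=').last.to_i if fields.first.to_s.start_with?('rounds=')
    return nil unless fields.size == 2 && fields.none?(&:empty?)
    info.merge!(rounds: rounds, salt: fields[0], digest: fields[1])
  end
  info
end

# Constructed sample in the shape Devise stores; not a real password hash.
SAMPLE = '$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'

p parse_mcf(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

A `nil` result for every row is a quick sign that the column holds something other than MCF and `scheme=CRYPT` will never match it.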

I'm not sure if this would work for you or not, but at RSA the other week there was a company there with Transparent Data Encryption for mySQL on Linux. I've never seen a good way to do this before, but these guys seem to have it.

They encrypt to disc as mySQL is writing and decrypt as the data is requested. No changes to the app or data structure at all. Company is Gazzang, site is www.gazzang.com.

Hope this helps.

user72116