Problems With Passwords...

Hi everyone, I am new to the forum… and I really didn’t know where to put this as it contains MySQL and PHP, and I am… but I assumed General would be okay.

I have basically had my head deep in PHP and SQL for the last several weeks as I am putting together a mail server as an off project of mine. I have configured postfix, amavis, clamav courier and squirrelmail to put on an apache server with Mysql and PHP (ofcourse).

Cutting to the chase here, I have put together a registration form, and all is going well… except for the password retrieval. You see, when I configured the database to begin with, there was no login script so I was manualy adding user’s (beta testers) email accounts in SQL. This is the code I put into SQL:

INSERT INTO users (local,remote,maildir,pass) VALUES ('localmail','remotemail','maildirectory/',encrypt('password') );

The very last snippet is what is making things difficult… the “encrypt(‘password’)” Because in my registration form the code is:
[php]if (!get_magic_quotes_gpc()) {
$_POST[‘pass’] = crypt($_POST[‘pass’]);
}
$register = “INSERT INTO users (local, remote, maildir, pass)
VALUES (’”.$_POST[‘username’]."@localhost’, ‘".$_POST[‘email’]."’, ‘".$_POST[‘username’]."/’, ‘".$_POST[‘pass’]."’)";[/php]

Here is what I get when I register and attempt to login with password “abcd1234”:

Aug 21 04:31:39 localhost authdaemond: supplied password 'abcd1234' does not match encrypted password '$6$rcAusKM7$45RN/pcz1d7TRAY4jKeGq3JSk2Xzf0ARLWFO.TGdgTQGJ.lmSSij7Xg7OMlNHlJbFRYYZ9.P0Mv4QZwBDp3ph.' Aug 21 04:31:39 localhost authdaemond: authmysql: REJECT - try next module

Even when I copy and paste that password and try to login, it repeats the exact same thing saying it doesn’t match.

Keep in mind, I used to manually add passwords to SQL by “encrypt(‘password’)” and was working fine.

What I thought was happening was the password was encrypted before it was even put into the database, therefore the password that was entered was not being retreived. So what I did was took the ‘crypt’ out of “crypt($_POST[‘pass’])” Re-registered and logged in with the same password, and here is what I got:

Aug 21 04:39:43 localhost authdaemond: supplied password 'abcd1234' does not match encrypted password 'abcd1234' Aug 21 04:39:43 localhost authdaemond: authmysql: REJECT - try next module Aug 21 04:39:43 localhost authdaemond: FAIL, all modules rejected

So my final conclusion… is that I need to apply the “encrypt(‘password’)” in my PHP script. But I am having trouble. I want to enter it here:
[php]$register = “INSERT INTO users (x, x, x, pass)
VALUES (x, x, x, '”.$_POST[‘pass’]."’)";
[/php]

I thought I would need to write is as (…’“x”’, “encrypt(’”.$_POST[‘crypt’]."’)")"; Ughh that looks horendous lol.

I’m getting nailed on that one. Afterall, that might not even solve the problem. I was just going to try encrypting inside php AS it was being added to the database. By the way, the “$_POST[‘pass’]” (if you haven’t already figured out) is the user’s password as submitted in the form.

Something to add, I have phpma and each account is being successfully added as well as the verification email being sent to the user’s mailbox upon registration. When I entered the unencrypted password as “abcd1234” it was sitting in the table just as that. All of my account I had made previously by manually inserting the information into SQL could log in fine, and their passwords were showing as encrypted… I just dont know what the problem is.

Anyway, nice to be here… any help or suggestions/further reading would be greatly appreciated!

-Nathan

you could use encrypt directly like:

[php]$register = “INSERT INTO users (local, remote, maildir, pass)
VALUES (’”.$_POST[‘username’]."@localhost’, ‘".$_POST[‘email’]."’, ‘".$_POST[‘username’]."/’, ‘".encrypt($_POST[‘pass’])."’)";[/php]

its not secure at all you need to sanitise the data before inserting it at the least use mysql_real_escape_string like:

[php]$register = “INSERT INTO users (local, remote, maildir, pass)
VALUES (’”.mysql_real_escape_string($_POST[‘username’])."@localhost’, ‘".mysql_real_escape_string($_POST[‘email’])."’, ‘".mysql_real_escape_string($_POST[‘username’])."/’, ‘".encrypt(mysql_real_escape_string($_POST[‘pass’])."’)";
[/php]

a cleaner way:

[php]$password = encrypt($_POST[‘password’]):
$username = mysql_real_escape_string($_POST[‘username’]);
$email = mysql_real_escape_string($_POST[‘email’]);
$encryptpass = mysql_real_escape_string($password);
$username = mysql_real_escape_string($_POST[‘username’]);

$register = “INSERT INTO users (local, remote, maildir, pass)
VALUES (’$username@localhost’, ‘$email’, ‘$username/’, ‘$encryptpass’)”;[/php]

Thanks so much for your time. Your alternatives were so insightful and I learned alot from applying a few of the techniques into my script. However, not much is changing as far as the login.

I am still getting these errors (say my password was la)

Aug 21 09:16:38 starcommand authdaemond: supplied password 'la' does not match encrypted password 'c9089f3c9adaf0186f6ffb1ee8d6501c'

I have noticed something that is interesting… even if I take out the encryption in the script, the authdaemon will still reply “match encrypted password” … therefore that tells me it is possibility that there is a code conflict… is it possible to have conflicting encryption methods?

I have alread on “addslashes” I have implemented them into my script as

 	if (!get_magic_quotes_gpc()) {
 		$_POST['pass'] = addslashes($_POST['pass']);
 		$_POST['username'] = addslashes($_POST['username']);
		$_POST['email'] = addslashes($_POST['email']);

I just wonder if it is canceled out once the password is encrypted and entered into the form. Also, I thought by adding “$_POST[‘pass’] = md5($_POST[‘pass’]);” above the get_magic_quotes_gpc statement would possibly do some good, but no luck… which further makes me suspect there is a code somewhere else conflicting with this one (there are alot)

One of which that I have noticed is my smtp configuration in pam.d (I don’t know if you are familiar.) But basically it states:

auth required pam_mysql.so user=mail passwd=-x-x-x- host=127.0.0.1 db=maildb table=users usercolumn=username passwdcolumn=pass crypt=1

I just wonder if something like this could be affecting it. I have turned crypt to 0… then took it out completely. I have spent all night trying to figure this one out and have gotten pretty much no where… but learned alot!

-Nathan

md5 encrypt abc123 at the top of the page and copy it to the clipboard and update your database with that encrypted password
[php]
echo md5(“abc123”);
[/php]
NOTE: make sure you change all your field names along the database name as well
now run a query like this
[php]
$password= md5(“abc123”);
mysql_query(“SELECT * FROM table_name WHERE username=’$username’ AND password=’$password’”) or die(mysql_error());
[/php]

then you can say
[php]
if (mysql_num_rows($result ) > 1)
{
…succeed logged in

}else{
echo “wrong username or password”;
}
[/php]

a quick not on using MD5 for passwords its considered bad practice now as there so easy to crack, best to use bcrypt its a much more secure method.

Thanks for your replies, I would like to add that even when I copied that encrypted password into the login it still didn’t work. I just remembered that the default value of the “pass” field in my sql datbase is

`crypt` varchar(128) NOT NULL DEFAULT 'sdtrusfX0Jj66'

Let me give you a scenario.

If I add a user directly to my SQL database with this information:

INSERT INTO users (local,remote,maildir,pass)
VALUES ('officecouch@localhost','[email protected]','officecouch/',encrypt('test') );

And then login to the mail server, this is what I get for my log:

Aug 21 20:36:07 starcommand authdaemond: received auth request, service=imap, authtype=login
Aug 21 20:36:07 starcommand authdaemond: authmysql: trying this module
Aug 21 20:36:07 starcommand authdaemond: SQL query: SELECT username, pass, "", uid, gid, home, concat(home,'/',maildir), "", name, "" FROM users WHERE username = 'officecouch@localhost'  AND (enabled=1)
Aug 21 20:36:07 starcommand authdaemond: password matches successfully
Aug 21 20:36:07 starcommand authdaemond: authmysql: sysusername=<null>, sysuserid=5000, sysgroupid=5000, homedir=/var/spool/mail/virtual, local=officecouch@localhost, [email protected], maildir=/var/spool/mail/virtual/officecouch/, quota=<null>, options=<null>
Aug 21 20:36:07 starcommand authdaemond: Authenticated: clearpasswd=test, passwd=wlsWGTLBmpWBU

Okay, now say I delete that user, and then try to register them using my bugged registration code, I get this:

Aug 21 20:26:45 starcommand authdaemond: received auth request, service=imap, authtype=login
Aug 21 20:26:45 starcommand authdaemond: authmysql: trying this module
Aug 21 20:26:45 starcommand authdaemond: authmysqllib: connected. Versions: header 50517, client 50524, server 50524
Aug 21 20:26:45 starcommand authdaemond: SQL query: SELECT username, pass, "", uid, gid, home, concat(home,'/',maildir), "", name, "" FROM users WHERE username = 'officecouch@localhost'  AND (enabled=1)
Aug 21 20:26:46 starcommand authdaemond: supplied password 'test' does not match encrypted password '$6$Xu/KMDG4$er.ecu.2as7VWxBIJwoTuSneb1s5mXFgp7u9vWEUKnBXPd09gT2rwfcYbYSqEgWAzjzzoxL7X7Qay8NnqdFAI0'
Aug 21 20:26:46 starcommand authdaemond: authmysql: REJECT - try next module
Aug 21 20:26:46 starcommand authdaemond: FAIL, all modules rejected

So I have notived the differences. The successful login is comparing a “clear passwd” and “passwd” whereas the bugged regstration is comparing the submitted password only to the encrypted password. Ugh, this is getting confusing.

Sometimes one can feel so stupid! It just occured to me after reading and re-reading again mail.log, mysql.log and auth.log what was actually happening.

When I first created the database, I had no idea how to set up a registration form, yet I still wanted to feel as the mail system was somewhat secure. (Yeah, really secure having to enter in user’s passwords for them! :P) So I created the default value of the encrypted password table to be what was displayed via “SHOW CREATE TABLE maildb.users”:

...
`crypt` varchar(128) NOT NULL DEFAULT 'sdtrusfX0Jj66'
...

Because I am now allowing users to register, there does not need to be a default encrypted value as PHP can encrypt the password and implement it into the database via the registration form. (Keep in mind, this is nothing that actual users are going to register for; this is just an off project of mine.)

All is working well now. I have it up and running and going smoothly. Thanks for your two replies none-the-less. It has given me alternative methods to study up on.

Appreciate it!

-Nathan

consider using this function for strong password hash
[php]

<?php function pwhash($password,$iterations=13) { $hash =md5($password); for ($i = 0; $i < $iterations; ++$i) { $hash = md5($hash . $password); } return $hash; } echo pwhash("password")."
"; ?>

[/php]