Password hash

eximweenie

Hi folks: I'm in the process of migrating from Kerio 6 on Win2k to a custom mail platform (250 users). I've got users.cfg and have written a small script to populate the new user database, but am unsure what to do with the DES password hashes. They don't appear to be in native LM or NTLM format, which John would take care of nicely.

Is there any information available on the format of these hashes? Or better yet, is there a simpler way to decrypt or recover user passwords? Has anyone had any experience migrating from Kerio to a unix/mysql or unix/ldap platform?

Thanks for any assistance.

-travis

dejf

I ran into this too.
Seems like classic distributor lock-in that should keep you from migrating to any other solution. There are two types of software: one that is paid and a pain to change, and the other one that is free and sometimes a pain to install or use; Kerio is from the first category. So, again, I see no reason to use any closed software for anything, as it is principally designed to lock me in, but I see many reasons against that. Now I just have to solve that password problem anyway and will report any success; hopefully Kerio will not delete that just for its own sake.

Pavel Dobry (Kerio)

dejf wrote on Wed, 12 August 2009 23:00
I ran into this too.
Seems like classic distributor lock-in that should keep you from migrating to any other solution. There are two types of software: one that is paid and a pain to change, and the other one that is free and sometimes a pain to install or use; Kerio is from the first category. So, again, I see no reason to use any closed software for anything, as it is principally designed to lock me in, but I see many reasons against that. Now I just have to solve that password problem anyway and will report any success; hopefully Kerio will not delete that just for its own sake.


This is not such a case. Storing passwords in a highly secure (and often irreversible) format is required. Otherwise, it could be reported as a weakness of the product.

dejf

Well, there are some commonly used formats for password storage that do not compromise themselves by being easily reversible. Why does every piece of closed software come with its own great-new-hyper format that may not be as secure, but is vendor-specific and works as security-through-obscurity in the first place?

Pavel Dobry (Kerio)

Please, write here at least two of them.
It is not security-by-obscurity. The passwords are encrypted with known algorithms. But either the key is unknown (non-public) or there is no key at all if the format is irreversible (like SHA-1).

elias

dejf wrote on Wed, 12 August 2009 14:34
Well, there are some commonly used formats for password storage that do not compromise themselves by being easily reversible.

LOL. That makes no sense at all.

I'm betting Kerio is using a 1-way hash. Even if you knew the exact algorithm, how would that help you? Those passwords aren't meant to be decrypted, and KMS doesn't decrypt them itself either.

This is neither a KMS issue nor is it security by obscurity.

-Elias

dejf

crypt? MD5? SHA1? You may move the hash from /etc/shadow to mysql or LDAP and it will work everywhere...
There is no description of the algorithms used, so it may not be safe; there is no easy proof. If the algorithms were available, I'd incorporate them into the new solution and be happy with the existing hashes. The fact that you use SHA or DES seems not enough, as I found no tools that would be able to verify the password, neither in the Windows world nor in the Unix one.

dejf

I do not need to decrypt them. I need to use them!

eximweenie

Wow this is some pretty serious thread necromancy right here.

dejf

eximweenie wrote on Thu, 13 August 2009 00:00
Wow this is some pretty serious thread necromancy right here.


You had this problem years ago, I have it now. How did you solve that in the end?

eximweenie

I made everyone change their passwords on the new system.

dejf

eximweenie wrote on Thu, 13 August 2009 00:15
I made everyone change their passwords on the new system.


Thanks, that is not what I wanted to read :(

marcobat

One typical way to port passwords from one system to another is to set up some way to authenticate against the old system.
A user submits his/her password to the new system; the new system tries using it to authenticate against the old system, and if it can log in, then the new system can encrypt and store this password in the way it likes.
You could set up an interim login page to do that.
I have not done anything like this with Kerio, but I don't see why it should not work.

dejf

marcobat wrote on Thu, 13 August 2009 00:40
One typical way to port passwords from a system to another is to setup some way to authenticate against the old system.


That should be possible using Kerio's LDAP; I have that as a last choice, which would require some work now. Thanks for a sane answer; those seem rare here in these times.
EDIT: Nope, Kerio's LDAP is here only as a directory of contacts. How useful...

[Updated on: Thu, 13 August 2009 01:13]


dejf

Well, based on http://www.mail-archive.com/courier-users@lists.sourceforge.net/msg25011.html I made a script that asks Kerio on behalf of the Courier authdaemon: it is able to authenticate against it and saves the valid records to fill the MySQL database. Yes, most vendor lock-ins are solvable somehow; this one seems to be rather silly, but it should work for us.
All @ signs get changed on this forum...

#!/bin/sh
# Courier authdaemon "authpipe" module. It verifies the submitted credentials
# by logging in to the old Kerio server with fetchmail, answers authdaemond on
# stdout, and records each accepted username/password pair for the later
# migration script.

server=the_original_kerio      # hostname of the original Kerio server

fail()          { echo "FAIL"; }

auth()
{
        # Read the AUTH data from stdin: service, authtype, username, password.
        # -r keeps backslashes in the password intact.
        read -r service junk
        read -r authtype junk; [ "$authtype" = "login" ] || { fail; return; }
        read -r username junk
        read -r password

        # Authenticate the user/password combination: feed fetchmail a one-off
        # rcfile on stdin (-f -) and only count messages (-c). A successful
        # login prints "... for $username at $server"; an authorization
        # failure does not. User and password are quoted so that spaces in a
        # password do not break the rcfile.
        printf 'poll %s\nuser "%s"\npassword "%s"\nis "%s" here\n' \
                "$server" "$username" "$password" "$username" \
                | fetchmail -c -f - 2>&1 | grep "for $username at $server" > /dev/null 2>&1 \
                || { fail; return; }

        # Tell authdaemond where the account lives; the maildir is laid out as
        # domain/localpart/ under the shared virtual home. "." ends the reply.
        printf '%s\n' "UID=1001" "GID=1001" "HOME=/home/virtual" \
                "ADDRESS=$username" "MAILDIR=${username#*@}/${username%@*}/" "."

        # Save the verified pair (in cleartext) for the MySQL migration script.
        echo "$username - $password" >> /home/virtual/data/passwords
}

# Set the other actions to fail so that authdaemond will fall through and
# try the next module on the authmodulelist.
#
pre()           { fail; }
passwd()        { fail; }
enumerate()     { echo "."; }

# Read the first line of standard input to figure out which action should
# be taken. Debug output goes to stderr: stdout is the protocol channel.
#
read -r stdin
echo "Read: $stdin" >&2
case $stdin in
"AUTH "*)       auth ;;
"PRE . "*)      pre ;;
"PASSWD "*)     passwd ;;
"ENUMERATE")    enumerate ;;
*)              fail ;;
esac
exit 0


I will add the migration script too when it gets finalized...

[Updated on: Thu, 13 August 2009 09:13] by Moderator
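The interim-login approach marcobat describes above, together with the capture half that dejf's authpipe script implements, as an added example that is not code from the thread, from Kerio or from Courier. It is written in Python rather than the shell of the script above and covers the step the script leaves for the later migration: instead of appending the cleartext pair to a file, it hashes the password at the moment the old system accepts it and stores only the hash, and it refuses to consult the old system again once a user has a hash on the new side. Assumptions: the legacy check is a callable (a dict-backed stand-in here; `kerio_imap_auth` shows how an IMAP LOGIN against the old host could be wired in, which the thread does not confirm Kerio exposes that way), the `new_db` dict stands in for the MySQL or LDAP user table, and the PBKDF2 parameters are chosen here, not taken from any product.

```python
"""Migrate-on-login for a Kerio -> Unix mail platform move (added example)."""
import base64
import hashlib
import hmac
import imaplib
import os

# Assumed parameters: PBKDF2-HMAC-SHA256 with a per-user random salt.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing 'pbkdf2_sha256$<iters>$<salt>$<dk>' string."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    iterations = int(parts[1])
    salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def kerio_imap_auth(host, port=143):
    """Build a legacy-auth callable that attempts an IMAP LOGIN on the old host.

    Assumption: the old Kerio server still answers IMAP during the transition.
    A server that is down counts as a failed login, never as a success.
    """
    def check(username, password):
        try:
            conn = imaplib.IMAP4(host, port)
            try:
                conn.login(username, password)
                return True
            finally:
                conn.logout()
        except (imaplib.IMAP4.error, OSError):
            return False
    return check


class InterimLogin:
    """Login handler for the transition period.

    new_db stands in for the MySQL/LDAP user table: username -> stored hash.
    legacy_auth(username, password) -> bool checks the old system.
    """

    def __init__(self, legacy_auth, new_db=None):
        self.legacy_auth = legacy_auth
        self.new_db = {} if new_db is None else new_db

    def login(self, username, password):
        """Return 'local', 'migrated' or 'denied'. The cleartext is never stored."""
        username = username.strip().lower()
        stored = self.new_db.get(username)
        if stored is not None:
            # Already migrated: the new hash is authoritative. No legacy fallback,
            # or a password changed on the new system could be undone via the old one.
            return "local" if verify_password(password, stored) else "denied"
        # Not migrated yet: only a login the old system accepts may create the
        # new record, so nobody can seed an account with a password of their choice.
        if not self.legacy_auth(username, password):
            return "denied"
        self.new_db[username] = hash_password(password)
        return "migrated"


# Constructed stand-in for the Kerio server, used only for this offline demo.
_LEGACY_USERS = {"travis@example.com": "correct horse", "dejf@example.com": "s3cret"}


def fake_kerio_auth(username, password):
    return _LEGACY_USERS.get(username) == password


def demo():
    """Walk the handler through the cases a migration login page must get right."""
    handler = InterimLogin(fake_kerio_auth)
    results = [
        handler.login("travis@example.com", "wrong"),          # denied, nothing stored
        handler.login("Travis@example.com", "correct horse"),  # migrated (name normalised)
        handler.login("travis@example.com", "correct horse"),  # local, hash verified
    ]
    # The user now changes the password on the new system ...
    handler.new_db["travis@example.com"] = hash_password("new pass")
    results.append(handler.login("travis@example.com", "correct horse"))  # denied: no fallback
    results.append(handler.login("travis@example.com", "new pass"))       # local
    return results, dict(handler.new_db)


if __name__ == "__main__":
    res, db = demo()
    print(res)
    print(db)
```

Run it directly to see the five outcomes and the single stored hash; the only persistent artifact is the `pbkdf2_sha256$...` string, which any Unix platform with PBKDF2 can verify, so the cleartext file the shell script keeps is not needed.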
