config.pck password encryption inconsistencies
Hello;
I currently run Mailman 2.1.5 on one server, and have web archives using MHonArc running on a different webserver. I have shell access to both. These archives are private, for list subscribers only.
I am trying to implement .htaccess authentication using the instructions here: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.007.htp I have this script working although it required minor modifications to run under 2.1.5. This is a Fedora Core 2 install from source.
The modified script creates the .htpasswd database on the mailmain server and scp's it to the webserver over a private net.
Here's the issue I can't solve. It is clear that SOME user passwords in the lists' config.pck file are encrypted, and some aren't. This is within the SAME config.pck, I'm only running one list. When using 'dumpdb' to investigate the users' email/passwords, some of the passwords are definitely clear text. However, others (including all of my own, for various test subscriptions) are encrypted.
The problem is that when I then use htpasswd to create the .htpasswd file, the encrypted passwords are re-encrypted again for use by apache. Therefore the only acceptable password for logging into the archives is the encrypted form. Here's an example using fake text:
User passwd    Config.pck entry    .htpasswd    Accepted by Apache
tree           Uasdf!d             ljkjkld      Uasdf!d
When the user's password is in UN-encrypted form in config.pck, everything works great, eg:
User passwd    Config.pck entry    .htpasswd    Accepted by Apache
rock           rock                Oad;int      rock
Using htpasswd's -p switch to add the passwords in clear text doesn't work either. Same problem, in that now the Apache password is the same as in the config.pck, which may or may not be encrypted.
I hope this makes sense. Any suggestions for dealing with this? Obviously users can't be expected to know what the encrypted version of their password is or might be... Is this the expected behavior (some passwords clear, others encrypted?). Is this documented anywhere?
dave
Quoting Dave Dewey (ddewey@cyberthugs.com):
Here's the issue I can't solve. It is clear that SOME user passwords in the lists' config.pck file are encrypted, and some aren't. This is within the SAME config.pck, I'm only running one list. When using 'dumpdb' to investigate the the users email/passwords, some of the passwords are definitely clear text. However, others (including all of my own, for various test subscriptions) are encrypted.
More info: it appears that only passwords that were chosen at time of subscription are encrypted. If a user then goes in and changes the password, it is stored unencrypted in config.pck.
dave
Dave Dewey wrote:
Quoting Dave Dewey (ddewey@cyberthugs.com):
Here's the issue I can't solve. It is clear that SOME user passwords in the lists' config.pck file are encrypted, and some aren't. This is within the SAME config.pck, I'm only running one list. When using 'dumpdb' to investigate the the users email/passwords, some of the passwords are definitely clear text. However, others (including all of my own, for various test subscriptions) are encrypted.
More info: it appears that only passwords that were chosen at time of subscription are encrypted. If a user then goes in and changes the password, it is stored unencrypted in config.pck.
Are you sure they are encrypted and not just encoded (e.g. unicode)?
What do you see in monthly password reminders?
I looked through the code somewhat, particularly the code that produces password reminders, and I can't see anywhere where there is any encryption/decryption of passwords going on.
--
Mark Sapiro <msapiro@value.net>        The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan
On Wed, 2004-12-08 at 20:58, Mark Sapiro wrote:
I looked through the code somewhat, particularly the code that produces password reminders, and I can't see anywhere where there is any encryption/decryption of passwords going on.
Correct. Mailman does not encrypt or hash member passwords, and they are stored in the clear in the config.pck file (this is actually not good, but it's the way it is). Owner and moderator passwords are generally hashed, typically these days with sha1. I have no idea where your passwords are getting changed.
-Barry
Quoting Barry Warsaw (barry@python.org):
Correct. Mailman does not encrypt or hash member passwords, and they are stored in the clear in the config.pck file (this is actually not good, but it's the way it is). Owner and moderator passwords are generally hashed, typically these days with sha1. I have no idea where your passwords are getting changed.
Gotcha. I believe that's where I was drawing my erroneous conclusions from. I only have information about my own passwords, and they are clearly encrypted since I know what the values are. My own accounts are ALSO all either owners or moderators, so that explains it perfectly. The rest of the users' passwords were either values I could recognize and therefore were cleartext passwords, or random strings, and it's impossible to tell whether those are encrypted or just random by simply looking at them. I now assume they are random.
Thanks for the information! I did see the references to the sha1 encryption in the code, further drawing me down the wrong path. Case closed...
dave
On Thu, 2004-12-09 at 09:43, Dave Dewey wrote:
Gotcha. I believe that's where I was drawing my erroneous conclusions from. I only have information about my own passwords, and they are clearly encrypted since I know what the values are. My own accounts are ALSO all either owners or moderators, so that explains it perfectly.
Just for clarification (because my explanation was perhaps imprecise): Moderator and owner passwords are kept in separate keys in the config.pck dictionary, so even if you are both a member and an owner of a list, your member password will be cleartext but the (shared) owner password will be hashed (same goes for the moderator password).
-Barry
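As an added illustration of the procedure Dave describes (building an Apache .htpasswd from a list's config.pck) and of the key layout Barry explains (cleartext member passwords under 'passwords', hashed owner/moderator passwords under separate keys), here is example code that is not from the thread, the FAQ script or Mailman itself. It assumes that dictionary layout, hashes each member password exactly once for Apache, and constructs its sample config.pck inline.

```python
import base64
import hashlib
import hmac
import pickle

# Constructed sample of the relevant keys in a Mailman 2.1 config.pck
# (assumed layout, not copied from a real list). Member passwords live
# in 'passwords' in the clear; the list owner and moderator passwords are
# separate keys holding hex sha1 digests.
SAMPLE_LIST = {
    "real_name": "Example",
    "passwords": {"alice@example.org": "rock", "bob@example.org": "tree"},
    "password": hashlib.sha1(b"owner-secret").hexdigest(),
    "mod_password": hashlib.sha1(b"mod-secret").hexdigest(),
}
SAMPLE_PCK = pickle.dumps(SAMPLE_LIST, protocol=2)


def load_config_pck(data: bytes) -> dict:
    # Mailman 2.1 pickles were written by Python 2; latin1 maps its byte
    # strings onto str without failing on non-ASCII passwords.
    return pickle.loads(data, encoding="latin1")


def member_passwords(cfg: dict) -> dict:
    """Per-member cleartext passwords only. The owner/moderator hashes under
    'password' / 'mod_password' are deliberately skipped: they are not
    member credentials and would otherwise be hashed a second time."""
    return {addr: pw for addr, pw in cfg.get("passwords", {}).items() if pw}


def htpasswd_entry(user: str, password: str) -> str:
    # Apache's {SHA} scheme: base64 of the raw sha1 digest. Used here only
    # because it needs no third-party module; prefer bcrypt (htpasswd -B).
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def build_htpasswd(pck: bytes) -> str:
    cfg = load_config_pck(pck)
    members = sorted(member_passwords(cfg).items())
    return "\n".join(htpasswd_entry(u, p) for u, p in members) + "\n"


def verify(htpasswd: str, user: str, candidate: str) -> bool:
    """Mimic Apache's check: the member's original password must pass and
    the stored hash itself must not (the double-hashing symptom above)."""
    for line in htpasswd.splitlines():
        u, _, stored = line.partition(":")
        if u == user:
            expected = htpasswd_entry(user, candidate).partition(":")[2]
            return hmac.compare_digest(stored, expected)
    return False
```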