Create a dovecot SHA1 digest using bash or python or some other linux command-line tool

Question

Our dovecot and email server authenticate users using SHA1 digests. We can't really change the current digest because we have so many users and don't want to have to have them re-create all their passwords.

We would like an easier way to create a digest to put into the database for our users (and eventually create a web interface so they can change it themselves).

Currently, we create the digest using the linux command:

dovecotpw -s SHA1

We want to switch because dovecotpw is not scriptable (at least not without using expect or something similar). However, everything I've tried (sha1sum, mysql's sha1, python's hashlib.sha1) all produce something very different from the dovecotpw command.

Below is the output from various commands for the word: password

dovecotpw -> W6ph5Mm5Pz8GgiULbPgzG37mj9g=
sha1sum -> 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
python hashlib.sha1() -> 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
mysql sha1() -> 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

So it looks like dovecot is the one doing things differently. Unfortunately, that is the one I need it to create.

Any idea's how I can get the dovecot sha1 from a scriptable command?

Thanks.

Answer 1

You need to base64 encode the binary digest to get it into their format.

>>> import hashlib
>>> import base64

>>> p = hashlib.sha1('password')
>>> base64.b64encode(p.digest())
'W6ph5Mm5Pz8GgiULbPgzG37mj9g='

EDIT: By the way if you'd prefer to do this from a terminal/bash script, you can do

$ echo -n 'password' | openssl sha1 -binary | base64     
W6ph5Mm5Pz8GgiULbPgzG37mj9g=

Also, you can tell dovecotpw didn't give a hexdigest of the hash anymore because it has more the chars aren't all hexidecimal [0-9a-f]. The use of characters [A-Za-z0-9+/] with the = ending suggests it was base64 conversion of the hash.

Answer 2

The output of dovecotpw is base64 encoded.