Quick, dirty, simple PHP that uses `doveadm auth` to validate a user's plaintext password against the stored hash without exposing the password on the shell command line (it is written to the process's stdin instead). Note: this assumes that you already have Dovecot's auth backend set up and working. Also, there does not appear to be a simple way to feed in a pre-computed hash; it will only use the hash associated with the user in the backend.

DoveadmAuth.php

```php
<?php
class DoveadmAuth {
    /**
     * Runs `doveadm auth <user>` and feeds the password on stdin.
     * Returns array(exit code, stdout, stderr).
     */
    public static function auth($username, $password) {
        // escapeshellarg() stops shell injection, but a value starting with
        // '-' would still be parsed by doveadm as an option, so reject it.
        if ($username === '' || $username[0] === '-') {
            throw new InvalidArgumentException('invalid username');
        }
        $descriptors = array(
            0 => array('pipe', 'r'), // child's stdin: we write the password here
            1 => array('pipe', 'w'), // child's stdout
            2 => array('pipe', 'w'), // child's stderr
        );
        $cwd = sys_get_temp_dir();
        $proc = proc_open(
            'doveadm auth ' . escapeshellarg($username),
            $descriptors, $pipes, $cwd
        );
        if ( ! is_resource($proc) ) {
            throw new Exception('failed to create auth process');
        }
        // The password travels over the pipe, never on the command line.
        fwrite($pipes[0], $password);
        fclose($pipes[0]);
        $stdout = stream_get_contents($pipes[1]);
        $stderr = stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        $rval = proc_close($proc);
        return array($rval, $stdout, $stderr);
    }
} // -- end class DoveadmAuth

/* Example Call
print_r(DoveadmAuth::auth('user@domain.com', 'P@ssw0rd'));
*/

/* Example output:
// Successful Auth
Array
(
    [0] => 0
    [1] => passdb: user@domain.com auth succeeded
extra fields:
  user=user@domain.com
    [2] =>
)
// Unsuccessful Auth due to bad password
Array
(
    [0] => 1
    [1] => passdb: user@domain.com auth failed
extra fields:
  user=user@domain.com
    [2] =>
)
// Unsuccessful Auth due to an error [spurious flag introduced]
Array
(
    [0] => 1
    [1] => doveadm auth [-a <auth socket path>] [-x <auth info>] <user> [<password>]
    [2] => auth: invalid option -- 'u'
)
*/
```
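Both the bad-password case and the usage-error case in the example output return exit code 1, so a caller has to inspect stdout to tell a rejected login from a broken auth call. The following is an added example, not part of the original gist, that maps the returned array to `ok`, `denied` or `error` and fails closed; the function name `classifyDoveadmResult`, the result labels and the sample arrays (constructed from the example output above) are assumptions.

```php
<?php
// Added example (not from the gist): classify the array returned by
// DoveadmAuth::auth(). Anything that is not an unambiguous success or an
// unambiguous rejection is reported as 'error', so callers fail closed.
function classifyDoveadmResult(array $result, string $username): string {
    list($exitCode, $stdout, $stderr) = $result;

    // The first stdout line is expected to read
    // "passdb: <user> auth succeeded" or "passdb: <user> auth failed".
    $firstLine = strtok((string) $stdout, "\r\n");
    $prefix = 'passdb: ' . $username . ' auth ';
    if ($firstLine === false
        || strncmp($firstLine, $prefix, strlen($prefix)) !== 0) {
        return 'error'; // usage text, empty output, or a different user
    }

    $verdict = substr($firstLine, strlen($prefix));
    // Exit code and verdict text must agree before either is trusted.
    if ($exitCode === 0 && $verdict === 'succeeded') {
        return 'ok';
    }
    if ($exitCode !== 0 && $verdict === 'failed') {
        return 'denied';
    }
    return 'error';
}

// Constructed sample results, modelled on the gist's example output.
$fields = "extra fields:\n  user=user@domain.com\n";
$samples = array(
    'good password' => array(0, "passdb: user@domain.com auth succeeded\n" . $fields, ''),
    'bad password'  => array(1, "passdb: user@domain.com auth failed\n" . $fields, ''),
    'usage error'   => array(
        1,
        "doveadm auth [-a <auth socket path>] [-x <auth info>] <user> [<password>]\n",
        "auth: invalid option -- 'u'\n",
    ),
    // Exit code 0 but the line names another account: do not trust it.
    'other user'    => array(0, "passdb: other@domain.com auth succeeded\n", ''),
);

foreach ($samples as $label => $result) {
    printf("%-14s => %s\n", $label,
        classifyDoveadmResult($result, 'user@domain.com'));
}
```

Treat `error` as a failed login in the application, and log it separately from `denied` so that a misconfigured auth socket is not mistaken for a run of bad passwords.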