Created
November 28, 2013 00:47
Quick, dirty, simple PHP that uses `doveadm auth` to validate a user's plaintext password against the stored hash without exposing the password on a shell command line (it is written to the process's stdin instead). Note: This assumes that you already have dovecot's auth backend set up and working. Also, there does not appear to be a simple way to feed in a pre-computed hash; it will only use th…
<?php
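/**
 * Thin wrapper around the `doveadm auth` command line tool.
 *
 * The password is written to the child's stdin rather than placed on the
 * command line, so it is never part of the command string handed to the shell.
 */
class DoveadmAuth {
    /**
     * Check a username / plaintext password pair with `doveadm auth`.
     *
     * Callers must treat only an exit status that is identical to 0 as a
     * successful authentication. A rejected password and a usage error both
     * come back as a non-zero status, and proc_close() itself returns -1 on
     * failure, so a loose truthiness check on the result is not sufficient.
     *
     * @param string $username Login name; passed as one shell-escaped argument.
     * @param string $password Plaintext password; sent over stdin only.
     *
     * @return array array(exit status, stdout text, stderr text)
     *
     * @throws InvalidArgumentException if $username is not a non-empty string
     *                                  or begins with '-'.
     * @throws Exception                if the doveadm process cannot be started.
     */
    public static function auth($username, $password) {
        // escapeshellarg() neutralises shell metacharacters but not option
        // injection: a name starting with '-' would still reach doveadm as a
        // flag (its usage text lists -a and -x) rather than as the user to
        // check, so such names are refused before any process is spawned.
        if ( ! is_string($username) || $username === '' || $username[0] === '-' ) {
            throw new InvalidArgumentException('invalid username');
        }

        $descriptors = array(
            0 => array('pipe', 'r'), // child's stdin: receives the password
            1 => array('pipe', 'w'), // child's stdout
            2 => array('pipe', 'w'), // child's stderr
        );
        $cwd = sys_get_temp_dir();

        // NOTE(review): 'doveadm' is resolved through the PATH of the PHP
        // process; an absolute path would remove that dependency.
        $proc = proc_open(
            'doveadm auth ' . escapeshellarg($username),
            $descriptors, $pipes, $cwd
        );
        if( ! is_resource($proc) ) { throw new Exception('failed to create auth process'); }

        // The write result is deliberately not turned into an exception: if
        // doveadm exits early (e.g. a usage error) the caller still gets the
        // exit status and stderr text back.
        fwrite($pipes[0], $password);
        fclose($pipes[0]); // close stdin so the child sees end of input

        // stdout is drained to EOF before stderr; this relies on the child's
        // stderr output being short.
        $stdout = stream_get_contents($pipes[1]);
        $stderr = stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);

        $rval = proc_close($proc);
        return array($rval, $stdout, $stderr);
    }
} // -- end class DoveadmAuth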
/* Example Call
print_r(DoveadmAuth::auth('user@domain.com', 'P@ssw0rd'));
*/
/* Example output:
// Successful Auth
Array
(
[0] => 0
[1] => passdb: user@domain.com auth succeeded
extra fields:
user=user@domain.com
[2] =>
)
// Unsuccessful Auth due to bad password
Array
(
[0] => 1
[1] => passdb: user@domain.com auth failed
extra fields:
user=user@domain.com
[2] =>
)
// Unsuccessful Auth due to an error [spurious flag introduced]
Array
(
[0] => 1
[1] => doveadm auth [-a <auth socket path>] [-x <auth info>] <user> [<password>]
[2] => auth: invalid option -- 'u'
)
*/