NAME
doveadm-pw - Dovecot's password hash generator
SYNOPSIS
doveadm [-Dv] pw -l
doveadm [-Dv] pw [-p password] [-r rounds] [-s scheme] [-u user] [-V]
doveadm [-Dv] pw -t hash [-p password] [-u user]
DESCRIPTION
doveadm pw is used to generate password hashes for different password schemes and optionally verify the generated hash.
All generated password hashes have a {scheme} prefix, for example {SHA512-CRYPT.HEX}. All passdbs have a default scheme for passwords stored without the {scheme} prefix. The default scheme can be overridden by storing the password with the scheme prefix.
OPTIONS
Global doveadm(1) options:
-D
Enables verbosity and debug messages.
-o setting=value
Overrides the configuration setting from /etc/dovecot/dovecot.conf and from the userdb with the given value. In order to override multiple settings, the -o option may be specified multiple times.
-v
Enables verbosity, including progress counter.
Command specific options:
-l
List all supported password schemes and exit successfully.
There are up to three optional password schemes: BLF-CRYPT (Blowfish crypt), SHA256-CRYPT and SHA512-CRYPT. Their availability depends on the system's currently used libc.
-p password
The plain text password for which the hash should be generated. If no password is given, doveadm(1) will prompt interactively for one.
-r rounds
The password schemes BLF-CRYPT, SHA256-CRYPT and SHA512-CRYPT support a variable number of encryption rounds. The following table shows the minimum/maximum number of encryption rounds per scheme. When the -r option is omitted, the default number of encryption rounds will be applied.
Scheme | Minimum | Maximum | Default
----------------------------------------------
BLF-CRYPT | 4 | 31 | 5
SHA256-CRYPT | 1000 | 999999999 | 5000
SHA512-CRYPT | 1000 | 999999999 | 5000
-s scheme
The password scheme which should be used to generate the hashed password. By default the CRYPT scheme will be used (with the $2y$ bcrypt format). It is also possible to append an encoding suffix to the scheme. Supported encoding suffixes are: .b64, .base64 and .hex.
See also http://wiki2.dovecot.org/Authentication/PasswordSchemes for more details about password schemes.
-t hash
Test if the given password hash matches a given plain text password. You should enclose the password hash in single quotes if it contains one or more dollar signs ($). The plain text password may be passed using the -p option. When no password is specified, doveadm(1) will prompt interactively for one.
-u user
When the DIGEST-MD5 scheme is used, the user name must also be given, because the user name is a part of the generated hash. For more information about Digest-MD5, see: http://wiki2.dovecot.org/Authentication/Mechanisms/DigestMD5
-V
When this option is given, the hashed password will be internally verified. The result of the verification will be shown after the hashed password, enclosed in parentheses.
EXAMPLE
The first password hash is a DIGEST-MD5 hash for jane.roe@example.com. The second password hash is a CRAM-MD5 hash for john.doe@example.com.
doveadm pw -s digest-md5 -u jane.roe@example.com
Enter new password:
Retype new password:
{DIGEST-MD5}9b9dcb4466233a9307bbc33708dffda0
doveadm pw
Enter new password:
Retype new password:
{CRAM-MD5}913331d8782236a8ecba7764a63aa27b26437fd40ca878d887f11d81245c2c6b
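An added example, not part of the Dovecot manual or Dovecot's own code: a Python helper for auditing stored passdb values. It splits each value on the {scheme} prefix and encoding suffix described under DESCRIPTION and -s, then checks crypt rounds against the -r table. The function names, the policy argument and the treatment of an encoding suffix as wrapping the whole crypt string are assumptions of this example.

```python
import base64
import re

# (minimum, maximum, default) rounds per scheme, copied from the -r table.
ROUNDS = {
    "BLF-CRYPT": (4, 31, 5),
    "SHA256-CRYPT": (1000, 999999999, 5000),
    "SHA512-CRYPT": (1000, 999999999, 5000),
}
PREFIX = re.compile(r"^\{([^}.]+)(?:\.([^}]+))?\}(.*)$", re.S)


def parse_stored(stored, default_scheme):
    """Split a stored value into (scheme, encoding suffix, hash)."""
    m = PREFIX.match(stored)
    if not m:  # no {scheme} prefix: the passdb's default scheme applies
        return default_scheme.upper(), "", stored
    scheme, enc = m.group(1).upper(), (m.group(2) or "").lower()
    if enc not in ("", "b64", "base64", "hex"):
        raise ValueError(f"unsupported encoding suffix: .{enc}")
    return scheme, enc, m.group(3)


def rounds_of(scheme, crypt_hash):
    """Rounds encoded in a crypt hash; scheme default if rounds= is absent."""
    if scheme == "BLF-CRYPT":  # $2y$NN$... carries a two-digit cost
        m = re.match(r"\$2[abxy]\$(\d\d)\$", crypt_hash)
        return int(m.group(1)) if m else None
    m = re.match(r"\$[56]\$(?:rounds=(\d+)\$)?", crypt_hash)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) else ROUNDS[scheme][2]


def audit(stored, default_scheme, policy=None):
    """Return (scheme, rounds, finding); policy maps scheme -> minimum rounds."""
    scheme, enc, data = parse_stored(stored, default_scheme)
    if scheme not in ROUNDS:
        return scheme, None, "not covered by the -r table"
    if enc == "hex":  # assumption: the suffix wraps the whole $N$... string
        data = bytes.fromhex(data).decode("latin-1")
    elif enc:
        data = base64.b64decode(data).decode("latin-1")
    low, high, default = ROUNDS[scheme]
    floor = (policy or {}).get(scheme, default)
    rounds = rounds_of(scheme, data)
    if rounds is None or not low <= rounds <= high:
        return scheme, rounds, "malformed or out-of-range rounds"
    return scheme, rounds, "ok" if rounds >= floor else f"below floor {floor}"
```

Without a policy, each scheme's default from the table is used as the floor, so a hash generated with fewer rounds than the default is reported.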
REPORTING BUGS
Report bugs, including doveconf -n output, to the Dovecot Mailing List <dovecot@dovecot.org>. Information about reporting bugs is available at: http://dovecot.org/bugreport.html