doveadm−pw − Dovecot's password hash generator
doveadm
[−Dv] pw −l
doveadm [−Dv] pw [−p
password] [−r rounds]
[−s scheme] [−u
user] [−V]
doveadm [−Dv] pw −t
hash [−p password]
[−u user]
doveadm pw is used to generate password hashes for different password schemes and optionally verify the generated hash.
All generated password hashes have a {scheme} prefix, for example {SHA512−CRYPT.HEX}. All passdbs have a default scheme for passwords stored without the {scheme} prefix. The default scheme can be overridden by storing the password with the scheme prefix.
Global doveadm(1) options:
−D |
Enables verbosity and debug messages. |
−o setting=value
Overrides the configuration setting from /etc/dovecot/dovecot.conf and from the userdb with the given value. In order to override multiple settings, the −o option may be specified multiple times.
−v |
Enables verbosity, including progress counter. |
Command specific options:
−l |
List all supported password schemes and exit successfully. |
There are up to three optional password schemes: BLF−CRYPT (Blowfish crypt), SHA256−CRYPT and SHA512−CRYPT. Their availability depends on the system's currently used libc.
−p password
The plain text password for which the hash should be generated. If no password was given doveadm(1) will prompt interactively for one.
−r rounds
The password schemes BLF−CRYPT, SHA256−CRYPT and SHA512−CRYPT supports a variable number of encryption rounds. The following table shows the minimum/maximum number of encryption rounds per scheme. When the −r option was omitted the default number of encryption rounds will be applied.
Scheme |
Minimum | Maximum | Default
----------------------------------------------
BLF−CRYPT | 4 | 31 | 5
SHA256−CRYPT | 1000 | 999999999 | 5000
SHA512−CRYPT | 1000 | 999999999 | 5000
−s scheme
The password scheme
which should be used to generate the hashed password. By
default the CRYPT scheme will be used
(with the $2y$ bcrypt format). It is also possible to append
an encoding suffix to the scheme. Supported encoding
suffixes are: .b64, .base64 and
.hex.
See also
http://wiki2.dovecot.org/Authentication/PasswordSchemes for
more details about password schemes.
−t hash
Test if the given password hash matches a given plain text password. You should enclose the password hash in single quotes, if it contains one or more dollar signs ($). The plain text password may be passed using the −p option. When no password was specified, doveadm(1) will prompt interactively for one.
−u user
When the DIGEST−MD5 scheme is used, also the user name must be given, because the user name is a part of the generated hash. For more information about Digest−MD5 please read also: http://wiki2.dovecot.org/Authentication/Mechanisms/DigestMD5
−V |
When this option is given, the hashed password will be internally verified. The result of the verification will be shown after the hashed password, enclosed in parenthesis. |
The first password hash is a DIGEST−MD5 hash for [email protected]. The second password hash is a CRAM−MD5 hash for [email protected].
doveadm pw
−s digest−md5 −u [email protected]
Enter new password:
Retype new password:
{DIGEST−MD5}9b9dcb4466233a9307bbc33708dffda0
doveadm pw
Enter new password:
Retype new password:
{CRAM−MD5}913331d8782236a8ecba7764a63aa27b26437fd40ca878d887f11d81245c2c6b
Report bugs, including doveconf −n output, to the Dovecot Mailing List <[email protected]>. Information about reporting bugs is available at: http://dovecot.org/bugreport.html
doveadm(1)