
Thread: how to get to know zimbra user passwords

  1. #1
    how to get to know zimbra user passwords

    Hi zimbra guys,

    I have the question below.


    I create users in the traditional way below.

    zmprov ca userx@domain.com mypassword


    Is there a way to get to know these Zimbra passwords back in plain text with the zmprov command or any other way?

    I searched, but I could NOT find an answer.

    Hope to hear from you.

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    Originally posted by indunil75:
        Is there a way to get to know these Zimbra passwords back in plain text with the zmprov command or any other way?

    No, there is no way to do that as the passwords are encrypted. It wouldn't be very good security to allow you to decrypt the passwords, would it?
    Regards


    Bill



  3. #3

    You are right. But in some cases, management would find it OK.

    With a new installation of Zimbra, we gave the password "123456" to some users.

    Now we want to find the users having the password "123456" and reset them. Otherwise, we will have to go to every user and ask what the password is, which is also NOT so good.

    Is there any hacking way of doing it?

    Thanks a lot.

  4. #4
    phoenix (Zimbra Consultant & Moderator)

    Originally posted by indunil75:
        You are right. But in some cases, management would find it OK.

    That's never OK in any circumstances whoever asks for it.

    Originally posted by indunil75:
        With a new installation of Zimbra, we gave the password "123456" to some users.

        Now we want to find the users having the password "123456" and reset them. Otherwise, we will have to go to every user and ask what the password is, which is also NOT so good.

        Is there any hacking way of doing it?

    Go to the Admin UI/COS and see how you can set strong passwords then create a management policy of what sort of passwords you require for your configuration. Inform all your users what the new policy will be and when it's going to happen. When you've done that you should modify ZCS for setting that policy, run zmprov to force all users to change their passwords on the next login.
    Regards


    Bill



  5. #5

    You don't need to get the passwords in plaintext to check them.

    The passwords are not encrypted (encrypted things can be decrypted). They are hashed and salted.

    You can get the hashed passwords with zmprov.
    If you have them you take your weak password and hash it with the same algorithms (don't forget to use the same salt).

    If the user hash and the weak password hash are the same you know that the user uses the weak password.

    The salt is random so you have to recreate the weak password hash for every user with the user's salt and check if the hashes are the same.

    You can also make a dictionary attack with this, so you see which users should change their passwords.

    yogg
    Release 7.1.2_GA_3268.UBUNTU8_64 UBUNTU8_64 NETWORK edition.

  6. #6

    Hi boss,

    Thanks a lot for your brilliant words. I will do it.

  7. #7

    Originally posted by yogg1:
        You don't need to get the passwords in plaintext to check them.

        The passwords are not encrypted (encrypted things can be decrypted). They are hashed and salted.

        You can get the hashed passwords with zmprov.

    How, what is the command?

  8. #8

    You have to read it directly from LDAP (-l option), else you get only "VALUE-BLOCKED" back.

    zmprov -l ga username@domain userPassword

    yogg
    Release 7.1.2_GA_3268.UBUNTU8_64 UBUNTU8_64 NETWORK edition.
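
Added example, not part of any post in this thread: one way to carry out the check described in posts #5 and #8, assuming the `userPassword` value uses the LDAP `{SSHA}` scheme (base64 of a SHA-1 digest followed by the salt); the thread does not state which scheme is in use. The function names, account names, salts and hash values are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # bytes in a SHA-1 digest; the salt follows it

def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value. Used only to construct the sample data below."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def matches_ssha(stored: str, candidate: str):
    """True/False for a {SSHA} value, None if the scheme is different or malformed."""
    if not stored.startswith("{SSHA}"):
        return None
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= SHA1_LEN:
        return None  # no salt present, not a salted hash
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    # Re-hash the known default password with this user's own salt.
    recomputed = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, recomputed)

def audit_default_password(entries: dict, default_password: str):
    """Return (accounts still on the default password, accounts not checkable)."""
    flagged, skipped = [], []
    for account, stored in sorted(entries.items()):
        result = matches_ssha(stored, default_password)
        if result is None:
            skipped.append(account)
        elif result:
            flagged.append(account)
    return flagged, skipped

# Constructed sample data (assumption: one userPassword value per account,
# as returned by `zmprov -l ga <account> userPassword`).
SAMPLE = {
    "alice@example.com": make_ssha("123456", b"\x01\x02\x03\x04"),
    "bob@example.com": make_ssha("a-long-unrelated-passphrase", b"\x05\x06\x07\x08"),
    "carol@example.com": make_ssha("123456", b"\x09\x0a\x0b\x0c"),
    "dave@example.com": "{crypt}constructed-placeholder",
}

if __name__ == "__main__":
    flagged, skipped = audit_default_password(SAMPLE, "123456")
    print("still on default password:", flagged)
    print("scheme not handled:", skipped)
```

Accounts reported as not checkable carry a value in another scheme and need a separate comparison routine before they can be ruled out.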

  9. #9

    Forgive if irrelevant, but for the same reasons I need to force some users to change their password.

    What better than using

    Code:
    zmprov ma user@domain.com zimbraPasswordMustChange TRUE
    Did it.. It doesn't work... It doesn't ask user to change password.

    Looked into forums and wiki, did not find anything helpful.

    Any suggestion?

    Thanks

    PS: I am thinking of brute-forcing using Hydra to check users' password strength against password lists. Based on the results, I would like to have the accounts flagged as zimbraPasswordMustChange. But I need the flag to work...
