Doveadm-Pw

Name ☜

doveadm-pw - Dovecot's password hash generator

Synopsis ☜

doveadm [-Dv] pw -l
doveadm [-Dv] pw [-p password] [-r rounds] [-s scheme] [-u user] [-V]
doveadm [-Dv] pw -t hash [-p password] [-u user]

Description ☜

doveadm pw is used to generate password hashes for different password schemes and optionally verify the generated hash.

All generated password hashes have a {scheme} prefix, for example {SHA512-CRYPT.HEX}. All passdbs have a default scheme for passwords stored without the {scheme} prefix. The default scheme can be overridden by storing the password with the scheme prefix.

Options ☜

Global doveadm(1) options:

-D: Enables verbosity and debug messages.
-o setting=value: Overrides the configuration setting from /etc/dovecot/dovecot.conf and from the userdb with the given value. In order to override multiple settings, the -o option may be specified multiple times.
-v: Enables verbosity, including progress counter.

Command specific options:

-l

List all supported password schemes and exit successfully.
There are up to three optional password schemes: BLF-CRYPT (Blowfish crypt), SHA256-CRYPT and SHA512-CRYPT. Their availability depends on the system's currently used libc.

-p password

The plain text password for which the hash should be generated. If no password was given doveadm(1) will prompt interactively for one.

-r rounds

The password schemes BLF-CRYPT, SHA256-CRYPT and SHA512-CRYPT supports a variable number of encryption rounds. The following table shows the minimum/maximum number of encryption rounds per scheme. When the -r option was omitted the default number of encryption rounds will be applied.

 Scheme       | Minimum | Maximum   | Default
----------------------------------------------
 BLF-CRYPT    |       4 |        31 |       5
 SHA256-CRYPT |    1000 | 999999999 |    5000
 SHA512-CRYPT |    1000 | 999999999 |    5000

-s scheme

The password scheme which should be used to generate the hashed password. By default the CRYPT scheme will be used (with the $2y$ bcrypt format). It is also possible to append an encoding suffix to the scheme. Supported encoding suffixes are: .b64, .base64 and .hex.
See also https://doc.dovecot.org/configuration_manual/authentication/password_schemes/ for more details about password schemes.

-t hash

Test if the given password hash matches a given plain text password. You should enclose the password hash in single quotes, if it contains one or more dollar signs ($). The plain text password may be passed using the -p option. When no password was specified, doveadm(1) will prompt interactively for one.

-u user

When the DIGEST-MD5 scheme is used, also the user name must be given, because the user name is a part of the generated hash. For more information about Digest-MD5 please read also: https://doc.dovecot.org/configuration_manual/authentication/digest-md5/

-V

When this option is given, the hashed password will be internally verified. The result of the verification will be shown after the hashed password, enclosed in parenthesis.

Example ☜

The first password hash is a DIGEST-MD5 hash for jane.roe@example.com. The second password hash is a CRAM-MD5 hash for john.doe@example.com.