[Dovecot] SOLVED Intermittent authentication failures

Eric Shubert ejs at shubes.net
Mon Oct 3 19:55:40 EEST 2011


On 10/02/2011 10:28 AM, Timo Sirainen wrote:
> On Sun, 2011-10-02 at 08:53 -0700, Eric Shubert wrote:
>>
>>
>> Oct 02 08:21:40 auth: Info: password(gary at domain.com,192.168.252.8):
>> Requested DIGEST-MD5 scheme, but we have only SHA1
>
> Oh. This was vpopmail specific problem. See if this fixes:
> http://hg.dovecot.org/dovecot-2.0/rev/dbd5f9ec38af
>
>
>

Thanks Timo. Two things.

First, I don't think this is a comprehensive fix covering all 
situations, though I could be wrong. One problem with it is that if the 
password is changed and the plaintext client isn't active, one would 
need to wait for the cached plaintext record to expire before being able 
to log in with an encoded password. Another problem might be if there 
are two separate clients, one using digest-md5 and another using 
cram-md5, I think the second one used would still fail. No? I'm not sure 
how best to handle any combination of clients and authentication 
mechanisms, so I'll leave the solution to your design.

Second and perhaps more importantly, it occurred to me that simply using 
%u as the cache key might be a significant security hole. If passwords 
are cached using only the user account, what's to prevent someone else, 
using another client with the same authentication mechanism at a 
different IP address, from gaining access to an account that's cached? 
Perhaps I'm not understanding this right, but I think that using %u%r as 
the cache key closes this hole, and should probably be recommended in 
the documentation.

I could (as always) be totally off base on this, so please explain if 
I'm misunderstanding something.

Thanks again, Timo. Great work on dovecot.

-- 
-Eric 'shubes'
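A constructed model of the auth-cache behaviour discussed in this thread (added here as an illustration; it is not Dovecot's code, and the mechanism-to-scheme table, the sample addresses and the `resolve` helper are assumptions of the model). It shows how the cache key template decides whether a second client using a different mechanism collides with an entry cached from the first one.

```python
# Toy model of a Dovecot-style auth cache keyed by a template such as "%u" or "%u%r".
# Not Dovecot's implementation; it only tracks which password *scheme* is cached.

# Which cached schemes each SASL mechanism can verify against (assumption of the model):
# challenge-response mechanisms need the plaintext or their own mechanism-specific scheme,
# so a bare SHA1 hash cannot serve DIGEST-MD5 or CRAM-MD5 logins.
MECH_ACCEPTS = {
    "PLAIN": {"PLAIN", "SHA1", "DIGEST-MD5", "CRAM-MD5"},
    "DIGEST-MD5": {"PLAIN", "DIGEST-MD5"},
    "CRAM-MD5": {"PLAIN", "CRAM-MD5"},
}


class AuthCache:
    def __init__(self, key_template):
        self.key_template = key_template  # "%u" (user only) or "%u%r" (user + remote IP)
        self.entries = {}                 # cache key -> password scheme stored for it

    def key(self, user, remote_ip):
        return self.key_template.replace("%u", user).replace("%r", remote_ip)

    def get(self, user, remote_ip):
        return self.entries.get(self.key(user, remote_ip))

    def store(self, user, remote_ip, scheme):
        self.entries[self.key(user, remote_ip)] = scheme


def resolve(cache, user, remote_ip, mech, passdb_scheme):
    """Return ("passdb", scheme) when the cache misses and the passdb is consulted,
    ("cache", scheme) when the cached scheme can serve the mechanism, or
    ("fail", message) when the cached scheme cannot (the error seen in the thread)."""
    cached = cache.get(user, remote_ip)
    if cached is None:
        cache.store(user, remote_ip, passdb_scheme)  # first login fills the cache
        return ("passdb", passdb_scheme)
    if cached in MECH_ACCEPTS[mech]:
        return ("cache", cached)
    return ("fail", f"Requested {mech} scheme, but we have only {cached}")


if __name__ == "__main__":
    # Constructed scenario: a PLAIN client fills the cache with a SHA1 entry, then a
    # second client at another address asks for DIGEST-MD5 (addresses are made up).
    for template in ("%u", "%u%r"):
        cache = AuthCache(template)
        resolve(cache, "gary@domain.com", "192.168.252.8", "PLAIN", "SHA1")
        print(template, resolve(cache, "gary@domain.com", "10.0.0.5", "DIGEST-MD5", "PLAIN"))
```

With `%u` the second client hits the SHA1 entry and fails with the scheme-mismatch message; with `%u%r` it gets its own cache entry and the passdb is queried instead.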
