[Dovecot] AUTH_USER variable has invalid value in checkpassword Script

dovecot.pkoch at dfgh.net
Tue Feb 25 23:33:34 UTC 2014


answering my own questions:

> This has somehow changed and now AUTH_USER always
> contains the username. This has fatal consequences as now
> every owner of a valid certificate can log on as any user.

I now use auth_ssl_username_from_cert = yes and this
temporarily fixes my problem. Now if user A authenticates
with his certificate and claims to be user B, he will be logged on
as user A. With auth_ssl_username_from_cert = no (default)
he was logged in as user B.

> I'm absolutely sure that the value of the x500UniqueIdentifier
> was stored into the AUTH_USER when I tested my setup
> last year.

If one looks at the source code, in particular the routine
env_put_auth_vars() in src/auth/db-checkpassword.c
and the routine auth_request_get_var_expand_table() in
src/auth/auth-request.c, it is clear that this has never
worked.

The environment variable AUTH_USER always contains
the username (in all Dovecot versions). It does NOT
contain the Dovecot auth_user variable. Comparing
AUTH_USER with the username makes no sense in
a checkpassword script.

So here's my next question: How do I find out the original
username from within a checkpassword script after it has
been replaced by the x500UniqueIdentifier value from
a client certificate?

Why is request->requested_login_user == NULL in
env_put_auth_vars()? request->user contains the
x500UniqueIdentifier value from the client's certificate,
so the original username was replaced and therefore
should have been moved into request->requested_login_user.

Kind regards

Peter Koch
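The two configurations the message contrasts, side by side, as an added illustration that is not part of the original post and not taken from Dovecot's own documentation. The setting names are Dovecot 2.x settings; the CA file path, the checkpassword script path and the choice of x500UniqueIdentifier as the certificate field are assumptions made for the example.

```conf
# Added example, not from the post. Client-certificate login in Dovecot 2.x.
# Assumed paths: /etc/ssl/dovecot-ca.pem and /usr/local/bin/checkpassword.sh

ssl = required
# Assumed CA file used to verify client certificates
ssl_ca = </etc/ssl/dovecot-ca.pem
ssl_verify_client_cert = yes
ssl_require_client_cert = yes

# Weak (the default). The certificate only proves that the client holds a
# key signed by the CA. The name passed to the checkpassword script in
# AUTH_USER is whatever login name the client claimed, so the holder of
# any valid certificate can claim any user, as the message describes.
#auth_ssl_username_from_cert = no

# Corrected. The username is taken from the certificate field below, so
# AUTH_USER (request->user) carries the certificate's identity rather
# than the client's claim. The default field is commonName; the
# x500UniqueIdentifier field is an assumption matching the message.
auth_ssl_username_from_cert = yes
ssl_cert_username_field = x500UniqueIdentifier

passdb {
  driver = checkpassword
  # Assumed script path
  args = /usr/local/bin/checkpassword.sh
}
```

With the corrected settings the checkpassword script still has no way to read the name the client originally claimed, which is exactly the open question in the message; what changes is that the name it does receive in AUTH_USER is bound to the verified certificate.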
