Users with multiple passwords

Eirik Rye rye at trojka.no
Fri Feb 24 13:45:45 UTC 2017


Hi!

~ dovecot --version
2.2.22 (fe789d2)

I am wondering if there is a way to set up virtual users with multiple 
valid passwords. We want to be able to provide users with 
device/app-specific passwords for their email accounts, as well as being 
able to create temporary "access tokens" for technical support when 
required.

I quickly found out that a passdb using passwd-file or an SQL backend does 
not support returning multiple entries ("Error: passwd-file
/etc/dovecot/virtual.passwd: User rye exists more than once").

The documentation mentions that you can pass the plain-text password on 
to the MySQL-server for verification, and I suppose multiple passwords 
could work, given a query like this (pseudo-SQL):

`SELECT password FROM account WHERE user = '%u' AND domain = '%d' AND 
password = TO_BASE64(SHA2('%w', 512));`

However, having Dovecot pass the plain-text password and letting the 
database deal with the hashing and encoding doesn't seem like a very 
"clean" solution. Preferably, dovecot should be the only piece of 
software touching the plain-text.

Ideally, I would like the following behavior:

1. passdb returns multiple possible hashed passwords for the user
2. dovecot attempts the passwords in order
3. login fails normally if none of the passdb results match

Does anyone have any experience, or tips for setting up this type of 
behavior?

Other ideas we have touched upon are:

1. Different usernames (e.g. 'user_device' or 'user_application')
2. Multiple passdbs(?)

Best regards,
Eirik Rye
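The "try each stored hash in order, fail normally if none match" behaviour asked for above, as an added example that is not part of the original post and not Dovecot's code. It assumes a constructed file layout of our own (`user:hash:label`, one line per password, which is exactly what Dovecot's passwd-file driver refuses to load) and hashes in Dovecot's `{SSHA512}` scheme, base64 of SHA-512(password || salt) || salt; the function names, sample users and passwords are all made up here. The verifier returns the label of the matching entry rather than a bare true/false, so the caller can log which device or support token was used and revoke that one alone.

```python
"""Verify one candidate password against several stored hashes per user.

Added example, not Dovecot's code: it shows the "try each passdb result
in order" behaviour, using Dovecot's {SSHA512} scheme for stored hashes.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

SCHEME = "{SSHA512}"


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password in Dovecot's {SSHA512} format.

    The salt is appended to the digest before base64 encoding, which is
    how Dovecot stores salted SHA hashes, so the verifier can recover it.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def check_ssha512(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate against one {SSHA512} hash."""
    if not stored.startswith(SCHEME):
        return False  # unknown scheme: never accept by accident
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:64], raw[64:]
    expected = hashlib.sha512(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def parse_entries(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse 'user:hash:label' lines into {user: [(hash, label), ...]}.

    The layout is constructed for this example (an assumption, not a
    Dovecot format): a user may appear on more than one line, and the
    list keeps file order so the verifier tries entries in that order.
    """
    entries: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, pw_hash, label = line.split(":", 2)
        entries.setdefault(user, []).append((pw_hash, label))
    return entries


def verify(user: str, candidate: str,
           entries: Dict[str, List[Tuple[str, str]]]) -> Optional[str]:
    """Return the label of the first matching entry, or None on failure.

    Returning the label (device or support token) rather than a bare
    True lets the caller log which credential was used and revoke it
    individually later. Unknown users and non-matching passwords both
    fail the same way.
    """
    for pw_hash, label in entries.get(user, []):
        if check_ssha512(pw_hash, candidate):
            return label
    return None


# Constructed sample data with fixed salts so the file content is stable.
SAMPLE_DB = "\n".join([
    "# user:hash:label   (constructed for this example)",
    "rye:" + make_ssha512("laptop-pw-1", b"salt-laptop-0001") + ":laptop",
    "rye:" + make_ssha512("phone-pw-2", b"salt-phone-00002") + ":phone",
    "rye:" + make_ssha512("support-token-3", b"salt-support-003")
        + ":support-2017-02-24",
    "alice:" + make_ssha512("alice-only", b"salt-alice-00001") + ":primary",
])

ENTRIES = parse_entries(SAMPLE_DB)


if __name__ == "__main__":
    print(verify("rye", "phone-pw-2", ENTRIES))    # phone
    print(verify("rye", "alice-only", ENTRIES))    # None: another user's password
    print(verify("nobody", "x", ENTRIES))          # None: unknown user
```

The order of entries in the file is the order Dovecot would be asked to try them, so put the most frequently used credential first; the constant-time digest comparison keeps a per-entry timing leak from revealing which stored hash a guess was closest to.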