Users with multiple passwords
Eirik Rye
rye at trojka.no
Fri Feb 24 13:45:45 UTC 2017
Hi!
~ dovecot --version
2.2.22 (fe789d2)
I am wondering if there is a way to set up virtual users with multiple
valid passwords. We want to be able to provide users with
device/app-specific passwords for their email accounts, as well as being
able to create temporary "access tokens" for technical support when
required.
I quickly found out that passdb using passwd-file or an sql-backend does
not support returning multiple entries ("Error: passwd-file
/etc/dovecot/virtual.passwd: User rye exists more than once").
The documentation mentions that you can pass the plain-text password on
to the MySQL-server for verification, and I suppose multiple passwords
could work, given a query like this (pseudo-SQL):
`SELECT password FROM account WHERE user = '%u' AND domain = '%d' AND
password = TO_BASE64(SHA2('%w', 512));`
However, having Dovecot pass the plain-text password and letting the
database deal with the hashing and encoding doesn't seem like a very
"clean" solution. Preferably, dovecot should be the only piece of
software touching the plain-text.
Ideally, I would like the following behavior:
1. passdb returns multiple possible hashed passwords for the user
2. dovecot attempts the passwords in order
3. login fails normally if none of the passdb results match
Does anyone have any experience, or tips for setting up this type of
behavior?
Other ideas we have touched upon are:
1. Different usernames (e.g. 'user_device' or 'user_application')
2. Multiple passdbs(?)
Best regards,
Eirik Rye
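The ordered-verification behaviour the post asks for, as an added illustration that is not from the thread and not Dovecot or MySQL code: each user carries an ordered list of hashed credentials (primary password, per-device app passwords, temporary support tokens with an expiry), the presented password is checked against each in turn inside the authenticating process, and the label of the matching entry is returned so a log line can say which credential was used. The PBKDF2 round count, the credential layout and the sample user "rye" are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: tune for your hardware


def hash_password(plain: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA512 digest) for a plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", plain.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def make_credential(label: str, plain: str, expires_at: Optional[float] = None) -> dict:
    """Store only salt + digest; the plaintext is discarded after hashing."""
    salt, digest = hash_password(plain)
    return {"label": label, "salt": salt, "digest": digest, "expires_at": expires_at}


def verify(plain: str, credentials: list, now: Optional[float] = None) -> Optional[str]:
    """Try each stored credential in order; return its label on match, else None.

    Expired entries (lapsed support tokens) are skipped, and every digest
    comparison is constant-time so a miss leaks no timing information.
    """
    now = time.time() if now is None else now
    for cred in credentials:
        if cred["expires_at"] is not None and now >= cred["expires_at"]:
            continue
        _, digest = hash_password(plain, cred["salt"])
        if hmac.compare_digest(digest, cred["digest"]):
            return cred["label"]
    return None  # login fails normally: nothing matched


# Constructed sample record for user "rye" (not real credentials)
RYE = [
    make_credential("primary", "correct horse battery staple"),
    make_credential("phone-imap", "xkqd-pl2m-93ab-77rt"),
    make_credential("support-ticket-1234", "tmp-7f3a9c", expires_at=1_700_000_000.0),
]

if __name__ == "__main__":
    print(verify("xkqd-pl2m-93ab-77rt", RYE))  # phone-imap
```

Because the label identifies the device or ticket, a compromised app password can be revoked by deleting that one entry without touching the primary password.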