can't authenticate

Christian Mack christian.mack at uni-konstanz.de
Fri Jan 28 10:05:46 UTC 2022


Hello

On 27.01.22 at 17:37, David Matthews wrote:
> hi Christian
> 
>> Did the password hash algorithm change between devuan 3 and 4? You
>> can check that in your /etc/shadow file.
> 
> As I understand, devuan is pretty much debian without systemd? And
> that if you were prepared to do a fair bit of work you could start
> with debian installed, hack it about and end up with something like
> devuan?
> 
> I doubt devuan has done anything to deviate from debian at this level
> and both machines were recently dist-upgraded. Dovecot needed no
> tinkering with at all on the debian machine.
> 

I never used devuan, so I cannot comment on its upgrade strategies.

The default in Debian has changed, but on a dist-upgrade they are not
changed automatically.
This would not be possible anyway, as you need the original password for
generating the new hash.
But you could force the user to change it on the next login.

The hash algorithm changes when you set a new or other password.
Check also the release notes of Bullseye:
https://www.debian.org/releases/stable/amd64/release-notes/ch-information.de.html#pam-default-password

>> The start of the password field should be the same something like
>> $6$...
>> 
> 
> Yes it is on devuan 4. I no longer have anything with devuan 3 to
> check that, but it shouldn't have changed in a dist-upgrade?
> Interestingly, although it's the same user and password on both
> machines, I notice that the hashes in /etc/shadow are not identical
> after the commencing $6$. But then I don't know how these hashes are
> derived, so maybe that is not unexpected?
> 

So the password algorithm didn't change.

$6$ is still the old one, SHA-512.
The hashes are different between machines, as they are salted.
The salt is stored after $6$ up till the next $ sign.
As the salt differs, the hash has to be different.
That's what salts are made for :-)

So you can only increase the logging in dovecot for authentication to
debugging.
auth_debug=yes

Perhaps you also want to set
auth_debug_passwords=yes
for getting the actual password in plain text.
(Don't forget to disable that afterwards!)


Kind regards,
Christian Mack

-- 
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung und Lehre
78457 Konstanz
+49 7531 88-4416
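
Added example, not part of the original message: a small parser for the password field of /etc/shadow that reports the scheme prefix and the salt discussed above, and compares the entries of two machines. The two sample entries are constructed placeholders, not real hashes; the function names are hypothetical, and the `$y$` (yescrypt) layout is included as the newer Debian default.

```python
# Added example: split an /etc/shadow password field into scheme, params, salt, hash.
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt"}

# Constructed sample entries (same user on two machines); the hash parts are filler.
MACHINE_A = "$6$Fq1oXk2Lw9ZpTc0R$" + "A" * 86
MACHINE_B = "$6$u7HbN3sVd5YeKm4J$" + "B" * 86

def parse_shadow_field(field):
    """Parse the second colon-separated field of a shadow line."""
    locked = field.startswith(("!", "*"))      # '!' or '*' marks a locked account
    body = field.lstrip("!*")
    if not body.startswith("$"):               # empty, or traditional DES crypt
        return {"locked": locked, "scheme": None, "params": None,
                "salt": None, "hash": body or None}
    parts = body.split("$")[1:]                # drop the empty item before the first '$'
    ident, rest = parts[0], parts[1:]
    params = None
    # yescrypt always carries a parameter field; SHA-crypt may carry 'rounds=N'.
    if ident == "y" or (rest and rest[0].startswith("rounds=")):
        params, rest = rest[0], rest[1:]
    if len(rest) != 2:
        raise ValueError("unexpected number of '$'-separated fields")
    salt, digest = rest
    return {"locked": locked, "scheme": SCHEMES.get(ident, "unknown ($%s$)" % ident),
            "params": params, "salt": salt, "hash": digest}

def compare(field_a, field_b):
    """Say what two shadow entries for the same user can and cannot tell you."""
    a, b = parse_shadow_field(field_a), parse_shadow_field(field_b)
    if a["scheme"] != b["scheme"]:
        return "different-scheme"
    if (a["params"], a["salt"]) != (b["params"], b["salt"]):
        # Different salt: the hashes must differ even for the same password.
        return "same-scheme-different-salt"
    return "same-password" if a["hash"] == b["hash"] else "different-password"

if __name__ == "__main__":
    for name, field in (("A", MACHINE_A), ("B", MACHINE_B)):
        info = parse_shadow_field(field)
        print(name, info["scheme"], "salt =", info["salt"])
    print(compare(MACHINE_A, MACHINE_B))
```
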
