bug: ARGON2 hash selection incompatible with LDAP

Aki Tuomi aki.tuomi at open-xchange.com
Fri Nov 25 07:29:25 UTC 2022


> On 15/11/2022 14:55 EET Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> 
>  
> > On 15/11/2022 14:45 EET Krisztián Szegi <oni-dono at mszk.eu> wrote:
> > 
> >  
> > Good day to all,
> >  
> > this is my first post to the mailing list!
> >  
> > I'd like to report that non-binding auth to (Open)LDAP doesn't work if the latter hashes passwords with ARGON2.
> >  
> > Although dovecot (I am using 2.3.19.1) does support ARGON2 with libsodium, it doesn't recognize hashes beginning with "{ARGON2}$argon2id$" stored (and hashed, using ppolicy module's hashCleartext) by OpenLDAP.
> >  
> > Now, I understand that ARGON2I, -D, and -ID are not compatible, but the ACTUAL algorithm is there between the two $.
> > Furthermore, I think dovecot is in the minority here, I haven't met any software that specifies the ARGON2 subtype between {}.
> > BTW, I haven't met any software that hashes passwords with ARGON2, but not with the ARGON2ID subtype (where libsodium is available, which also seems to be the standard here), as THAT is the recommended one anyway.
> > 
> > I patched the rpm in OpenSUSE repo to alias {ARGON2} to {ARGON2ID}:
> > https://build.opensuse.org/package/view_file/home:Samonitari:branches:openSUSE:Factory/dovecot23/dovecot-2.3.0-alias_ARGON2_to_ARGON2ID.patch
> >  
> > Could we get something like this (but maybe more correct) into the official source?
> > Maybe a config switch to alias it runtime?
> >  
> > Thanks for the attention:
> > Krisztián
> 
> Hi!
> 
> Thanks for your report. I think it makes sense, we'll see what we can do about this.
> 
> Aki

This has been fixed in https://github.com/dovecot/core/commit/6e3239d8fbe33f96352d24a563a0c7595d29dca9

Regards,
Aki Tuomi
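The point of the report is that the generic `{ARGON2}` prefix OpenLDAP writes carries no subtype; the real variant sits in the PHC string between the first two `$`. The following is an added example (not Dovecot's or OpenLDAP's code) that parses such a `userPassword` value, resolves `{ARGON2}` from the PHC identifier, and rejects a specific prefix that contradicts it; the sample hash, salt and parameters are constructed for illustration.

```python
import re

# PHC-style Argon2 string: $argon2{i,d,id}$v=NN$m=..,t=..,p=..$salt$hash
PHC_RE = re.compile(
    r"^\$(?P<alg>argon2(?:id|i|d))\$v=(?P<v>\d+)\$"
    r"m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)\$(?P<salt>[^$]+)\$(?P<hash>[^$]+)$"
)

# Constructed sample in the shape OpenLDAP stores (not a real credential).
SAMPLE_PHC = "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA"
SAMPLE_LDAP = "{ARGON2}" + SAMPLE_PHC


def split_scheme(value):
    """Split '{SCHEME}rest' into ('SCHEME', rest); return (None, value) if no prefix."""
    if value.startswith("{"):
        end = value.find("}")
        if end > 0:
            return value[1:end].upper(), value[end + 1:]
    return None, value


def parse_phc(phc):
    """Return the Argon2 variant and cost parameters encoded in a PHC string."""
    m = PHC_RE.match(phc)
    if not m:
        raise ValueError("not an Argon2 PHC string")
    d = m.groupdict()
    return {"alg": d["alg"], "v": int(d["v"]), "m": int(d["m"]),
            "t": int(d["t"]), "p": int(d["p"]), "salt": d["salt"], "hash": d["hash"]}


def resolve_argon2_scheme(value):
    """Map an LDAP value to its concrete scheme (ARGON2I / ARGON2D / ARGON2ID).

    {ARGON2} is treated as an alias resolved from the PHC identifier; a
    specific prefix such as {ARGON2I} must agree with that identifier."""
    scheme, phc = split_scheme(value)
    if scheme is None or not scheme.startswith("ARGON2"):
        raise ValueError("not an Argon2 scheme: %r" % scheme)
    params = parse_phc(phc)
    concrete = params["alg"].upper()  # e.g. 'ARGON2ID'
    if scheme != "ARGON2" and scheme != concrete:
        raise ValueError("prefix %s contradicts PHC identifier %s" % (scheme, params["alg"]))
    return concrete, params


def is_consistent(value):
    """True when the prefix and PHC identifier can be reconciled."""
    try:
        resolve_argon2_scheme(value)
        return True
    except ValueError:
        return False
```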

