Custom SASL authentication
David Koski
dkoski at sutinen.com
Thu Apr 6 21:58:47 UTC 2023
Fixing to not top post.
On 3/18/23 10:07, Aki Tuomi wrote:
>> On 18/03/2023 00:44 EET David Koski <dkoski at sutinen.com> wrote:
>> Hello,
>> I'm looking for a good way to apply a custom hash to passwords. My hope
>> is to add passwords to a (MySQL) database: INSERT INTO users
>> (user='joblo', pass=MYHASH('plain-password')..
>> For SASL authentication, my thought first was to apply the same hash to
>> the issued password and compare it with the hashed password in the
>> database. I soon discovered the sql driver supplied by Dovecot doesn't
>> provide that ability, unless I'm missing something.
>> I'm looking for documentation on how to implement a custom
>> authentication script if needed.
>> Regards,
>> David Koski
>> dkoski at sutinen.com
> Hi David, see
> https://doc.dovecot.org/configuration_manual/authentication/lua_based_authentication/
> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fdoc.dovecot.org%2fconfiguration_manual%2fauthentication%2flua_based_authentication%2f&c=E,1,9ey3vCELwieYk48TYCRIc3sTP0NX6IAzpNYTi7oYlL4_KJcx8IMijlRF7zmvrRU1DN9FriQm24ek0MdzT44auq5mqvOhpVhQSHsjmUvBjF54WhW0tgDC&typo=1&ancr_add=1>
> on how to implement custom authentication.
> For verifying password you could use MYHASH('%w') in your passdb sql
> lookup. You need to include `'Y' as nopassword` in this case, and this
> will cause wrong password to become unknown user error.
> Aki
I have done some testing and found the following queries to work for
implementing MySQL SHA2 passwords for authentication:
1 user_query:
2
3 SELECT
4 email AS user,
5 if (
6 (select crypt & 1 from view_users where email='%u'),
7 (select password from view_users where email='%u' and
password=SHA2('%w',512)),
8 (select password from view_users where email='%u' and
password='%w')
9 ) as password,
10 '/var/lib/vmail/%d/%n' AS home,
11 'maildir:/var/lib/vmail/%d/%n/Maildir' AS mail,
12 5000 AS uid,
13 5000 AS gid
14 FROM
15 view_users
16 WHERE
17 email = '%u' AND enable = '1'
18
19
20 password_query:
21
22 SELECT
23 email AS user,
24 if (
25 (select crypt & 1 from view_users where email='%u'),
26 (select password from view_users where email='%u' and
password=SHA2('%w',512)),
27 (select password from view_users where email='%u' and
password='%w')
28 ) as password
29 FROM
30 view_users
31 WHERE
32 email = '%u' AND enable = '1'
But it seems wasteful in the number of queries required. Looking for
ideas to consolidate queries.
Also, do the Dovecot query strings have to be s single query or can
there be a query to set a variable, for example, to use in subsequent
queries?
Regards,
David Koski
dkoski at sutinen.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20230406/66457c06/attachment.htm>
More information about the dovecot
mailing list