Hi!
You configure it like this:
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = some random string
auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOkJydHpUNlRuTkZ4UUU="
the authorization blob is basically
printf 'wforce:super' | base64
Aki
On 16 January 2019 at 10:06 alberto bersol alberto@bersol.info wrote:
Hi, I'm trying to set up Weakforced with Dovecot and I cannot log in to the policy server. This is the config:
/root/weakforced/wforce/wforce.conf
... webserver("0.0.0.0:8084", "super") ...
/etc/dovecot/conf.d/95-policy.conf
auth_policy_server_url = http://localhost:8084/
#auth_policy_hash_nonce = wforce:super
auth_policy_hash_nonce = {SHA256-CRYPT}$5$Ue5UrToV.Bam02bQ$Bi9OJ62Mkgc20L2HnLVmD2OCHyXaKje6Hh7qNjnOkB9
I'm following the instructions of Dovecot's wiki: https://wiki.dovecot.org/Authentication/Policy ... "To generate the hash, you concatenate nonce, login name, nil byte, password and run it through the hash algorithm once. The hash is truncated when truncation is set to non-zero. The hash is truncated by first choosing bits from MSB to byte boundary (rounding up), then right-shifting the remaining bits.
hash = H(nonce||user||'\x00'||password)
bytes = round8(bits*8)
hash = HEX(hash[0:bytes] >> (bytes-bits*8))"
And I set hash with password (super) in this way:
vm-weakforced:~# doveadm pw -p noncewforce\x00super -s SHA256-CRYPT
{SHA256-CRYPT}$5$ZWIX2dnU7NJvGHgC$hYFbeCCaHYZv0yPP80GHygxQMPmI5BjMx2ttRe9zti2
But if I log in to the Dovecot server:
vm-weakforced:~# doveadm auth login usuario
Password:
passdb: usuario auth succeeded
extra fields:
  user=usuario

userdb extra fields:
  usuario
  system_groups_user=usuario
  uid=1000
  gid=1000
  home=/home/usuario
The answer from Weakforced is always "...authentication failed":
WforceWebserver: HTTP Request "/" from 127.0.0.1:39720: Web Authentication failed
And Dovecot logs don't show anything else:
...
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: auth client connected (pid=967)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=doveadm#011resp=dXN1YXJpbwB1c3VhcmlvAHVzdWFyaW8= (previous base64 data may contain sensitive data)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: policy(usuario): Policy request http://localhost:8084/?command=allow
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: policy(usuario): Policy server request JSON: {"device_id":"","login":"usuario","protocol":"doveadm","pwhash":"0a00","remote":"","tls":false}
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: queue http://localhost:8084: Set request timeout to 2019-01-15 16:50:52.236 (now: 2019-01-15 16:50:50.236)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client: peer 127.0.0.1:8084 (shared): Peer created
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client: peer 127.0.0.1:8084: Peer pool created
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer 127.0.0.1:8084: Peer created
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: queue http://localhost:8084: Setting up connection to 127.0.0.1:8084 (1 requests pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer 127.0.0.1:8084: Linked queue http://localhost:8084 (1 queues linked)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: queue http://localhost:8084: Started new connection to 127.0.0.1:8084
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: request [Req4: POST http://localhost:8084/?command=allow]: Submitted (requests left=1)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer 127.0.0.1:8084: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer 127.0.0.1:8084: Making new connection 1 of 1 (0 connections exist, 0 pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn 127.0.0.1:8084 [2]: (127.0.0.1:8084): Connecting
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn 127.0.0.1:8084 [2]: (127.0.0.1:8084): Waiting for connect (fd=20) to finish for max 0 msecs
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn 127.0.0.1:8084 [2]: HTTP connection created (1 parallel connections exist)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn 127.0.0.1:8084 [2]: (127.0.0.1:8084): Client connected (fd=20)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn 127.0.0.1:8084 [2]: Connected
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn 127.0.0.1:8084 [2]: Ready for requests
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer 127.0.0.1:8084: Successfully connected (1 connections exist, 0 pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client: peer 127.0.0.1:8084: Successfully connected (1 connections exist, 0 pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1 total connections ready)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: queue http://localhost:8084: Connection to peer 127.0.0.1:8084 claimed request [Req4: POST http://localhost:8084/?command=allow]
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn 127.0.0.1:8084 [2]: Claimed request [Req4: POST http://localhost:8084/?command=allow]
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: request [Req4: POST http://localhost:8084/?command=allow]: Sent header
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: request [Req4: POST http://localhost:8084/?command=allow]: Send more (sent 95, buffered=303)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: request [Req4: POST http://localhost:8084/?command=allow]: Finished sending payload
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more requests to service for this peer (1 connections exist, 0 pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn 127.0.0.1:8084 [2]: Got 401 response for request [Req4: POST http://localhost:8084/?command=allow] (took 4 ms + 3 ms in queue)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Error: policy(usuario): Policy server HTTP error: 401 Unauthorized
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn 127.0.0.1:8084 [2]: Response payload stream destroyed (0 ms after initial response)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: request [Req4: POST http://localhost:8084/?command=allow]: Finished
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: queue http://localhost:8084: Dropping request [Req4: POST http://localhost:8084/?command=allow]
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: request [Req4: POST http://localhost:8084/?command=allow]: Free (requests left=1)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer 127.0.0.1:8084: No requests to service for this peer (1 connections exist, 0 pending)
Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn 127.0.0.1:8084 [2]: No more requests queued; going idle (timeout = 10000 msecs)
...
Any idea?
Thank you so much
Regards,
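
Added example (not part of the original messages, and not Dovecot or Weakforced code): the two separate values from the reply, sketched in Python. The hypothetical `basic_auth_header` builds the credential string for auth_policy_server_api_header, and the hypothetical `policy_pwhash` follows the wiki formula quoted above, where the nonce is only a salt for the per-login hash; SHA-256 and a 12-bit truncation are assumed settings.

```python
import base64
import hashlib


def basic_auth_header(user: str, password: str) -> str:
    """Value for auth_policy_server_api_header: HTTP Basic credentials for the
    wforce webserver (same result as: printf 'user:password' | base64)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Authorization: Basic {token}"


def policy_pwhash(nonce: str, login: str, password: str,
                  bits: int = 12, mech: str = "sha256") -> str:
    """hash = H(nonce||user||'\\x00'||password), truncated to `bits` bits.

    bits and mech are assumed settings; bits=0 means no truncation.
    """
    digest = hashlib.new(
        mech, nonce.encode() + login.encode() + b"\x00" + password.encode()
    ).digest()
    if bits == 0:
        return digest.hex()
    nbytes = (bits + 7) // 8       # take MSB bytes, rounded up to a byte boundary
    shift = nbytes * 8 - bits      # surplus low-order bits to shift out
    value = int.from_bytes(digest[:nbytes], "big") >> shift
    return value.to_bytes(nbytes, "big").hex()


if __name__ == "__main__":
    # Credentials for the policy server API: webserver password from wforce.conf.
    print(basic_auth_header("wforce", "super"))
    # Constructed sample nonce and password; the nonce is any random string.
    print(policy_pwhash("some random string", "usuario", "example-password"))
```

With a 12-bit truncation the result is four hex digits whose first digit is always 0, the same shape as the "pwhash" field in the debug log above.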