On 15/12/2023 18:56, Max Nikulin wrote:
On 14/12/2023 18:01, Aki Tuomi via dovecot wrote:
You can set service auth and service auth-worker vsz_limit to 2G, that is usually enough for PAM and Argon2.
Thank you. In my first message I wrote that 1G was enough in my case.
Actually 1G sometimes is not enough. Thunderbird with its multiple parallel connections created simultaneously may be quite successful in making authentication failures rather annoying.
I have not seen failure with "vsz_limit = 2G" yet.
It appears just like incorrect passwords in logs mixed with successful authentications.
12:33:23 dovecot[4299]: auth-worker(4449): Debug: conn unix:auth-worker (pid=4307,uid=114): auth-worker<1>: pam(test,127.0.0.1,<JPhaBWMN8Jp/AAAB>): #1/1 style=1 msg=Password: 12:33:23 auth[4449]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=127.0.0.1 user=test 12:33:24 dovecot[4299]: auth-worker(4449): conn unix:auth-worker (pid=4307,uid=114): auth-worker<1>: pam(test,127.0.0.1,<JPhaBWMN8Jp/AAAB>): pam_authenticate() failed: Authentication failure (Password mismatch?)
Earlier I believed that I know another (inconvenient) workaround: edit /etc/pam.d/dovecot to put content of common-auth and common-session literally and disabling pam_fscrypt.so specifically for dovecot. Unfortunately it does not work. Auth worker still loads pam_fscrypt.so from common-password through some other config file. Even if debug is enabled for pam_fscrypt.so, this library generates no output for both successful and failed authentication attempts. On the other hand I can get debug output from "auth optional pam_fscrypt.so debug".
I have no idea what piece of code (Go runtime, Dovecot, https://github.com/google/fscrypt) causes silent errors leading to authentication failures. It is disappointing since Go+fscrypt should be no-op in this case.