[Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs
Hi all,
I have no idea about that message, here is my configuration, what's wrong?
Debian testing, Dovecot 2.0.15
$ doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5
auth_realms = corp.example.com
auth_username_format = %n
first_valid_gid = 1000
first_valid_uid = 1000
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  driver = pam
}
plugin {
  sieve = /srv/mail/%u/.dovecot.sieve
  sieve_dir = /srv/mail/%u/sieve
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener auth-client {
    group = Debian-exim
    mode = 0660
  }
}
ssl_cert =
# cat /etc/dovecot/master-users
xxx@corp.example.com:zzzzzzzz
The zzzzz is obtained by "doveadm pw -s digest-md5 -u xxx@corp.example.com". I tried adding the prefix "{DIGEST-MD5}" before the generated hash and/or adding "scheme=DIGEST-MD5" to the passwd-file passdb's "args" option; neither helps.
The error message:
dovecot: master: Dovecot v2.0.15 starting up (core dumps disabled)
dovecot: auth: Fatal: DIGEST-MD5 mechanism can't be supported with given passdbs
gold dovecot: master: Error: service(auth): command startup failed, throttling
I enabled the auth debug log; it showed Dovecot read /etc/dovecot/master-users and parsed one line, then the error occurred. Doesn't the passwd-file passdb support the digest-md5 password scheme? If it doesn't, how do I configure the digest-md5 auth mechanism with the digest-md5 password scheme for virtual users?
Regards, Yubao Liu
Yubao Liu wrote:
Hi all,
I have no idea about that message, here is my configuration, what's wrong?
You have 2 passdb entries; 1 with a file and 1 with pam. I'm pretty sure PAM doesn't support DIGEST-MD5 authentication. Could be the cause of the problem.
Rgds, N.
On 01/06/2012 06:52 PM, Nick Rosier wrote:
Yubao Liu wrote:
Hi all,
I have no idea about that message, here is my configuration, what's wrong?
You have 2 passdb entries; 1 with a file and 1 with pam. I'm pretty sure PAM doesn't support DIGEST-MD5 authentication. Could be the cause of the problem.
Thanks, that is indeed the cause.
http://hg.dovecot.org/dovecot-2.0/file/684381041dc4/src/auth/auth.c

    121 static bool auth_passdb_list_have_lookup_credentials(struct auth *auth)
    122 {
    123 	struct auth_passdb *passdb;
    124 
    125 	for (passdb = auth->passdbs; passdb != NULL; passdb = passdb->next) {
    126 		if (passdb->passdb->iface.lookup_credentials != NULL)
    127 			return TRUE;
    128 	}
    129 	return FALSE;
    130 }
I don't know why this function doesn't check auth->masterdbs. If I insert these lines after line 128, that error goes away, and Dovecot's imap-login process happily does DIGEST-MD5 authentication [1]. In my configuration, "masterdbs" contains "passdb passwd-file", "passdbs" contains "passdb pam".
    	for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) {
    		if (passdb->passdb->iface.lookup_credentials != NULL)
    			return TRUE;
    	}
[1] But the authentication for "user*master" always fails, I realized master users can't login as other users by DIGEST-MD5 or CRAM-MD5 auth mechanisms because these authentication mechanisms use "user*master" as username in hash algorithm, not just "master".
Regards, Yubao Liu
On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:
I don't know why this function doesn't check auth->masterdbs, if I insert these lines after line 128, that error goes away, and dovecot's imap-login process happily does DIGEST-MD5 authentication [1]. In my configuration, "masterdbs" contains "passdb passwd-file", "passdbs" contains " passdb pam".
So .. you want DIGEST-MD5 authentication for the master users, but not for anyone else? I hadn't really thought anyone would want that..
On 01/07/2012 12:44 AM, Timo Sirainen wrote:
On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:
I don't know why this function doesn't check auth->masterdbs, if I insert these lines after line 128, that error goes away, and dovecot's imap-login process happily does DIGEST-MD5 authentication [1]. In my configuration, "masterdbs" contains "passdb passwd-file", "passdbs" contains " passdb pam".
So .. you want DIGEST-MD5 authentication for the master users, but not for anyone else? I hadn't really thought anyone would want that..
I hope users use GSSAPI authentication from native MUAs, but RoundCube webmail doesn't support that, so I have to use DIGEST-MD5/CRAM-MD5/PLAIN/LOGIN for authentication between RoundCube and Dovecot, and let RoundCube log in as a master user on behalf of the normal user.
I really don't like to transfer passwords as plain text, so I prefer DIGEST-MD5 and CRAM-MD5 for both the auth mechanisms and the password schemes. My last email was partially wrong: DIGEST-MD5 can't be used for master users because 'real_user*master_user' is used to calculate the digest in the IMAP client, and this can't be consistent with the digest in the passdb because only 'master_user' is used to calculate that digest.
But CRAM-MD5 doesn't use user name to calculate digest, I just tried it successfully with my rude patch to src/auth/auth.c in my previous email:-)
# doveadm pw -s CRAM-MD5 -u webmail    (use 123456 as passwd)
# cat > /etc/dovecot/master-users
webmail:{CRAM-MD5}dd59f669267e9bb13d42a1ba57c972c5b13a4b2ae457c9ada8035dc7d8bae41b
^D
$ gsasl --imap imap.corp.example.com --verbose -m CRAM-MD5 -a 'dieken*webmail@corp.example.com' -p 123456
Trying `gold.corp.example.com'...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
. OK Pre-login capabilities listed, post-login capabilities have more.
. STARTTLS
. OK Begin TLS negotiation now.
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
. OK Pre-login capabilities listed, post-login capabilities have more.
. AUTHENTICATE CRAM-MD5
+ PDM1OTIzODgxNjgyNzUxMjUuMTMyNTg3MDQwMkBnb2xkPg==
ZGlla2VuKndlYm1haWxAY29ycC5leGFtcGxlLmNvbSBkYjRlZWJlMTUwZGZjZjg5NTVkODZhNDBlMGJiZmQzNA==
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
Client authentication finished (server trusted)...
Enter application data (EOF to finish):
It's also OK to use "-a 'dieken*webmail'" instead of "-a 'dieken*webmail@corp.example.com'.
# doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5 cram-md5
auth_realms = corp.example.com
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
first_valid_gid = 1000
first_valid_uid = 1000
mail_debug = yes
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  driver = pam
}
plugin {
  sieve = /srv/mail/%u/.dovecot.sieve
  sieve_dir = /srv/mail/%u/sieve
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener auth-client {
    group = Debian-exim
    mode = 0660
  }
}
ssl_cert =
Regards, Yubao Liu
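A worked illustration of why the CRAM-MD5 login above succeeds for "dieken*webmail" while DIGEST-MD5 cannot. This is an added example, not code from the thread or from Dovecot. CRAM-MD5 (RFC 2195) sends "username HEX(HMAC-MD5(password, challenge))", so the username travels beside the digest but is not hashed: the server strips the master separator, looks up the master user's secret and verifies the digest alone. The DIGEST-MD5 password scheme, by contrast, stores MD5(user:realm:password), so a secret generated for "webmail" can never match a digest the client computed over "dieken*webmail". The challenge/response pair is decoded from the gsasl session in the post; the "*" separator, the names dieken/webmail and the password 123456 follow the post's configuration. Dovecot's {CRAM-MD5} scheme stores HMAC-MD5 intermediate state rather than the clear password; this example keeps the clear password on the server side for brevity, which is a simplification.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# auth_master_user_separator from the config in this thread.
MASTER_SEPARATOR = "*"

# Challenge/response captured from the gsasl session above (base64 as on the wire).
CAPTURED_CHALLENGE_B64 = "PDM1OTIzODgxNjgyNzUxMjUuMTMyNTg3MDQwMkBnb2xkPg=="
CAPTURED_RESPONSE_B64 = (
    "ZGlla2VuKndlYm1haWxAY29ycC5leGFtcGxlLmNvbSBkYjRl"
    "ZWJlMTUwZGZjZjg5NTVkODZhNDBlMGJiZmQzNA=="
)
CAPTURED_CHALLENGE = base64.b64decode(CAPTURED_CHALLENGE_B64)


def cram_md5_challenge(host: str = "gold") -> bytes:
    """Server side: RFC 2195 style challenge '<random.timestamp@host>'."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{host}>".encode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username HEX(HMAC-MD5(password, challenge))'.

    The username is only carried next to the digest, never hashed, which is
    why 'dieken*webmail' can authenticate with webmail's secret.
    """
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def parse_cram_md5_response(response_b64: str) -> Tuple[str, str]:
    """Split a base64 CRAM-MD5 response into (username, hex digest)."""
    username, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    return username, digest


def split_master_login(username: str) -> Tuple[str, Optional[str]]:
    """'login_user*master_user' -> (login_user, master_user); plain login -> (user, None)."""
    if MASTER_SEPARATOR not in username:
        return username, None
    login_user, master_user = username.split(MASTER_SEPARATOR, 1)
    return login_user, master_user


def cram_md5_verify(stored_password: str, challenge: bytes, digest: str) -> bool:
    """Server side: recompute HMAC-MD5 from the stored secret, constant-time compare."""
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def digest_md5_secret(username: str, realm: str, password: str) -> str:
    """What the DIGEST-MD5 password scheme stores: MD5(user:realm:password).

    RFC 2831's H(A1) is built on top of this value, so the username is baked
    into anything the client can produce.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def master_login_with_cram_md5(login_user: str, master_user: str,
                               client_password: str, stored_password: str) -> bool:
    """Full round trip: client authenticates as 'login*master', server checks
    only the master user's stored secret against the digest."""
    challenge = cram_md5_challenge()
    wire_user = f"{login_user}{MASTER_SEPARATOR}{master_user}"
    wire = base64.b64encode(cram_md5_response(wire_user, client_password, challenge)).decode()
    username, digest = parse_cram_md5_response(wire)
    _, master = split_master_login(username)
    return master == master_user and cram_md5_verify(stored_password, challenge, digest)


if __name__ == "__main__":
    user, digest = parse_cram_md5_response(CAPTURED_RESPONSE_B64)
    print("challenge:", CAPTURED_CHALLENGE.decode())
    print("login user / master user:", split_master_login(user))
    print("captured digest verifies with password 123456:",
          cram_md5_verify("123456", CAPTURED_CHALLENGE, digest))
    print("fresh dieken*webmail round trip:",
          master_login_with_cram_md5("dieken", "webmail", "123456", "123456"))
    realm = "corp.example.com"
    print("DIGEST-MD5 secret for webmail differs from dieken*webmail:",
          digest_md5_secret("webmail", realm, "123456")
          != digest_md5_secret("dieken*webmail", realm, "123456"))
```

Running it decodes the captured exchange back to "dieken*webmail@corp.example.com" plus a 32-hex-digit digest, shows that the digest for "dieken*webmail" equals the one for "webmail" under the same challenge and password, and that no DIGEST-MD5 secret generated for "webmail" can match one computed over "dieken*webmail".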
On 01/07/2012 12:44 AM, Timo Sirainen wrote:
On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:
I don't know why this function doesn't check auth->masterdbs, if I insert these lines after line 128, that error goes away, and dovecot's imap-login process happily does DIGEST-MD5 authentication [1]. In my configuration, "masterdbs" contains "passdb passwd-file", "passdbs" contains " passdb pam".
So .. you want DIGEST-MD5 authentication for the master users, but not for anyone else? I hadn't really thought anyone would want that..
Is there any special reason that master passdb isn't taken into account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ? I feel master passdb is also a kind of passdb.
http://wiki2.dovecot.org/PasswordDatabase
You can use multiple databases, so if the password doesn't match in the first database, Dovecot checks the next one. This can be useful if you want to easily support having both virtual users and also local system users (see Authentication/MultipleDatabases http://wiki2.dovecot.org/Authentication/MultipleDatabases).
This is exactly my use case, I use Kerberos for system users, I'm curious why master passdb isn't used to check "have_lookup_credentials" ability.
http://wiki2.dovecot.org/Authentication/MultipleDatabases
Currently the fallback works only with the PLAIN authentication mechanism.
I hope this limitation can be relaxed.
Regards, Yubao Liu
On 6.1.2012, at 19.45, Yubao Liu wrote:
On 01/07/2012 12:44 AM, Timo Sirainen wrote:
On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:
I don't know why this function doesn't check auth->masterdbs, if I insert these lines after line 128, that error goes away, and dovecot's imap-login process happily does DIGEST-MD5 authentication [1]. In my configuration, "masterdbs" contains "passdb passwd-file", "passdbs" contains " passdb pam".
So .. you want DIGEST-MD5 authentication for the master users, but not for anyone else? I hadn't really thought anyone would want that..
Is there any special reason that master passdb isn't taken into account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ? I feel master passdb is also a kind of passdb.
I guess it could be changed. It wasn't done intentionally that way.
This is exactly my use case, I use Kerberos for system users, I'm curious why master passdb isn't used to check "have_lookup_credentials" ability
http://wiki2.dovecot.org/Authentication/MultipleDatabases
Currently the fallback works only with the PLAIN authentication mechanism.
I hope this limitation can be relaxed.
It might already be .. I don't remember. In any case you have only PAM passdb, so it shouldn't matter. GSSAPI isn't a passdb.
On 01/07/2012 01:51 AM, Timo Sirainen wrote:
On 6.1.2012, at 19.45, Yubao Liu wrote:
On 01/07/2012 12:44 AM, Timo Sirainen wrote:
On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:
I don't know why this function doesn't check auth->masterdbs, if I insert these lines after line 128, that error goes away, and dovecot's imap-login process happily does DIGEST-MD5 authentication [1]. In my configuration, "masterdbs" contains "passdb passwd-file", "passdbs" contains " passdb pam".
So .. you want DIGEST-MD5 authentication for the master users, but not for anyone else? I hadn't really thought anyone would want that..
Is there any special reason that master passdb isn't taken into account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ? I feel master passdb is also a kind of passdb.
I guess it could be changed. It wasn't done intentionally that way.
I guess this change broke the old way: http://hg.dovecot.org/dovecot-2.0/rev/b05793c609ac
In old version, "auth->passdbs" contains all passdbs, this revision changes "auth->passdbs" to only contain non-master passdbs.
I'm not sure which fix is better, or even whether my proposal is correct or complete:
a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdb to auth->passdbs too, and remove duplicate code for masterdbs in auth_init() and auth_deinit().
b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(), auth_passdb_list_have_lookup_credentials(), auth_passdb_list_have_set_credentials().
This is exactly my use case, I use Kerberos for system users, I'm curious why master passdb isn't used to check "have_lookup_credentials" ability
http://wiki2.dovecot.org/Authentication/MultipleDatabases
Currently the fallback works only with the PLAIN authentication mechanism.
I hope this limitation can be relaxed.
It might already be .. I don't remember. In any case you have only PAM passdb, so it shouldn't matter. GSSAPI isn't a passdb.
If the fix above is added, then I can use CRAM-MD5 with master passwd-file passdb and normal pam passdb, else imap-login process can't startup due to check in auth_mech_list_verify_passdb().
Attached two patches against dovecot-2.0 branch for the two schemes, the first is cleaner but may affect other logics in other source files.
Another related question is the "pass" option in master passdb. If I set it to "yes", the authentication fails:
Jan 7 11:26:00 gold dovecot: auth: Debug: client in: AUTH#0111#011CRAM-MD5#011service=imap#011secured#011lip=127.0.1.1#011rip=127.0.0.1#011lport=143#011rport=51771
Jan 7 11:26:00 gold dovecot: auth: Debug: client out: CONT#0111#011PDk4NjcwMDY1MTU3NzI3MjguMTMyNTkwNjc2MEBnb2xkPg==
Jan 7 11:26:00 gold dovecot: auth: Debug: client in: CONT#0111#011ZGlla2VuKndlYm1haWwgYmNkMzFiMWE1YjQ1OWQ0OGRkZWQ4ZmIzZDhmMjVhZTc=
Jan 7 11:26:00 gold dovecot: auth: Debug: auth(webmail,127.0.0.1,master): Master user lookup for login: dieken
Jan 7 11:26:00 gold dovecot: auth: Debug: passwd-file(webmail,127.0.0.1,master): lookup: user=webmail file=/etc/dovecot/master-users
Jan 7 11:26:00 gold dovecot: auth: passdb(webmail,127.0.0.1,master): Master user logging in as dieken
Jan 7 11:26:00 gold dovecot: auth: Error: passdb(dieken,127.0.0.1): No passdbs support skipping password verification - pass=yes can't be used in master passdb
Jan 7 11:26:00 gold dovecot: auth: Debug: password(dieken,127.0.0.1): passdb doesn't support credential lookups
My normal passdb is a PAM passdb, it doesn't support credential lookups, that's reasonable, but I feel the comment for "pass" option is confusing:
$ less /etc/dovecot/conf.d/auth-master.conf.ext
....
# Example master user passdb using passwd-file. You can use any passdb though.
passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users

  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
}
According to the comment, it's there to check whether the real user exists, so why check another passdb rather than the userdb? Even if it must check against a passdb, in this case it's obviously not necessary to look up credentials; it's enough to look up the user name only.
Regards, Yubao Liu
Hi Timo,
Did you review the patches in my previous email? I tested both patches against my configuration (pasted in this thread too); they both work well. I prefer the first patch, but I'm not sure whether it breaks something else.
Regards, Yubao Liu
On 7.1.2012, at 5.36, Yubao Liu wrote:
In old version, "auth->passdbs" contains all passdbs, this revision changes "auth->passdbs" to only contain non-master passdbs.
I'm not sure which fix is better or even my proposal is correct or fully: a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdb to auth->passdbs too, and remove duplicate code for masterdbs in auth_init() and auth_deinit().
Not a good idea. The master passdb needs to be treated specially, otherwise you might accidentally allow regular users logging in as other users.
b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(), auth_passdb_list_have_lookup_credentials(), auth_passdb_list_have_set_credentials().
Kind of annoying code duplication, but .. I guess it can't really be helped. Added: http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4
Another related question is "pass" option in master passdb, if I set it to "yes", the authentication fails: .. My normal passdb is a PAM passdb, it doesn't support credential lookups, that's reasonable,
Right.
but I feel the comment for "pass" option is confusing:
  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
}
According the comment, it's to check whether the real user exists, why not to check userdb but another passdb?
Well.. It is going to check userdb eventually anyway, so it would still fail, just a bit later and maybe with different error message.
Even it must check against passdb, in this case, it's obvious not necessary to lookup credentials, it's enough to to lookup user name only.
There's currently no passdb that supports "does user exist?" lookup, but doesn't support credentials lookup, so this is more of a theoretical issue. (I guess maybe PAM could be abused in some configurations to do the check, but that's rather ugly..)
On Tue, Jan 10, 2012 at 2:59 AM, Timo Sirainen tss@iki.fi wrote:
On 7.1.2012, at 5.36, Yubao Liu wrote:
In old version, "auth->passdbs" contains all passdbs, this revision changes "auth->passdbs" to only contain non-master passdbs.
I'm not sure which fix is better or even my proposal is correct or fully: a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdb to auth->passdbs too, and remove duplicate code for masterdbs in auth_init() and auth_deinit().
Not a good idea. The master passdb needs to be treated specially, otherwise you might accidentally allow regular users logging in as other users.
Sorry, I don't understand well. This scheme adds all master dbs to auth->passdbs; auth->masterdbs is not changed and still contains only master users. I guess Dovecot looks up auth->masterdbs for master users and auth->passdbs for regular users; regular users don't know master users' passwords, so they can't log in as other users.
http://wiki2.dovecot.org/Authentication/MasterUsers The "Example configuration" already shows master user account can be added to auth->passdbs too.
This scheme does bring an unexpected issue: the master users can't have separate passwords for regular login as themselves (because masterdbs are also added to passdbs), so the risk of password leakage increases a lot, but I don't think it's good practice to do regular login with a master user account anyway.
Quoted from same wiki page(I really enjoy the wonderful Dovecot wiki, it's the most well organized and documented wiki in open source projects, thank you very much!): "If you want master users to be able to log in as themselves, you'll need to either add the user to the normal passdb or add the passdb to dovecot.conf twice, with and without master=yes. Note that if the passdbs point to different locations, the user can have a different password when logging in as other users than when logging in as himself. This is a good idea since it can avoid accidentally logging in as someone else. "
Anyway, scheme B is much less risky and much simpler, just a little annoying code duplication:-)
b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(), auth_passdb_list_have_lookup_credentials(), auth_passdb_list_have_set_credentials().
Kind of annoying code duplication, but .. I guess it can't really be helped. Added: http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4
Thank you very much, I don't have to maintain my private package:-)
Another related question is "pass" option in master passdb, if I set it to "yes", the authentication fails: .. My normal passdb is a PAM passdb, it doesn't support credential lookups, that's reasonable,
Right.
but I feel the comment for "pass" option is confusing:
  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
}
According the comment, it's to check whether the real user exists, why not to check userdb but another passdb?
Well.. It is going to check userdb eventually anyway, so it would still fail, just a bit later and maybe with different error message.
If Dovecot doesn't check password for the real user against passdb (actually it doesn't have the password of real user because it's doing master user proxy authorization), it won't fail on userdb lookup because the userdb does contain the real user, in my case, the real user is system user and absolutely exists.
Even it must check against passdb, in this case, it's obvious not necessary to lookup credentials, it's enough to to lookup user name only.
There's currently no passdb that supports "does user exist?" lookup, but doesn't support credentials lookup, so this is more of a theoretical issue. (I guess maybe PAM could be abused in some configurations to do the check, but that's rather ugly..)
I don't understand why master user proxy authorization in Dovecot has to check real user against his credential, does that mean "user*master" has to authenticate twice? one for master, one for user, but often client can't provide two passwords in single login and the regular passdb such as PAM passdb doesn't support credentials lookup. So I feel it's better Dovecot checks only destination user names in passdbs or userdbs after master user authentication part succeeds to decide whether the destination user exists, just as the comment for "pass=yes" describes.
This may not be a bug, IMHO just a confusing feature.
Regards, Yubao Liu