[Dovecot] SSL Certificate Authentication
Hi Guys,
I am using the SSL Client Certificate authentication method for my Dovecot instance, however rather than just requiring the client certificate it also prompts me for my user password.
My certificate was securely generated on a smart card and is passphrase protected so I would like to stop having to enter my certificate passphrase and my user password to collect my mail. Whereabouts in the config file can I resolve this issue?
Cheers,
Tony Davies
On 12/17/2008, Anthony Davies (anthony.davies@phoenixphire.org) wrote:
> My certificate was securely generated on a smart card and is passphrase protected so I would like to stop having to enter my certificate passphrase and my user password to collect my mail. Whereabouts in the config file can I resolve this issue?
Generate a certificate without a password.
You can't generate one with a password without it prompting you for the password - otherwise it defeats the purpose of the password.
--
Best regards,
Charles
Hi Charles,
Sorry, my statement wasn't clear. I want/have to be prompted for the passphrase on my certificate, it's the password to check against my system authentication mechanism I want to disable, i.e. /etc/shadow. I want certificate only authentication whereas at present it is certificate and system authentication.
Cheers,
Tony
Charles Marcus wrote:
> On 12/17/2008, Anthony Davies (anthony.davies@phoenixphire.org) wrote:
>> My certificate was securely generated on a smart card and is passphrase protected so I would like to stop having to enter my certificate passphrase and my user password to collect my mail. Whereabouts in the config file can I resolve this issue?
> Generate a certificate without a password.
> You can't generate one with a password without it prompting you for the password - otherwise it defeats the purpose of the password.
On 12/17/2008, Anthony Davies (anthony.davies@phoenixphire.org) wrote:
> Sorry, my statement wasn't clear. I want/have to be prompted for the passphrase on my certificate, it's the password to check against my system authentication mechanism I want to disable, i.e. /etc/shadow. I want certificate only authentication whereas at present it is certificate and system authentication.
Oh, right, sorry... :)
In that case, dovecot -n output?
--
Best regards,
Charles
What you really want is the "AUTH EXTERNAL" authentication mechanism. This would authenticate your users based on the used certificate. Unfortunately, this mechanism is not supported in dovecot as well as in most clients. Courier has supported it for some months if you really need it.
There's no way in dovecot to use no password, but there's one to use any password: Your password database has to return the field "nopassword", value
- But you should consider that this means that your users can impersonate any other user on your mailserver as the SSL certificate here only controls access, but not identity.
-----Original Message-----
From: dovecot-bounces+siebert+lists=et.rub.de@dovecot.org [mailto:dovecot-bounces+siebert+lists=et.rub.de@dovecot.org] On Behalf Of Anthony Davies
Sent: Thursday, December 18, 2008 12:27 AM
To: dovecot@dovecot.org
Subject: [Dovecot] SSL Certificate Authentication
Hi Guys,
I am using the SSL Client Certificate authentication method for my Dovecot instance, however rather than just requiring the client certificate it also prompts me for my user password.
My certificate was securely generated on a smart card and is passphrase protected so I would like to stop having to enter my certificate passphrase and my user password to collect my mail. Whereabouts in the config file can I resolve this issue?
Cheers,
Tony Davies
On 12/18/2008 at 01:13:27PM +0100, Thomas Siebert wrote:
> What you really want is the "AUTH EXTERNAL" authentication mechanism. This would authenticate your users based on the used certificate. Unfortunately, this mechanism is not supported in dovecot as well as in most clients. Courier has supported it for some months if you really need it.
What widespread mail clients support EXTERNAL? BTW it's trivial to implement it in dovecot if there is a real demand.
> There's no way in dovecot to use no password, but there's one to use any password: Your password database has to return the field "nopassword", value
> - But you should consider that this means that your users can impersonate any other user on your mailserver as the SSL certificate here only controls access, but not identity.
That's not true. Look at ssl_username_from_cert and ssl_cert_username_field configuration parameters.
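The settings named in the replies above, put together as an added configuration sketch that is not from any of the thread's participants. It assumes Dovecot 1.x syntax, a static passdb with `nopassword=y`, a system userdb, and a placeholder CA path; adjust these to the installed version.

```conf
# Constructed dovecot.conf fragment (Dovecot 1.x style); paths are placeholders.

ssl_ca_file = /etc/ssl/mail-clients-ca.pem  # placeholder: CA that issued the client certificates
ssl_verify_client_cert = yes                # request and validate a client certificate
ssl_cert_username_field = commonName        # subject field that carries the login name

auth default {
  mechanisms = plain
  ssl_require_client_cert = yes   # fail authentication if no valid client certificate was presented

  # Weak variant: with this set to "no", the nopassword passdb below accepts
  # whatever username the client types, so any certificate holder can log in
  # as any other user (the impersonation concern raised in the thread).
  # ssl_username_from_cert = no

  # Corrected variant: the username is taken from the certificate field named
  # by ssl_cert_username_field and replaces the username sent by the client.
  ssl_username_from_cert = yes

  passdb static {
    args = nopassword=y           # accept any password; the certificate is the credential
  }
  userdb passwd {
  }
}
```

The mail client still sends a password during login, but its value is not checked; `dovecot -n` shows whether the settings took effect.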
participants (4)
- Andrey Panin
- Anthony Davies
- Charles Marcus
- Thomas Siebert