[Dovecot] cram-md5 and users maintaining their own passwords?
Is there any other mechanism than using passwd files with md5-hashed passwords created by dovecotpw that will support cram-md5 authentication?
Has anyone created setups where the passwd databases reside in the individual users home directories?
Is it possible to persuade dovecotpw to update the passwd databases automatically. Having to use a text editor to paste in the passwords sets a high user threshold on using the cram-md5 authentication mechanism.
Thanx!
- Steinar
Steinar Bang sb@dod.no:
Is there any other mechanism than using passwd files with md5-hashed passwords created by dovecotpw that will support cram-md5 authentication?
It would have been really neat if there had been a pam_crammd5.so that worked similar to pam_smbpass.so, i.e. stored an md5 hash version of the password, when it was changed.
On Fri, 2008-09-12 at 20:17 +0200, Steinar Bang wrote:
Is there any other mechanism than using passwd files with md5-hashed passwords created by dovecotpw that will support cram-md5 authentication?
You can use any "Lookup database" as listed in http://wiki.dovecot.org/PasswordDatabase
Has anyone created setups where the passwd databases reside in the individual users home directories?
passdb passwd-file {
  args = /home/%u/dovecot.passwd
}
The performance might not be that great though since it'll have to open a lot of files. Also Dovecot never closes passwd files it has opened, so this method won't work if you have a lot of users (I guess a few hundred is still ok).
Is it possible to persuade dovecotpw to update the passwd databases automatically. Having to use a text editor to paste in the passwords sets a high user threshold on using the cram-md5 authentication mechanism.
Currently Dovecot is internally able to update passwords only in SQL database. But dovecotpw can't currently update even that. Maybe some day.
Timo Sirainen tss@iki.fi:
On Fri, 2008-09-12 at 20:17 +0200, Steinar Bang wrote:
Is there any other mechanism than using passwd files with md5-hashed passwords created by dovecotpw that will support cram-md5 authentication?
You can use any "Lookup database" as listed in http://wiki.dovecot.org/PasswordDatabase
But that includes passwd and shadow, and I thought they couldn't be used, even with md5 hashing of the passwords, because the md5 hash used was different to the one of cram-md5?
If I can use the normal passwd/shadow of the system, that would be exactly what I want.
Has anyone created setups where the passwd databases reside in the individual users home directories?
passdb passwd-file {
  args = /home/%u/dovecot.passwd
}
Ok. Thanx.
The performance might not be that great though since it'll have to open a lot of files. Also Dovecot never closes passwd files it has opened, so this method won't work if you have a lot of users (I guess a few hundred is still ok).
Ok, the machine will only ever serve 3-10 users (it's my home LAN server), so that would probably never be a problem.
But if I actually can use the normal passwd of the machine, then all of this is a non-issue.
Thanx!
On Sat, 2008-09-13 at 14:48 +0200, Steinar Bang wrote:
Timo Sirainen tss@iki.fi:
On Fri, 2008-09-12 at 20:17 +0200, Steinar Bang wrote:
Is there any other mechanism than using passwd files with md5-hashed passwords created by dovecotpw that will support cram-md5 authentication?
You can use any "Lookup database" as listed in http://wiki.dovecot.org/PasswordDatabase
But that includes passwd and shadow, and I thought they couldn't be used, even with md5 hashing of the passwords, because the md5 hash used was different to the one of cram-md5?
If I can use the normal passwd/shadow of the system, that would be exactly what I want.
You can use shadow, but only if you can put the passwords there as {cram-md5}password. That of course means that only Dovecot is able to use such passwords. Also you can't modify the passwords with passwd utility because it doesn't write compatible passwords. Maybe I should mention this in the wiki page. :)
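Added example, not part of the thread and not Dovecot code: the CRAM-MD5 exchange (RFC 2195) from both sides, showing why a salted MD5-crypt entry from /etc/shadow cannot answer the challenge. The hostname, the `lookup_secret` callback and the sample databases are assumptions; the sketch keys the HMAC with the plaintext password, where a server may instead store a value derived from it that still lets it compute the HMAC.

```python
import base64
import hashlib
import hmac
import os
import time

def make_challenge(hostname):
    """Server: fresh msg-id style challenge so a captured response cannot be replayed."""
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), hostname)

def client_response(user, password, challenge):
    """Client: HMAC-MD5 keyed with the password over the challenge, then base64."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (user, digest)).encode()).decode()

def server_verify(response_b64, challenge, lookup_secret):
    """Server: recompute the HMAC from the stored secret and compare in constant time."""
    try:
        user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return False
    secret = lookup_secret(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())

# Constructed sample data: user and password are the RFC 2195 example values;
# the "$1$..." string is a made-up stand-in for an MD5-crypt entry in /etc/shadow.
USABLE_DB = {"tim": "tanstaaftanstaaf"}
SHADOW_DB = {"tim": "$1$constructed$notARealCryptHashValue"}

def demo():
    """Same client response checked against both databases."""
    challenge = make_challenge("mail.example.org")  # hypothetical hostname
    response = client_response("tim", "tanstaaftanstaaf", challenge)
    return (server_verify(response, challenge, USABLE_DB.get),
            server_verify(response, challenge, SHADOW_DB.get))

if __name__ == "__main__":
    print(demo())
```

The second result is false because the server only holds a one-way salted hash and has nothing it can use as the HMAC key.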
Timo Sirainen tss@iki.fi:
You can use shadow, but only if you can put the passwords there as {cram-md5}password. That of course means that only Dovecot is able to use such passwords. Also you can't modify the passwords with passwd utility because it doesn't write compatible passwords.
Ah... which means that in practice I can't...;-)
Maybe I should mention this in the wiki page. :)
Indeed! :-)
On Fri, 2008-09-12 at 20:17 +0200, Steinar Bang wrote:
Is it possible to persuade dovecotpw to update the passwd databases automatically. Having to use a text editor to paste in the passwords sets a high user threshold on using the cram-md5 authentication mechanism.
You can of course create your own wrapper script to dovecotpw to do that..
Timo Sirainen tss@iki.fi:
On Fri, 2008-09-12 at 20:17 +0200, Steinar Bang wrote:
Is it possible to persuade dovecotpw to update the passwd databases automatically. Having to use a text editor to paste in the passwords sets a high user threshold on using the cram-md5 authentication mechanism.
You can of course create your own wrapper script to dovecotpw to do that..
That I can, but I wanted to make sure I didn't overlook something.
Another thing is that I'd rather avoid making a script be sudo root, if I can (but of course splitting the passwd files would be a way to avoid that).
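Added example, not part of the thread and not Dovecot code: one way to write the dovecotpw wrapper discussed above so that it runs as the user, against a per-user file such as the /home/%u/dovecot.passwd from the thread, with no sudo. It assumes `dovecotpw -s CRAM-MD5` prompts on the terminal and prints only the hash on stdout; `update_passwd_file` and `hash_with_dovecotpw` are hypothetical names.

```python
import os
import subprocess
import tempfile

def hash_with_dovecotpw():
    """Let dovecotpw prompt for the password itself, so it never appears in argv."""
    # Assumption: the prompts go to the terminal and stdout carries only the hash.
    out = subprocess.run(["dovecotpw", "-s", "CRAM-MD5"],
                         stdout=subprocess.PIPE, check=True)
    return out.stdout.decode().strip()

def update_passwd_file(path, user, hashed):
    """Set user's password field in a passwd-file; return True if an entry existed."""
    if any(c in user + hashed for c in ":\r\n") or not user:
        raise ValueError("field separator or newline in user/hash")
    try:
        with open(path) as f:
            lines = f.read().splitlines()
    except FileNotFoundError:
        lines = []
    out, replaced = [], False
    for line in lines:
        fields = line.split(":")
        if fields[0] == user:
            # Keep uid, gid, home and any extra fields; swap only the password.
            fields = [user, hashed] + fields[2:]
            line, replaced = ":".join(fields), True
        out.append(line)
    if not replaced:
        out.append("%s:%s" % (user, hashed))
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically,
    # so a concurrent reader never sees a half-written password file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.write("\n".join(out) + "\n")
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return replaced

if __name__ == "__main__":
    import getpass
    update_passwd_file(os.path.expanduser("~/dovecot.passwd"),
                       getpass.getuser(), hash_with_dovecotpw())
```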
participants (2): Steinar Bang, Timo Sirainen