Multiple passwords for a user (SQL)
Hi everyone,
I'm not sure if this has been discussed already as I couldn't find anything in the archives - maybe I'm looking for the wrong thing.
I want to build something similar to Google's "app passwords" where you use a different password (strong, auto generated) for each device / app. In general I think this is pretty easy on the database side as I just need a password table and link the passwords with a user_id to the corresponding user in the users table - one user has many passwords (1:n). For dovecot this means that it will get multiple rows with passwords back from the "password_query". Is there a way to tell dovecot to check all those returned passwords and "pass" the request if one of those passwords match?
thank you, best regards Marco
On Mon, 6 Oct 2014, Marco Fretz wrote:
corresponding user in the users table - one user has many passwords (1:n). For dovecot this means that it will get multiple rows with passwords back from the "password_query". Is there a way to tell dovecot to check all those returned passwords and "pass" the request if one of those passwords match?
I think no, but you could craft a PAM module and use the pam passdb or supply a checkpassword script:
http://wiki2.dovecot.org/PasswordDatabase
Steffen Kaiser
Thank you Steffen,
This sounds like a plan. checkpassword looks quite simple to use and I could still use default userdb with dovecot-sql for userhome, quota, etc. I'll give this a try.
thanks Marco
On 06.10.2014 13:52, Steffen Kaiser wrote:
On Mon, 6 Oct 2014, Marco Fretz wrote:
corresponding user in the users table - one user has many passwords (1:n). For dovecot this means that it will get multiple rows with passwords back from the "password_query". Is there a way to tell dovecot to check all those returned passwords and "pass" the request if one of those passwords match?
I think no, but you could craft a PAM module and use the pam passdb or supply a checkpassword script:
http://wiki2.dovecot.org/PasswordDatabase
-- Steffen Kaiser
I managed to write an ugly but working checkpassword script for dovecot, having multiple passwords for a user. But now I found this: https://github.com/dweuthen/roundcube-application_passwords
I think this is the better way to go. The crypt passwords are the biggest problem because you need the stored hash to generate the input hash. I know this is safer, but in my opinion SHA2 or whatever is the best available hash in MySQL should do it as well.
Having application passwords is a bigger security advantage than having stronger hashes in the database.
correct me if I'm wrong :-)
best regards Marco
On 06.10.2014 16:46, Marco Fretz wrote:
Thank you Steffen,
This sounds like a plan. checkpassword looks quite simple to use and I could still use default userdb with dovecot-sql for userhome, quota, etc. I'll give this a try.
thanks Marco
On 06.10.2014 13:52, Steffen Kaiser wrote:
On Mon, 6 Oct 2014, Marco Fretz wrote:
corresponding user in the users table - one user has many passwords (1:n). For dovecot this means that it will get multiple rows with passwords back from the "password_query". Is there a way to tell dovecot to check all those returned passwords and "pass" the request if one of those passwords match?
I think no, but you could craft a PAM module and use the pam passdb or supply a checkpassword script:
-- Steffen Kaiser
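The checkpassword route Steffen suggests and the salted-hash problem Marco runs into in the later message can be shown together in one script. The example below is added here for illustration; it is not Marco's script, not the roundcube-application_passwords plugin, and not Dovecot's own code. It assumes a hypothetical schema with a `users(id, username)` table and an `app_passwords(user_id, label, salt, hash)` table holding one salted PBKDF2-HMAC-SHA256 hash per application password, and it uses an in-memory sqlite3 database with constructed sample rows in place of MySQL so that it runs offline. Because every row carries its own salt, a single `SHA2(?)` comparison inside the SQL query cannot match the candidate; the script therefore fetches all of the user's rows and hashes the candidate once per row, which is exactly the per-row check Dovecot's `password_query` does not do on its own.

```python
"""checkpassword-style verifier accepting any one of several per-app passwords.

Added example for this thread (hypothetical schema, sqlite3 standing in for
MySQL). Run under Dovecot as a checkpassword script: credentials arrive on
fd 3 as "username\\0password\\0", the reply program is argv[1].
"""
import hashlib
import hmac
import os
import sqlite3
import sys

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The per-row salt is why the lookup must
    iterate over the user's rows instead of matching a hash in SQL."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_app_password(conn, username: str, label: str, password: str) -> None:
    """Store one application password (fresh random salt) for a user."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO app_passwords(user_id, label, salt, hash) "
        "SELECT id, ?, ?, ? FROM users WHERE username = ?",
        (label, salt, hash_password(password, salt), username),
    )
    conn.commit()


def verify_any(conn, username: str, candidate: str):
    """Return the label of the first app password that matches, else None.
    Every row is compared with a constant-time digest comparison."""
    rows = conn.execute(
        "SELECT p.label, p.salt, p.hash FROM app_passwords p "
        "JOIN users u ON u.id = p.user_id WHERE u.username = ?",
        (username,),
    ).fetchall()
    matched = None
    for label, salt, stored in rows:
        if matched is None and hmac.compare_digest(hash_password(candidate, salt), stored):
            matched = label
    return matched


def parse_checkpassword_input(data: bytes):
    """checkpassword convention: username and password, each NUL-terminated."""
    parts = data.split(b"\0")
    if len(parts) < 2:
        raise ValueError("malformed checkpassword input")
    return parts[0].decode("utf-8"), parts[1].decode("utf-8")


def setup_demo_db():
    """Constructed sample database: one user with two application passwords."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT UNIQUE);"
        "CREATE TABLE app_passwords(user_id INTEGER REFERENCES users(id),"
        " label TEXT, salt BLOB, hash BLOB);"
        "INSERT INTO users(username) VALUES ('marco@example.org');"
    )
    add_app_password(conn, "marco@example.org", "phone", "correct horse battery staple")
    add_app_password(conn, "marco@example.org", "laptop", "kJ9#tR2!pWq8")
    return conn


def main() -> None:
    """Dovecot checkpassword entry point: exec the reply program (argv[1]) on
    success, exit 1 on bad credentials, exit 111 on a temporary failure."""
    try:
        with os.fdopen(3, "rb") as fd3:
            username, password = parse_checkpassword_input(fd3.read())
        conn = setup_demo_db()  # a real deployment connects to the production DB here
        if verify_any(conn, username, password) is None:
            sys.exit(1)
        os.environ["USER"] = username  # assumed: reply program reads USER from env
        os.execvp(sys.argv[1], sys.argv[1:])
    except (OSError, ValueError):
        sys.exit(111)


if __name__ == "__main__":
    main()
```

`verify_any` is the piece that answers the original question: it is the script, not the SQL, that walks the 1:n rows and accepts the login if any one of them matches, so the userdb side can stay on dovecot-sql as Marco planned. The work factor is charged once per stored password, so a user with many app passwords costs proportionally more per login attempt; that is the price of per-row salts, and it also keeps the stored hashes individually salted even when two apps were given the same secret.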