cram-md5, sasl and lua (inheriting technical debt)
Hello,
I am exploring the possibility of migrating an existing setup to postfix+dovecot. The issue being that many clients are currently configured for cram-md5 authentication. I am fully aware that this is a really, really, really bad idea, but reconfiguring all clients at once is not feasible with limited end user support resources. I have a setup running with LUA for the passdb, and everything works with PLAIN login.
To keep compatibility with the PLAIN login mechanism I have tried to store {PLAIN} passwords in the DB, since proper secure password storage is incompatible with CRAM-MD5.
My issue is that the LUA function auth_password_verify(req, pass) does not even seem to be called for cram-md5 logins. Reading through the documentation also seems to indicate that the challenge is not passed to the LUA function, making it impossible to compute the hash in LUA or with the function req.password_verify(req, row.password, pass).
Is my assumption correct that cram-md5 cannot work with a LUA script?
Kind regards, Peter K.
On 18/07/2023 13:59 EEST tknb8@tunenet.dk wrote:
Hi!
CRAM-MD5 only works if you return a credential, so you need to use auth_passdb_lookup to return it with {PLAIN} prefix. It's not possible to use Lua script to calculate it yourself.
There is also a CRAM-MD5 password scheme, but calculating that is slightly difficult, so I'd just return the PLAIN password from auth_passdb_lookup instead.
Aki
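To make the answer above concrete, here is an added example of a Dovecot Lua passdb that does what Aki describes: it serves CRAM-MD5 by returning the stored credential from auth_passdb_lookup with a {PLAIN} scheme prefix, rather than trying to verify inside Lua. This is not code from the thread or from Dovecot itself; the in-script table standing in for the password database is constructed, and the passdb stanza and file path shown in the header comment are assumptions.

```lua
-- Added example (not from the thread or from Dovecot): minimal Lua passdb
-- that supports CRAM-MD5 by returning the credential from auth_passdb_lookup.
-- Assumed passdb stanza in dovecot.conf (path is a placeholder):
--   passdb {
--     driver = lua
--     args = file=/etc/dovecot/auth.lua blocking=yes
--   }

-- Constructed stand-in for the real password DB: user -> stored plaintext.
-- CRAM-MD5 requires the server to hold either the plaintext or the
-- {CRAM-MD5} intermediate, so a one-way hash such as {SHA512-CRYPT}
-- can never satisfy it; this is the technical debt the subject refers to.
local constructed_db = {
  ["alice@example.com"] = "correct-horse-battery-staple",
  ["bob@example.com"]   = "hunter2",
}

-- auth_passdb_lookup is the hook Dovecot uses for non-plaintext mechanisms.
-- For CRAM-MD5 the challenge never reaches Lua: Dovecot performs the
-- challenge/response check itself against the password returned here,
-- which is why the prefix must be a scheme it can use for that ({PLAIN}
-- or {CRAM-MD5}). The same hook also serves PLAIN and LOGIN, because
-- Dovecot can compare a client-supplied plaintext against a {PLAIN} value.
function auth_passdb_lookup(req)
  -- req.user is the full login name as sent by the client.
  local stored = constructed_db[req.user]
  if stored == nil then
    -- Distinguishing "unknown user" from "bad password" is visible only in
    -- the server log, not to the client, so it is safe to return here.
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
  end
  -- Second return value is the extra-fields string; "password" is the
  -- field Dovecot reads the credential from, scheme prefix included.
  return dovecot.auth.PASSDB_RESULT_OK, "password={PLAIN}" .. stored
end
```

Note that auth_password_verify(req, pass) is deliberately absent: it is only invoked for mechanisms where Dovecot already has the client's plaintext password, so defining it does nothing for CRAM-MD5, which is exactly the behaviour the original post observed. The {CRAM-MD5} scheme Aki mentions can be generated with `doveadm pw -s CRAM-MD5`; it stores the HMAC-MD5 intermediate state instead of the plaintext, but anyone who reads the database can still authenticate with it, so from a risk standpoint it is equivalent to storing {PLAIN} and the clients should still be moved to a mechanism that allows properly hashed storage.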
participants (2): Aki Tuomi, tknb8@tunenet.dk