Disabling auth fallback to PAM
Hi folks,
According to the wiki,¹ it's considered a feature of Dovecot and its ability to support multiple authentication sources that "if the password doesn't match in the first database, it checks the next one".
¹) http://wiki.dovecot.org/Authentication/MultipleDatabases
I think it's great that Dovecot allows auth sources to be stacked like this, but I am not sold on the idea that the next database ought to be tried when a *password* does not match. Let me elaborate:
If the first database has knowledge of a user, then it can (should) be considered authoritative, and if the provided password does not match, it's an authentication error right away. Only if the first source does not possess any knowledge about a given user, then should Dovecot proceed to query/check with the next database.
Can this be configured somehow? If not, would it make sense to make this behaviour configurable?
Thanks,
-- @martinkrafft | http://madduck.net/ | http://two.sentenc.es/
"the ships hung in the sky in much the same way that bricks don't." -- hitchhiker's guide to the galaxy
spamtraps: madduck.bogus@madduck.net
On 17 Nov 2015, at 22:51, martin f krafft <madduck@madduck.net> wrote:
> Hi folks,
> According to the wiki,¹ it's considered a feature of Dovecot and its ability to support multiple authentication sources that "if the password doesn't match in the first database, it checks the next one".
> ¹) http://wiki.dovecot.org/Authentication/MultipleDatabases
> I think it's great that Dovecot allows auth sources to be stacked like this, but I am not sold on the idea that the next database ought to be tried when a *password* does not match. Let me elaborate:
> If the first database has knowledge of a user, then it can (should) be considered authoritative, and if the provided password does not match, it's an authentication error right away. Only if the first source does not possess any knowledge about a given user, then should Dovecot proceed to query/check with the next database.
> Can this be configured somehow? If not, would it make sense to make this behaviour configurable?
Well, your topic is PAM.. And PAM doesn't necessarily tell you if the problem is that the user doesn't exist or that the password doesn't match. Another similar problem is checkpassword script. And LDAP with auth_bind=yes. And some ways of configuring SQL..
But.. Right now passdb has result_success, result_failure and result_internalfail. I suppose it should be possible to add result_user_unknown there that defaults to result_failure if it's not explicitly set. It wouldn't work with all passdb setups, but it would work for some. I've added it to my TODO list, but that's quite long already and this is near the bottom of it. So if you want it to be added to Dovecot anytime soon please send a patch. Shouldn't be difficult to implement.
also sprach Timo Sirainen <tss@iki.fi> [2015-11-21 14:14 +1300]:
> Well, your topic is PAM.
Is it? My point is that PAM should not even be asked if an authentication source beforehand knows about a user but the password cannot be verified.
> But.. Right now passdb has result_success, result_failure and result_internalfail. I suppose it should be possible to add result_user_unknown there that defaults to result_failure if it's not explicitly set.
result_user_known should be returned when the authentication source does not know about a user.
If the authentication source knows a user but fails to authenticate him/her due to a password mismatch, the result should rather be result_auth_failure.
Those two should really replace result_failure and the dovecot authentication stack should only continue on result_user_known or result_internalfail. If we get result_success or result_auth_failure, then authentication is done and no further sources should be considered.
-- @martinkrafft | http://madduck.net/ | http://two.sentenc.es/
only by counting could humans demonstrate their independence of computers. -- douglas adams, "the hitchhiker's guide to the galaxy"
spamtraps: madduck.bogus@madduck.net
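
The two chain policies discussed in this thread, as an added example that is not part of the original messages and is not Dovecot's code: a toy passdb chain in which `FALLTHROUGH` continues after a password mismatch (the behaviour quoted from the wiki) and `PROPOSED` continues only on an unknown user or an internal failure. The `Result` names, `table_passdb`, `authenticate`, the "sql"/"pam" labels and the sample users and passwords are assumptions made for the illustration.

```python
import hmac
from enum import Enum

class Result(Enum):
    SUCCESS = "success"
    AUTH_FAILURE = "auth_failure"   # user is known, password does not match
    USER_UNKNOWN = "user_unknown"   # this source has no record of the user
    INTERNAL_FAIL = "internalfail"  # the lookup itself failed

def table_passdb(users):
    """Hypothetical passdb over a constructed {user: password} table."""
    def lookup(user, password):
        if user not in users:
            return Result.USER_UNKNOWN
        ok = hmac.compare_digest(users[user].encode(), password.encode())
        return Result.SUCCESS if ok else Result.AUTH_FAILURE
    return lookup

# Results after which the next passdb in the chain is tried.
FALLTHROUGH = {Result.AUTH_FAILURE, Result.USER_UNKNOWN, Result.INTERNAL_FAIL}
PROPOSED = {Result.USER_UNKNOWN, Result.INTERNAL_FAIL}

def authenticate(chain, continue_on, user, password):
    """Walk the chain; return (granted, names of the passdbs consulted)."""
    consulted = []
    for name, lookup in chain:
        consulted.append(name)
        result = lookup(user, password)
        if result is Result.SUCCESS:
            return True, consulted
        if result not in continue_on:
            break  # this source is treated as authoritative for the outcome
    return False, consulted

# Constructed sample data: alice has a mail password in the first source and a
# different system password in the fallback; bob exists only in the fallback.
CHAIN = [
    ("sql", table_passdb({"alice": "mail-pw"})),
    ("pam", table_passdb({"alice": "login-pw", "bob": "bob-pw"})),
]

if __name__ == "__main__":
    for label, policy in (("fall-through", FALLTHROUGH), ("proposed", PROPOSED)):
        for user, pw in (("alice", "login-pw"), ("bob", "bob-pw")):
            print(label, user, authenticate(CHAIN, policy, user, pw))
```

With the fall-through policy, alice's system password is accepted by the second source even though the first source knows her and rejected it; with the proposed policy the chain stops at the first source. A user known only to the fallback (bob) authenticates under both policies.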
participants (2): martin f krafft, Timo Sirainen