[Dovecot] Secure Sockets Layer client certificate authentication
Hi everyone.
Please note, I've asked a very similar question before and I apologize for sounding like a broken record. Well, here it goes.
What I want to do is authenticate my users using a certificate, thereby authenticating both the user and the server with strong tokens that are centrally managed. In the worst-case scenario the user should only need to enter a password for the certificate store, and then the certificate should trigger the appropriate level of access to their account.
Is Dovecot the correct tool for the job?
If yes then, how?
Else if not, then what would you recommend?
I have tried setting the auth mechanism to anonymous without any joy. My password file is set with nopassword. All my certificates work well with the Secure Sockets Layer system.
This is the configuration I am currently running:

# 1.2.beta1: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl
log_path: /opt/var/log/dovecot.log
info_log_path: /opt/var/log/dovecot-info.log
protocols: imaps
ssl_ca_file: /opt/etc/ssl.ca/cacrl.pem
ssl_cert_file: /opt/etc/ssl.ca/newcerts/imap.cer
ssl_key_file: /opt/etc/ssl.ca/private/imap.key
ssl_parameters_regenerate: 24
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
disable_plaintext_auth: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot/login
login_executable: /opt/libexec/dovecot/imap-login
login_user: guest
login_processes_count: 2
login_max_processes_count: 4
mbox_write_locks: fcntl
mail_process_size: 512
imap_client_workarounds: outlook-idle tb-negative-fetch
auth default:
  user: admin
  verbose: yes
  debug: yes
  ssl_require_client_cert: yes
  ssl_username_from_cert: yes
  passdb:
    driver: passwd-file
    args: /opt/etc/dovecot/h.org/passwd
  userdb:
    driver: passwd
This is a log of a login attempt:

dovecot: May 25 11:55:58 Info: auth(default): new auth connection: pid=22556
dovecot: May 25 11:56:08 Info: imap-login: Valid certificate: /O=home.org/emailAddress=admin@nas2.h.org/L=W/ST=C/C=G/CN=h.org
dovecot: May 25 11:56:08 Info: imap-login: Valid certificate: /C=G/ST=C/O=h.org/OU=K F/CN=k
dovecot: May 25 11:56:10 Info: auth(default): new auth connection: pid=22585
dovecot: May 25 11:56:16 Info: auth(default): client in: AUTH 1 PLAIN service=imap secured valid-client-cert cert_username=k lip=10.1.1.245 rip=10.1.1.1 lport=993 rport=53430
dovecot: May 25 11:56:16 Info: auth(default): client out: CONT 1
dovecot: May 25 11:56:16 Info: auth(default): client in: CONT<hidden>
dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1): lookup: user=k file=/opt/etc/dovecot/h.org/passwd
dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1): No password
dovecot: May 25 11:56:16 Info: auth(default): client out: OK 1 user=k
dovecot: May 25 11:56:16 Info: auth(default): master in: REQUEST 6 22164 1
dovecot: May 25 11:56:16 Info: auth(default): passwd(k,10.1.1.1): lookup
dovecot: May 25 11:56:16 Info: auth(default): master out: USER 6 k system_user=k uid=500 gid=100 home=/
dovecot: May 25 11:56:16 Info: imap-login: Login: user=<k>, method=PLAIN, rip=10.1.1.1, lip=10.1.1.245, TLS
With this configuration the client will connect over SSL and identify itself with a certificate, but a client password is still required.
-- Regards
Stephen.
On 5/25/2009, Stephen Feyrer (steve@toth.org.uk) wrote:
> This is the configuration I am currently running:
> # 1.2.beta1: /opt/etc/dovecot/dovecot.conf
If you are going to run unstable versions of s/w, you should be prepared to run the *latest* versions as soon as they are released, in order to avoid wasting both your and the developers' time troubleshooting/reporting problems that very well may be fixed already.
If/when you encounter a problem, check versions, update to latest if available, retest, *then* report problem if it still exists.
1.2.beta1 is 3.5 months old. *Lots* of changes since then.
--
Best regards,
Charles
Hi.
This is the latest version available to me.
Thanks.
Charles Marcus wrote:
> On 5/25/2009, Stephen Feyrer (steve@toth.org.uk) wrote:
>> This is the configuration I am currently running:
>> # 1.2.beta1: /opt/etc/dovecot/dovecot.conf
>
> If you are going to run unstable versions of s/w, you should be prepared to run the *latest* versions as soon as they are released, in order to avoid wasting both your and the developers' time troubleshooting/reporting problems that very well may be fixed already.
>
> If/when you encounter a problem, check versions, update to latest if available, retest, *then* report problem if it still exists.
>
> 1.2.beta1 is 3.5 months old. *Lots* of changes since then.
On 5/25/2009 7:44 PM, Stephen Feyrer wrote:
>>> This is the configuration I am currently running:
>>> # 1.2.beta1: /opt/etc/dovecot/dovecot.conf
>>
>> If you are going to run unstable versions of s/w, you should be prepared to run the *latest* versions as soon as they are released, in order to avoid wasting both your and the developers' time troubleshooting/reporting problems that very well may be fixed already.
>>
>> If/when you encounter a problem, check versions, update to latest if available, retest, *then* report problem if it still exists.
>>
>> 1.2.beta1 is 3.5 months old. *Lots* of changes since then.
>
> This is the latest version available to me.
No it isn't... but if you really believe this, then you shouldn't be running it (no offense).
--
Best regards,
Charles
On Mon, 2009-05-25 at 14:51 +0100, Stephen Feyrer wrote:
> passdb:
>   driver: passwd-file
>   args: /opt/etc/dovecot/h.org/passwd
> ..
> With this configuration the client will connect over SSL and identify itself with a certificate, but a client password is still required.
Right. A password is always required, but you can set Dovecot to accept any password. Set the password field empty in the passwd file and add the nopassword extra field. http://wiki.dovecot.org/AuthDatabase/PasswdFile
Timo Sirainen wrote:
> On Mon, 2009-05-25 at 14:51 +0100, Stephen Feyrer wrote:
>> passdb:
>>   driver: passwd-file
>>   args: /opt/etc/dovecot/h.org/passwd
>> ..
>> With this configuration the client will connect over SSL and identify itself with a certificate, but a client password is still required.
>
> Right. A password is always required, but you can set Dovecot to accept any password. Set the password field empty in the passwd file and add the nopassword extra field. http://wiki.dovecot.org/AuthDatabase/PasswdFile
I have to admit I've seen that. I want to turn off password prompt entirely, in effect external authentication.
Is it a bad idea to remove the password prompt if any password will be accepted?
-- Kind regards
Stephen
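As an added example (not code from this thread or from Dovecot), the following Python script ties Timo's nopassword hint to the auth debug log in Stephen's first post and to Stephen's question about the risk: once any password is accepted, the client certificate is the only credential that is really checked, so it is worth being able to prove from the logs that every accepted login actually carried one. The script renders the passwd-file entry with an empty password field plus nopassword, then scans auth debug lines and flags successful logins whose AUTH request had no valid-client-cert flag or whose cert_username differs from the accepted user. The first request in the sample is copied from Stephen's log; the second request, the user name mallory, the address 10.1.1.9, the regular expressions and the helper names are my own constructions.

```python
"""Audit Dovecot 1.x auth debug lines for logins not backed by a client cert.

Added example for this thread, not code from the list or from Dovecot.
With nopassword in the passwd-file any password is accepted, so the
client certificate is the only credential that is really checked. This
script renders the passwd-file entry Timo describes and then flags any
successful login whose AUTH request lacked the valid-client-cert flag.
Regexes, helper names and the second (constructed) login are my own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# auth(default) debug lines, in the form seen in Stephen's log:
#   client in: AUTH <id> <mech> service=imap secured valid-client-cert cert_username=k rip=...
#   client out: OK <id> user=k
AUTH_IN = re.compile(r"auth\(\w+\): client in: AUTH (?P<id>\d+) (?P<mech>\S+) (?P<rest>.*)$")
AUTH_OK = re.compile(r"auth\(\w+\): client out: OK (?P<id>\d+) user=(?P<user>\S+)")


def passwd_file_entry(user: str, uid: int, gid: int, home: str) -> str:
    """passwd-file line with an empty password field plus the nopassword
    extra field (user:password:uid:gid:gecos:home:shell:extra_fields)."""
    return f"{user}::{uid}:{gid}::{home}::nopassword"


def parse_auth_fields(rest: str) -> Tuple[Dict[str, str], Set[str]]:
    """Split 'service=imap secured valid-client-cert cert_username=k' into
    key=value pairs and bare flags."""
    values: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            values[key] = value
        else:
            flags.add(tok)
    return values, flags


@dataclass
class AuthAttempt:
    mech: str
    client_cert: bool
    cert_username: Optional[str]
    rip: Optional[str]


def audit(log_lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (users accepted on the strength of a client cert, findings).

    Request ids restart for every auth-client connection, so a fresh AUTH
    with an already-seen id replaces the earlier attempt. That is fine for
    one login process; interleaved logs from several would need pid keys.
    """
    pending: Dict[str, AuthAttempt] = {}
    accepted: List[str] = []
    findings: List[str] = []
    for line in log_lines:
        m = AUTH_IN.search(line)
        if m:
            values, flags = parse_auth_fields(m.group("rest"))
            pending[m.group("id")] = AuthAttempt(
                mech=m.group("mech"),
                client_cert="valid-client-cert" in flags,
                cert_username=values.get("cert_username"),
                rip=values.get("rip"))
            continue
        m = AUTH_OK.search(line)
        if not m or m.group("id") not in pending:
            continue
        a, user = pending.pop(m.group("id")), m.group("user")
        if not a.client_cert:
            findings.append(f"{user} from {a.rip}: accepted via {a.mech} without a client certificate")
        elif a.cert_username != user:
            # Cert was valid but not bound to this user (ssl_username_from_cert off,
            # or a different name sent in the PLAIN exchange): proves CA membership only.
            findings.append(f"{user} from {a.rip}: cert_username={a.cert_username} is not {user}")
        else:
            accepted.append(user)
    return accepted, findings


SAMPLE_LOG = [
    # Request 1: copied from the auth debug output in Stephen's post (user k).
    "dovecot: May 25 11:56:16 Info: auth(default): client in: AUTH 1 PLAIN service=imap secured valid-client-cert cert_username=k lip=10.1.1.245 rip=10.1.1.1 lport=993 rport=53430",
    "dovecot: May 25 11:56:16 Info: auth(default): client out: CONT 1",
    "dovecot: May 25 11:56:16 Info: auth(default): client in: CONT<hidden>",
    "dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1): No password",
    "dovecot: May 25 11:56:16 Info: auth(default): client out: OK 1 user=k",
    # Request 2: constructed. No valid-client-cert flag, yet accepted: this is
    # what a nopassword setup looks like when the certificate check is off.
    "dovecot: May 25 12:03:02 Info: auth(default): client in: AUTH 2 PLAIN service=imap secured lip=10.1.1.245 rip=10.1.1.9 lport=993 rport=40122",
    "dovecot: May 25 12:03:02 Info: auth(default): client out: CONT 2",
    "dovecot: May 25 12:03:02 Info: auth(default): client in: CONT<hidden>",
    "dovecot: May 25 12:03:02 Info: auth(default): client out: OK 2 user=mallory",
]

if __name__ == "__main__":
    print(passwd_file_entry("k", 500, 100, "/"))
    users, problems = audit(SAMPLE_LOG)
    print("cert-backed logins:", users)
    for problem in problems:
        print("FINDING:", problem)
```

In Stephen's configuration, ssl_require_client_cert: yes and ssl_verify_client_cert: yes already make imap-login refuse sessions without a valid certificate, so on that setup the audit should return no findings. A finding like the constructed second request means that check is off somewhere, and with nopassword in the passwd-file that is a mailbox anyone can open by typing the user name.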
On Tue, 2009-05-26 at 01:05 +0100, Stephen Feyrer wrote:
>> Right. A password is always required, but you can set Dovecot to accept any password. Set the password field empty in the passwd file and add the nopassword extra field. http://wiki.dovecot.org/AuthDatabase/PasswdFile
>
> I have to admit I've seen that. I want to turn off password prompt entirely, in effect external authentication.
>
> Is it a bad idea to remove the password prompt if any password will be accepted?
There is an EXTERNAL SASL authentication mechanism, which I guess Dovecot could pretty easily support. But I'm not aware of any clients that support it even if I did bother to implement it.
On Mon, 2009-05-25 at 20:10 -0400, Timo Sirainen wrote:
> There is an EXTERNAL SASL authentication mechanism, which I guess Dovecot could pretty easily support. But I'm not aware of any clients that support it even if I did bother to implement it.
Well, since it was the last missing SASL mechanism and was easy enough to implement, it's now in v1.2+: http://hg.dovecot.org/dovecot-1.2/rev/e3fe9b4a6a2d
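To show what the EXTERNAL mechanism Timo mentions actually decides on the server side, here is an added illustration in Python. It is not Dovecot's implementation from the linked changeset and not code from the thread; it follows RFC 4422 (EXTERNAL: the client may send an authorization identity, and the authentication identity comes from outside SASL, here the verified client certificate's CN as with ssl_username_from_cert) and RFC 4959 (IMAP SASL initial response, where "=" means an empty initial response). The command strings, the tags, the user name admin and the function names are constructed for the example; the CN k is the one from the certificate in Stephen's log.

```python
"""SASL EXTERNAL over IMAP: the server-side decision, as an illustration.

Added example; not Dovecot's implementation and not code from the thread.
Per RFC 4422 the client sends an optional authorization identity and the
server takes the authentication identity from the TLS layer (here the
client certificate CN). Per RFC 4959 an initial response of "=" is empty.
Command strings, tags and user names below are constructed test data.
"""
import base64
import binascii
from typing import Optional, Tuple


def decode_initial_response(token: Optional[str]) -> Optional[str]:
    """Return the decoded authzid ('' for "="), or None if none was sent.
    Raises ValueError on malformed base64."""
    if token is None:
        return None
    if token == "=":
        return ""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed initial response") from exc


def external_decision(authzid: Optional[str], cert_cn: Optional[str]) -> Tuple[bool, str]:
    """Core EXTERNAL rule.

    - no verified client certificate -> nothing external to rely on -> fail
    - empty or absent authzid         -> act as the certificate identity
    - authzid given                   -> allowed only if it is the same user
                                         (no proxy or master users here)
    """
    if not cert_cn:
        return False, "no verified client certificate in TLS session"
    if not authzid or authzid == cert_cn:
        return True, cert_cn
    return False, f"certificate for {cert_cn} may not act as {authzid}"


def handle_authenticate(line: str, cert_cn: Optional[str]) -> Tuple[str, str, str]:
    """Handle one 'tag AUTHENTICATE EXTERNAL [initial-response]' line and
    return (tag, 'OK' | 'NO' | 'BAD', text).

    A client without SASL-IR would get a '+ ' continuation and send the same
    data on the next line; that round trip is not modelled here, so a
    missing initial response is treated like an empty one.
    """
    parts = line.strip().split(" ")
    if len(parts) < 3 or parts[1].upper() != "AUTHENTICATE":
        return (parts[0] if parts and parts[0] else "*", "BAD", "expected AUTHENTICATE")
    tag, mech = parts[0], parts[2].upper()
    if mech != "EXTERNAL":
        return tag, "NO", f"mechanism {mech} not handled in this example"
    try:
        authzid = decode_initial_response(parts[3] if len(parts) > 3 else None)
    except ValueError:
        return tag, "BAD", "invalid base64 in initial response"
    ok, text = external_decision(authzid, cert_cn)
    return (tag, "OK", f"logged in as {text}") if ok else (tag, "NO", text)


if __name__ == "__main__":
    # Constructed exchange; CN=k is the certificate from Stephen's log.
    for cmd in ("a001 AUTHENTICATE EXTERNAL =",
                "a002 AUTHENTICATE EXTERNAL " + base64.b64encode(b"k").decode(),
                "a003 AUTHENTICATE EXTERNAL " + base64.b64encode(b"admin").decode()):
        print(cmd, "->", " ".join(handle_authenticate(cmd, cert_cn="k")))
    print("no cert ->", " ".join(handle_authenticate("a004 AUTHENTICATE EXTERNAL =", cert_cn=None)))
```

The point of EXTERNAL for this thread is that no password crosses the wire at all, so the nopassword workaround (any password accepted) is no longer needed; what still has to hold is that the TLS layer really verified the certificate, which in Dovecot terms is the ssl_verify_client_cert and ssl_require_client_cert settings already present in Stephen's configuration.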
Hi.
That's really cool!
Thanks.
-- Kind regards.
Stephen.
Timo Sirainen wrote:
> On Mon, 2009-05-25 at 20:10 -0400, Timo Sirainen wrote:
>> There is an EXTERNAL SASL authentication mechanism, which I guess Dovecot could pretty easily support. But I'm not aware of any clients that support it even if I did bother to implement it.
>
> Well, since it was the last missing SASL mechanism and was easy enough to implement, it's now in v1.2+: http://hg.dovecot.org/dovecot-1.2/rev/e3fe9b4a6a2d