[Dovecot] auth_debug_passwords
Hi. I'm new to Dovecot and about to start using it in production. In the config file, I set the option, auth_debug_passwords, to yes. I do not see any failed passwords logged, however. It did cause more verbose authentication logging, but failed passwords are still hidden.
I have also set these options to yes, because I thought they might be required for auth_debug_passwords to work:
auth_verbose = yes
auth_debug = yes
Here's an example of what I see with a failed login:
Feb 3 17:03:36 ebi5 dovecot: auth-worker(default): pam(jkd,some IP): lookup service=dovecot
Feb 3 17:03:36 ebi5 dovecot: auth-worker(default): pam(jkd,some IP): #1/1 style=1 msg=Password:
Feb 3 17:03:36 ebi5 dovecot: auth-worker(default): pam(jkd,some IP): pam_authenticate() failed: authentication error (password mismatch?)
Feb 3 17:03:38 ebi5 dovecot: auth(default): client out: FAIL 1 user=jkd
Feb 3 17:03:38 ebi5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<jkd>, method=PLAIN, rip=some IP, lip=some IP
-------Version and config below----------
host:/var/log# dovecot --version
1.1.8
host:/var/log# dovecot -n
# 1.1.8: /usr/local/etc/dovecot.conf
# OS: FreeBSD 7.1-RELEASE-p2 i386
base_dir: /var/run/dovecot/
protocols: imap imaps pop3 pop3s
ssl_cert_file: /etc/mail/certs/mail.ourdomain.com.pem
ssl_key_file: /etc/mail/certs/mail.ourdomain.com.pem
ssl_cipher_list: ALL:!LOW:!SSLv2
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_greeting_capability(default): yes
login_greeting_capability(imap): yes
login_greeting_capability(pop3): no
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 100
mail_privileged_group: mail
mail_location: mbox:~/:INBOX=/var/mail/%u:INDEX=/var/dovecot/%u
mail_full_filesystem_access: yes
mmap_disable: yes
mail_nfs_storage: yes
mail_nfs_index: yes
lock_method: dotlock
mbox_lock_timeout: 120
dbox_rotate_days: 0
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
imap_client_workarounds(default): delay-newmail netscape-eoh tb-extra-mailbox-sep
imap_client_workarounds(imap): delay-newmail netscape-eoh tb-extra-mailbox-sep
imap_client_workarounds(pop3):
pop3_reuse_xuidl(default): no
pop3_reuse_xuidl(imap): no
pop3_reuse_xuidl(pop3): yes
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
auth default:
  mechanisms: plain login
  username_format: %Lu
  winbind_helper_path: /usr/local/bin/ntlm_auth
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
    args: session=yes dovecot
  userdb:
    driver: passwd
    args: blocking=yes
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 432
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
host:/var/log#
Thanks for any light you could shine on this problem.
Josh
-- Josh Gentry help@swcp.com * jgentry@swcp.com * 505-232-7992 Customer service in the 21st century.
Josh Gentry wrote:
Hi. I'm new to Dovecot and about to start using it in production. In the config file, I set the option, auth_debug_passwords, to yes. I do not see any failed passwords logged, however. It did cause more verbose authentication logging, but failed passwords are still hidden.
That option is not for logging passwords, but to ease problem investigation in case something is not working as it should.
There might be a way to log password attempts, but it's not a good idea from the point of view of security, so I'm glad it's not so easy to have them logged.
Remember that a failed password might be someone using a dictionary attack, but can be a user that simply mistyped one character in his password. But even in the first case, what good would it do to know what words an attacker is using?
-- Q: Why does Washington have the most lawyers per capita and New Jersey the most toxic waste dumps? A: God gave New Jersey first choice.
Eduardo M KALINOWSKI eduardo@kalinowski.com.br http://move.to/hpkb
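Eduardo's distinction above, between a dictionary attack and a user who mistyped one character, can usually be made from the login-process lines Dovecot already writes, without logging the password itself. The following is an added example, not code from the thread or from Dovecot: it parses "Aborted login (auth failed, N attempts)" lines in the format shown in Josh's log and separates sources that fail against many different users from single users who fail a few times. The sample log is constructed, with addresses from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Dovecot 1.1 login-process line, in the shape shown in the thread:
#   pop3-login: Aborted login (auth failed, 1 attempts): user=<jkd>, method=PLAIN, rip=..., lip=...
ABORTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: "
    r"(?P<svc>\S+-login): Aborted login \(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\S+), rip=(?P<rip>[^,]+), lip=(?P<lip>\S+)"
)

# Constructed sample log (not from the original post); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Feb  3 17:03:38 ebi5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<jkd>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Feb  3 17:03:41 ebi5 dovecot: pop3-login: Aborted login (auth failed, 2 attempts): user=<jkd>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Feb  3 17:05:02 ebi5 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Feb  3 17:05:03 ebi5 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=LOGIN, rip=203.0.113.7, lip=198.51.100.5
Feb  3 17:05:04 ebi5 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Feb  3 17:05:05 ebi5 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Feb  3 17:06:00 ebi5 dovecot: auth(default): client out: FAIL 1 user=jkd
"""


def parse_failures(log_text):
    """Yield one dict per 'Aborted login (auth failed, ...)' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ABORTED_RE.match(line)
        if m:
            record = m.groupdict()
            record["attempts"] = int(record["attempts"])
            yield record


def classify(log_text, distinct_user_threshold=3):
    """Return remote IPs that failed against many distinct users (likely guessing)
    and users whose failures came only from IPs not doing that (likely typos)."""
    users_by_ip = defaultdict(set)
    failures_by_user = Counter()
    for f in parse_failures(log_text):
        users_by_ip[f["rip"]].add(f["user"])
        failures_by_user[f["user"]] += 1
    guessing_ips = sorted(ip for ip, users in users_by_ip.items()
                          if len(users) >= distinct_user_threshold)
    typo_users = sorted(u for u in failures_by_user
                        if not any(u in users_by_ip[ip] for ip in guessing_ips))
    return {"guessing_ips": guessing_ips, "typo_users": typo_users,
            "failures_by_user": dict(failures_by_user)}
```

The threshold on distinct usernames per source address, rather than on raw attempt count, is what keeps a customer retrying a mistyped password from being flagged alongside a guessing host.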
On Wed, Feb 04, 2009 at 08:52:10AM -0200, Eduardo M KALINOWSKI wrote:
Josh Gentry wrote:
Hi. I'm new to Dovecot and about to start using it in production. In the config file, I set the option, auth_debug_passwords, to yes. I do not see any failed passwords logged, however. It did cause more verbose authentication logging, but failed passwords are still hidden.
That option is not for logging passwords, but to ease problem investigation in case something is not working as it should.
Well, it's both, right. It's for logging the incorrect password when authentication fails. We are an ISP, we do a LOT of email, and password problems are major tech support load. Being able to tell the customer that, yes, they have their caps lock on because I can see they are sending the password in all caps, would be a big help. We do the same thing with RADIUS logging, and it's very useful.
Thanks,
Josh
On Wed, 2009-02-04 at 08:52 -0200, Eduardo M KALINOWSKI wrote:
Josh Gentry wrote:
Hi. I'm new to Dovecot and about to start using it in production. In the config file, I set the option, auth_debug_passwords, to yes. I do not see any failed passwords logged, however. It did cause more verbose authentication logging, but failed passwords are still hidden.
That option is not for logging passwords, but to ease problem investigation in case something is not working as it should.
Well, yes, but it's about investigating why logins are failing due to password mismatches, so logging the password in that case is useful. It was already done with pretty much all passdbs except PAM.
On Tue, 2009-02-03 at 17:33 -0700, Josh Gentry wrote:
I have also set these options to yes, because I thought they might be required for auth_debug_passwords to work: .. pam(jkd,some IP): pam_authenticate() failed: authentication error (password mismatch?)
Hmm. Here you go: http://hg.dovecot.org/dovecot-1.1/rev/11112baa8592
Thanks!
Josh
On Wed, Feb 04, 2009 at 12:24:48PM -0500, Timo Sirainen wrote:
On Tue, 2009-02-03 at 17:33 -0700, Josh Gentry wrote:
I have also set these options to yes, because I thought they might be required for auth_debug_passwords to work: .. pam(jkd,some IP): pam_authenticate() failed: authentication error (password mismatch?)
Hmm. Here you go: http://hg.dovecot.org/dovecot-1.1/rev/11112baa8592