[Dovecot] Migrating password scheme
Hello,
With the move to Dovecot we are trying to alter the password encryption
stored in the database from MD5 to CRYPT-SHA256, following the guide at
http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes. It's mostly
working, but I still have not found out how to pass the cleartext
password to the re-encrypting script. According to the HowTo it should
be enough to add "'%w' AS userdb_plain_pass" to the passdb query to
get an environment variable $PLAIN_PASS in the post-login script to
pass along.
This does not work, e.g. PLAIN_PASS is always empty. This is Dovecot
2.0.19 from Ubuntu 12.04 LTS.
Thanks for any help
Regards
Andreas
On 13-03-21 12:51 PM, lst_hoe02@kwsoft.de wrote:
> With the move to Dovecot we are trying to alter the password encryption
> stored in the database from MD5 to CRYPT-SHA256, following the guide at
> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes. It's mostly
> working, but I still have not found out how to pass the cleartext
> password to the re-encrypting script. According to the HowTo it should
> be enough to add "'%w' AS userdb_plain_pass" to the passdb query to
> get an environment variable $PLAIN_PASS in the post-login script to
> pass along. This does not work, e.g. PLAIN_PASS is always empty. This
> is Dovecot 2.0.19 from Ubuntu 12.04 LTS.

It seems to depend on how you are doing your userdb, not passdb.
I use a static userdb, so I have:

userdb {
  args = uid=xx gid=xx home=/xx/xx/%d/%n plain_pass=%w
  driver = static
}

--
Daryl Richards
Isle Technical Services Inc.
Zitat von Daryl Richards daryl@isletech.net:
> On 13-03-21 12:51 PM, lst_hoe02@kwsoft.de wrote:
>> With the move to Dovecot we are trying to alter the password encryption
>> stored in the database from MD5 to CRYPT-SHA256, following the guide at
>> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes. It's mostly
>> working, but I still have not found out how to pass the cleartext
>> password to the re-encrypting script. According to the HowTo it
>> should be enough to add "'%w' AS userdb_plain_pass" to the passdb
>> query to get an environment variable $PLAIN_PASS in the post-login
>> script to pass along. This does not work, e.g. PLAIN_PASS is always
>> empty. This is Dovecot 2.0.19 from Ubuntu 12.04 LTS.
>
> It seems to depend on how you are doing your userdb, not passdb.
> I use a static userdb, so I have:
>
> userdb {
>   args = uid=xx gid=xx home=/xx/xx/%d/%n plain_pass=%w
>   driver = static
> }
>
> --
> Daryl Richards
> Isle Technical Services Inc.
Will try that, thanks.
Andreas
Zitat von lst_hoe02@kwsoft.de:
> Zitat von Daryl Richards daryl@isletech.net:
>> On 13-03-21 12:51 PM, lst_hoe02@kwsoft.de wrote:
>>> With the move to Dovecot we are trying to alter the password encryption
>>> stored in the database from MD5 to CRYPT-SHA256, following the guide at
>>> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes. It's mostly
>>> working, but I still have not found out how to pass the cleartext
>>> password to the re-encrypting script. According to the HowTo it
>>> should be enough to add "'%w' AS userdb_plain_pass" to the passdb
>>> query to get an environment variable $PLAIN_PASS in the post-login
>>> script to pass along. This does not work, e.g. PLAIN_PASS is always
>>> empty. This is Dovecot 2.0.19 from Ubuntu 12.04 LTS.
>>
>> It seems to depend on how you are doing your userdb, not passdb.
>> I use a static userdb, so I have:
>>
>> userdb {
>>   args = uid=xx gid=xx home=/xx/xx/%d/%n plain_pass=%w
>>   driver = static
>> }
>>
>> --
>> Daryl Richards
>> Isle Technical Services Inc.
>
> Will try that, thanks.
>
> Andreas
Hm, no. Same result. The username works fine, but the plaintext
password is not available, e.g. $PLAIN_PASS is always empty when
invoking the script.
Settings from 10-master.conf:
service imap {
  # TEMP for password hashes
  executable = imap imap-postlogin
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = 256M

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
  process_limit = 100
}

service imap-postlogin {
  executable = script-login /etc/dovecot/convert.sh
  # user = $default_internal_user
  unix_listener imap-postlogin {
  }
}
from 10-auth.conf:
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = static
  args = uid=dovemail gid=dovemail home=/var/dovecot/home/%n
         mail=sdbox:/var/dovecot/mail/%n:LAYOUT=fs plainpass=%w
}
and the script invoked:
#!/bin/sh
# Test only: log the variables Dovecot hands to the post-login script
echo $USER >> /etc/dovecot/test.log
echo $PLAINPASS >> /etc/dovecot/test.log
echo $HOME >> /etc/dovecot/test.log
# Re-hash the password, then hand over to the real IMAP process
/etc/dovecot/pwd-sha.php $USER $PLAINPASS
exec "$@"
The test of echoing the variables to a file shows that $PLAINPASS is
always missing, while the others are there as expected.
Can anyone confirm that it actually works this way?
Regards
Andreas
On 13-03-21 4:29 PM, lst_hoe02@kwsoft.de wrote:
> userdb {
>   driver = static
>   args = uid=dovemail gid=dovemail home=/var/dovecot/home/%n
>          mail=sdbox:/var/dovecot/mail/%n:LAYOUT=fs plainpass=%w
> }
>
> and the script invoked:
>
> #!/bin/sh
> echo $USER >> /etc/dovecot/test.log
> echo $PLAINPASS >> /etc/dovecot/test.log
> echo $HOME >> /etc/dovecot/test.log

I can confirm it works... The variable is actually plain_pass, and
$PLAIN_PASS, with the underscore.

--
Daryl Richards
Isle Technical Services Inc.
Zitat von Daryl Richards daryl@isletech.net:
> On 13-03-21 4:29 PM, lst_hoe02@kwsoft.de wrote:
>> userdb {
>>   driver = static
>>   args = uid=dovemail gid=dovemail home=/var/dovecot/home/%n
>>          mail=sdbox:/var/dovecot/mail/%n:LAYOUT=fs plainpass=%w
>> }
>>
>> and the script invoked:
>>
>> #!/bin/sh
>> echo $USER >> /etc/dovecot/test.log
>> echo $PLAINPASS >> /etc/dovecot/test.log
>> echo $HOME >> /etc/dovecot/test.log
>
> I can confirm it works... The variable is actually plain_pass, and
> $PLAIN_PASS, with the underscore.

I have first used plain_pass as well, without success. The plainpass was
used as a test to see if there is some problem with the "_". What
Dovecot version do you use?
Regards
Andreas
On 21.3.2013, at 18.51, lst_hoe02@kwsoft.de wrote:
> Hello,
> With the move to Dovecot we are trying to alter the password encryption
> stored in the database from MD5 to CRYPT-SHA256, following the guide at
> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes. It's mostly
> working, but I still have not found out how to pass the cleartext
> password to the re-encrypting script. According to the HowTo it should
> be enough to add "'%w' AS userdb_plain_pass" to the passdb query to
> get an environment variable $PLAIN_PASS in the post-login script to
> pass along. This does not work, e.g. PLAIN_PASS is always empty. This
> is Dovecot 2.0.19 from Ubuntu 12.04 LTS.

userdb_plain_pass method requires that you use userdb prefetch.
And Daryl's method of using %w in regular userdb .. I'm not really sure how well that works. Could easily be that different Dovecot versions behave differently.
Zitat von Timo Sirainen tss@iki.fi:
> On 21.3.2013, at 18.51, lst_hoe02@kwsoft.de wrote:
>> Hello,
>> With the move to Dovecot we are trying to alter the password encryption
>> stored in the database from MD5 to CRYPT-SHA256, following the guide at
>> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes. It's mostly
>> working, but I still have not found out how to pass the cleartext
>> password to the re-encrypting script. According to the HowTo it
>> should be enough to add "'%w' AS userdb_plain_pass" to the passdb
>> query to get an environment variable $PLAIN_PASS in the post-login
>> script to pass along. This does not work, e.g. PLAIN_PASS is always
>> empty. This is Dovecot 2.0.19 from Ubuntu 12.04 LTS.
>
> userdb_plain_pass method requires that you use userdb prefetch.
>
> And Daryl's method of using %w in regular userdb .. I'm not really
> sure how well that works. Could easily be that different Dovecot
> versions behave differently.

Hello,
With "userdb prefetch" it works. Sorry, it was not clear to me that
userdb prefetch *must* be used to get *this* userdb setting to work.
Maybe it should be listed at
http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes. Furthermore, the
example listed there does a migration from CRYPT to SHA256 (salted),
but not to CRYPT-SHA256, which is recommended, no?
Regards
Andreas
On 21/03/2013 17:39, Timo Sirainen wrote:
> userdb_plain_pass method requires that you use userdb prefetch. And
> Daryl's method of using %w in regular userdb .. I'm not really sure
> how well that works. Could easily be that different Dovecot versions
> behave differently.

So, basically what I am doing may fail at any time? Guess it's time to go play with config.
BTW, I'm using 2.1.15 so it still works there...
On 22.3.2013, at 20.13, Daryl Richards daryl@isletech.net wrote:
> On 21/03/2013 17:39, Timo Sirainen wrote:
>> userdb_plain_pass method requires that you use userdb prefetch. And
>> Daryl's method of using %w in regular userdb .. I'm not really sure
>> how well that works. Could easily be that different Dovecot versions
>> behave differently.
>
> So, basically what I am doing may fail at any time? Guess it's time to
> go play with config.
>
> BTW, I'm using 2.1.15 so it still works there...

Well, I think v2.0 cleared the password early and v2.1 only after everything is fully finished. And I'm at least not planning on changing it back. So I guess your config will stay working. :)
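A post-login script along the lines of the one Andreas posted, written here as an added example rather than code from the thread or from Dovecot: it treats an empty $PLAIN_PASS (the thread's symptom) as a reason to skip the conversion and log only the user name, keeps the password off the log file and off any command line, and always execs the real IMAP process. The helpers /etc/dovecot/pw-hash.sh and /etc/dovecot/pw-store.sh and the HASH_CMD/CONVERT_LOG variables are assumptions, not Dovecot settings.

```shell
#!/bin/sh
# Added example of a post-login script for the imap-postlogin service; not the
# script posted in the thread. Dovecot exports userdb extra fields to this
# script as upper-cased environment variables, so a plain_pass field arrives
# as $PLAIN_PASS (and only reaches the userdb via userdb prefetch, as Timo
# explains). Unlike the thread's test script this never writes the password
# to a log file and never puts it on a command line where ps would show it.

# Hashing command: reads the plaintext on stdin and prints the new hash.
# Assumed/hypothetical default; a real one could wrap `doveadm pw`.
HASH_CMD="${HASH_CMD:-/etc/dovecot/pw-hash.sh}"
# Where to record conversions that could not happen (user name only).
LOG="${CONVERT_LOG:-/var/log/dovecot-convert.log}"

# convert_password USER PASSWORD: prints the new hash on stdout.
# Returns 0 on success, 1 if no plaintext password was available (the
# empty $PLAIN_PASS failure mode from the thread), 2 if hashing failed.
convert_password() {
    user="$1"
    pass="$2"
    if [ -z "$pass" ]; then
        printf '%s no PLAIN_PASS for %s (userdb prefetch missing?)\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" "$user" >> "$LOG"
        return 1
    fi
    # The password travels over a pipe, not argv.
    hash=$(printf '%s' "$pass" | "$HASH_CMD") || return 2
    [ -n "$hash" ] || return 2
    printf '%s\n' "$hash"
}

# script-login passes the real IMAP binary in "$@"; with no arguments
# (e.g. when this file is sourced for testing) nothing below runs.
if [ "$#" -gt 0 ]; then
    if new_hash=$(convert_password "$USER" "$PLAIN_PASS"); then
        # Hypothetical helper that stores the hash for $USER in the SQL
        # passdb; again only the user name goes on the command line.
        printf '%s\n' "$new_hash" | /etc/dovecot/pw-store.sh "$USER"
    fi
    # Always hand over to the real IMAP process, converted or not.
    exec "$@"
fi
```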