[Dovecot] multiple passwords in different schemes
Timo wrote: "In future it's possible that Dovecot could support multiple passwords in different schemes for a single user.".
Is it planned in the nearest future? :-)
Best regards,
MU
On Tue, 2009-01-20 at 21:02 +0100, Maciej Uhlig wrote:
> Timo wrote: "In future it's possible that Dovecot could support multiple passwords in different schemes for a single user.".
> Is it planned in the nearest future? :-)
I've implemented it (or actually something that's a bit more generic) this far: http://dovecot.org/patches/1.2/auth-multi-password.diff
But IIRC it's still missing things and I decided it's not worth the effort right now.
Timo Sirainen wrote:
> I've implemented it (or actually something that's a bit more generic) this far: http://dovecot.org/patches/1.2/auth-multi-password.diff
> But IIRC it's still missing things and I decided it's not worth the effort right now.
I see. FYI I'd like to allow a user to authenticate for postfix: at work using PLAIN (with TLS) and at home using CRAM-MD5, while different scheme passwords are stored in LDAP directory. Would your auth-multi-password patch be enough for this purpose?
Best regards,
MU
On Tue, 2009-01-20 at 21:15 +0100, Maciej Uhlig wrote:
> Timo Sirainen wrote:
>> I've implemented it (or actually something that's a bit more generic) this far: http://dovecot.org/patches/1.2/auth-multi-password.diff
>> But IIRC it's still missing things and I decided it's not worth the effort right now.
> I see. FYI I'd like to allow a user to authenticate for postfix: at work using PLAIN (with TLS) and at home using CRAM-MD5, while different scheme passwords are stored in LDAP directory. Would your auth-multi-password patch be enough for this purpose?
If the password is the same in both cases, you can simply use a single CRAM-MD5 scheme. Dovecot can do plaintext authentication against all schemes just fine.
Timo Sirainen:
> If the password is the same in both cases, you can simply use a single CRAM-MD5 scheme. Dovecot can do plaintext authentication against all schemes just fine.
Actually I happen not to understand the above :-( I thought PLAIN is a plaintext schema while CRAM-MD5 is non-plaintext schema and it's impossible to have the same password in mixed schemas stored in one database used for different authentication mechanisms (i.e. PLAIN and CRAM-MD5). Moreover there is no fallback using mechanism other than PLAIN. What am I missing here?
Yes, the password is the same in both cases, but it is stored twice: as an MD5 hash and as a CRAM-MD5 hash.
Best regards,
MU
On Tue, 2009-01-20 at 21:42 +0100, Maciej Uhlig wrote:
> Timo Sirainen:
>> If the password is the same in both cases, you can simply use a single CRAM-MD5 scheme. Dovecot can do plaintext authentication against all schemes just fine.
> Actually I happen not to understand the above :-( I thought PLAIN is a plaintext schema while CRAM-MD5 is non-plaintext schema and it's impossible to have the same password in mixed schemas stored in one database used for different authentication mechanisms (i.e. PLAIN and CRAM-MD5). Moreover there is no fallback using mechanism other than PLAIN. What am I missing here?
Yes, it's not possible to store two different schemas. But the point is that plaintext authentication (PLAIN or LOGIN auth mechanism) can verify the password against ANY schema.
> Yes, the password is the same in both cases, but it is stored twice: as an MD5 hash and as a CRAM-MD5 hash.
Just don't store the MD5 hash, it's unnecessary.
participants (2): Maciej Uhlig, Timo Sirainen